XF 2.3 XenForo OAuth troubleshooting help needed MediaWiki

[Bryan_D2]

I'm new to XenForo; our whole forum is moving to XenForo from vBulletin in the next few weeks. We have run into a problem with OAuth talking to MediaWiki. So, after a lot of debugging and troubleshooting, I tried a different solution, using WordPress as an OAuth client and XenForo as the OAuth provider. I end up with the same problem. Data is not being sent back to MediaWiki or WordPress. I also tested via curl and Postman; all results were the same.

I'm trying to find a few things.
1) Any logs related to OAuth on XenForo
2) Is there a further configuration outside of the OAuth that I need to enable on the XenForo side?
3) Is there a better way to troubleshoot XenForo Oauth as a provider?


Error message example
Invalid response received from Auth Provider. Contact your administrator for more details.
Response :
{ "message": "Sorry, we're currently unavailable. Please check back later." }

WordPress:
Error
Token Response Received = {

MediaWiki
For MediaWiki I am using the Extensions PluggableAuth and WSOAuth. For WSOAuth I had to build a custom XenForo provider. If I can get this all working, I hope to share it with the world.
Error
The username provided by the OAuth provider is not valid.
Further logging resulting in this
*Token URI during construction: NULL
*Failed to decode token response: Syntax error
*Raw Token Response: false

Thanks in advance for any help or ideas you can share.

 

[Kirby]

2025-04-27 00:59:49 dev wiki_new-mw_: In WSOAuth\WSOAuth::continueLogin
2025-04-27 00:59:49 dev wiki_new-mw_: Request failed or user is not authorised

Is that all you got in the log for the OAuth login attempt?
With a fresh browser / cleared cookie / incognito tab?

There should be a lot more as shown in https://xenforo.com/community/threa...ing-help-needed-mediawiki.230291/post-1743141

 

[Bryan_D2]

Is that all you got in the log for the OAuth login attempt?
With a fresh browser / cleared cookie / incognito tab?

There should be a lot more as shown in https://xenforo.com/community/threa...ing-help-needed-mediawiki.230291/post-1743141

Yup, I've flushed cache, tried in private mode. Also been testing in FireFox, Brave,Chrome and Safari too.

I also flushed caches in MediaWiki too. ( php maintenance/update.php in the MediaWiki root folder. )

I don't see everthing in your post. I see the calls in the code to write to the log but don't see them. I see the below with special edits and redactions. Again thank you for looking.

wsoauth-xenforo-log
2025-04-28 00:26:55 dev wiki_new-mw_: XenForoOAuthProvider Initialized.
2025-04-28 00:26:55 dev wiki_new-mw_: Auth URI: https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-28 00:26:55 dev wiki_new-mw_: Token URI: https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-28 00:26:55 dev wiki_new-mw_: User Info URI: https://teststar2.astromech.net/xenforo/api/me
2025-04-28 00:26:55 dev wiki_new-mw_: Redirect URI: https://teststar2.astromech.net/wiki/index.php/Special:PluggableAuthLogin
2025-04-28 00:26:55 dev wiki_new-mw_: Auth URI (constructor): https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-28 00:26:55 dev wiki_new-mw_: Token URI (constructor): https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-28 00:26:55 dev wiki_new-mw_: In WSOAuth\WSOAuth::initiateLogin
2025-04-28 00:26:55 dev wiki_new-mw_: login called. Generating authorization URL.
2025-04-28 00:26:55 dev wiki_new-mw_: Authorization URL generated: https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize?response_type=code&client_id=~~redactedcode~~&redirect_ur>
2025-04-28 00:26:55 dev wiki_new-mw_: login output: Key=, Secret=~~redacted~~
2025-04-28 00:26:55 dev wiki_new-mw_: Authorization code dynamically set:
///At this point the browser flips me back to Xenforo.
///Return to Mediawiki page click on Login with XenForo button again
2025-04-28 00:26:58 dev wiki_new-mw_: XenForoOAuthProvider Initialized.
2025-04-28 00:26:58 dev wiki_new-mw_: Auth URI: https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-28 00:26:58 dev wiki_new-mw_: Token URI: https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-28 00:26:58 dev wiki_new-mw_: User Info URI: https://teststar2astromech.net/xenforo/api/me
2025-04-28 00:26:58 dev wiki_new-mw_: Redirect URI: https://teststar2.astromech.net/wiki/index.php/Special:PluggableAuthLogin
2025-04-28 00:26:58 dev wiki_new-mw_: Auth URI (constructor): https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-28 00:26:58 dev wiki_new-mw_: Token URI (constructor): https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-28 00:26:58 dev wiki_new-mw_: In WSOAuth\WSOAuth::continueLogin
2025-04-28 00:26:58 dev wiki_new-mw_: Request failed or user is not authorised

 

[Kirby]

I don't see everthing in your post. I see the calls in the code to write to the log but don't see them. I see the below with special edits and redactions. Again thank you for looking.

I've added a bit more logging, maybe this does help.

///At this point the browser flips me back to Xenforo.
///Return to Mediawiki page click on Login with XenForo button again

Hmm ... that's not how it should work:

View attachment Login-required---Testwiki.webm

 

[Bryan_D2]

Thank you again. No I am not seeing that, but seeing you having that is giving me hope. I can share a video if you want.
I see one thing of note and new in the logs "Error: Could not get code from Array"

2025-04-29 02:22:57 dev wiki_new-mw_: XenForoOAuthProvider Initialized.
2025-04-29 02:22:57 dev wiki_new-mw_: Auth URI: https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-29 02:22:57 dev wiki_new-mw_: Token URI: https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-29 02:22:57 dev wiki_new-mw_: User Info URI: https://teststar2.astromech.net/xenforo/api/me
2025-04-29 02:22:57 dev wiki_new-mw_: Redirect URI: https://teststar2.astromech.net/wiki/index.php/Special:PluggableAuthLogin
2025-04-29 02:22:57 dev wiki_new-mw_: Auth URI (constructor): https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-29 02:22:57 dev wiki_new-mw_: Token URI (constructor): https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-29 02:22:57 dev wiki_new-mw_: In WSOAuth\WSOAuth::initiateLogin
2025-04-29 02:22:57 dev wiki_new-mw_: login called. Generating authorization URL.
2025-04-29 02:22:57 dev wiki_new-mw_: Authorization URL generated: https://dev.astromech.net/xenforo/index.php?oauth2/autho>
2025-04-29 02:22:57 dev wiki_new-mw_: login output: Key=, Secret=~~~removed~~~
2025-04-29 02:22:57 dev wiki_new-mw_: Authorization code dynamically set:
2025-04-29 02:23:04 dev wiki_new-mw_: XenForoOAuthProvider Initialized.
2025-04-29 02:23:04 dev wiki_new-mw_: Auth URI: https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-29 02:23:04 dev wiki_new-mw_: Token URI: https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-29 02:23:04 dev wiki_new-mw_: User Info URI: https://teststar2.astromech.net/xenforo/api/me
2025-04-29 02:23:04 dev wiki_new-mw_: Redirect URI: https://teststar2.astromech.net/wiki/index.php/Special:PluggableAuthLogin
2025-04-29 02:23:04 dev wiki_new-mw_: Auth URI (constructor): https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize
2025-04-29 02:23:04 dev wiki_new-mw_: Token URI (constructor): https://teststar2.astromech.net/xenforo/index.php?api/oauth2/token
2025-04-29 02:23:04 dev wiki_new-mw_: In WSOAuth\WSOAuth::continueLogin
2025-04-29 02:23:04 dev wiki_new-mw_: Error: Could not get code from Array
2025-04-29 02:23:04 dev wiki_new-mw_: Request failed or user is not authorised

 

[Kirby]

I see one thing of note and new in the logs "Error: Could not get code from Array"

Yeah, that's a missing \ in the log message string, should really be
Error: Could not get code from $_GET

So there is no query param code and no error / error_description - this is really strange.

Can you check (using Chrome / Firefox developer tools network tab) where exactly you are being redirected to after authorizing in XF?
My only idea would be that the redirect URL is wrong, depending on your setup it probably could be

https://teststar2.astromech.net/wiki/index.php?Special:PluggableAuthLogin
https://teststar2.astromech.net/wiki/index.php/Special:PluggableAuthLogin
https://teststar2.astromech.net/wiki/Special:PluggableAuthLogin

or smth. completely different if the language is not english.

 

[Bryan_D2]

Thank you again, now lets see if I can get all this into on post. Really convinced it a configuration error at this point. Let me know if you want me to pull more to review.

After I click on Log in with XenForo it dumps into XenForo no pop ups
1st URL in Request Initiator Chain (confirmed in XenForo Admin OAuth setup)

Request URL:
https://teststar2.astromech.net/wiki/index.php?title=Special:UserLogin&returnto=Main+Page
Request Method:
POST
Status Code:
302 Found
Remote Address:
8.8.8.8:443
Referrer Policy:
strict-origin-when-cross-origin

2nd URL in Request Initiator Chain (confirmed in XenForo Admin OAuth setup) DID not match redirectUri in LocalSettings. (Corrected)

General Header
Request URL:
https://teststar2.astromech.net/wiki/Special:PluggableAuthLogin
Request Method:
GET
Status Code:
302 Found
Remote Address:
8.8.8.8:443
Referrer Policy:
strict-origin-when-cross-origin
===Response Headers===
connection:
Keep-Alive
content-length:
0
content-type:
text/html; charset=UTF-8
date:
Wed, 30 Apr 2025 00:11:18 GMT
keep-alive:
timeout=5, max=99
location:
https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize?response_type=code&client_id=0000000000000007&redirect_uri=https%3A%2F%2Fteststar2.astromech.net%2Fwiki%2Findex.php%2FSpecial%3APluggableAuthLogin&scope=user%3Aread&state=RRRRRRRRRRR7RRRRRRRRRRRRRRRRRRRR_RRRR_1RRR

server:
Apache/2.4.62 (Ubuntu)
x-content-type-options:
nosniff
x-request-id:
2b2ed568155a0df2ff16f486

3rd URL Now in XenForo

Request URL:
https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize?response_type=code&client_id=0000000000000007&redirect_uri=https%3A%2F%2Fteststar2.astromech.net%2Fwiki%2Findex.php%2FSpecial%3APluggableAuthLogin&scope=user%3Aread&state=RRRRRRRRRRR7RRRRRRRRRRRRRRRRRRRR_RRRR_1RRR
Request Method:
GET
Status Code:
200 OK (from service worker)
Referrer Policy:
strict-origin-when-cross-origin

 

[Kirby]

Your post confuses me

You've got three different types of MediaWiki URLs in your code blocks while there probably should be just one

https://teststar2.astromech.net/wiki/index.php?title=<title>
https://teststar2.astromech.net/wiki/<title>
https://teststar2.astromech.net/wiki/index.php/<title>

Find out which one is the correct / canonical one and only use this.

Also the last URL you posted is the XF authorize URL - this is not the last URL in the OAuth process.

The process should be like this (example URLs in brackats as they are on my dev system)

1. Access MediaWiki ( https://dev.local/mediawiki)
2. Click the Login link in the upper right corner (https://dev.local/mediawiki/index.php/Special:UserLogin)
   This is the start of the OAuth flow
3. Click the button Login with XenForo (redirects to https://dev.local/xf23/oauth2/authorize?...)
4. Click the button Authorize (redirects to https://dev.local/mediawiki/index.php/Special:PluggableAuthLogin?code=...).
   At this point the OAuth flow has finished.
5. Redirect to https://dev.local/mediawiki/index.php/Special:UserLogin?wpLoginToken=...
6. Redirect to MediaWiki index

 

[Bryan_D2]

Thanks again for the help so far and sorry, to confuse you. Maybe seeing it will help understanding what we are seeing. Below is a quick video of what I am seeing. The Request Initiator Chain photo is from the last webpage in the video. The code replies in the post above are me clicking through the header. Getting together with another person on our team to see if we can find out what really is the correct / canonical url.



Video

View attachment Screen Recording 2025-04-30 at 9.36.32 PM.mov

 

[Kirby]

Thank your for providing the screenshot and video, that was helpful.

I could have already spotted this in your previous post but I missed it - the XenForo authorize URL is not constructed correctly:

https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize?response_type=code...

This must be

https://teststar2.astromech.net/xenforo/index.php?oauth2/authorize&response_type=code...

It happens due to your home-grown code

$authUrl = $this->authUri . '?' . http_build_query($params);

which only works correctly if XenForo is configured for fully friendly URLs (eg. $this->authUri does not contain query params)

I've replaced this with a call to Guzzle Uri:

$authUrl = Uri::withQueryValues(new Uri($this->authUri), $params);

which should work regardless.

 

[Bryan_D2]

THANK YOU!! You ROCK! It is working. I so owe you a drink or two.

 

[Kirby]

Glad it's working now

I'd consider to not use the XenForo username as MediaWiki username as it's not immutable, eg. if a username is changed in XenForo MW will see this a new user afterwards.

 

[Bryan_D2]

Glad it's working now

I'd consider to not use the XenForo username as MediaWiki username as it's not immutable, eg. if a username is changed in XenForo MW will see this a new user afterwards.

Good point, digging more into it I was thinking of using maybe email for this but that that is the same problem as the username. I found that XenForo returns "user_id": 889996, so maybe that could be the driver, and MediaWiki uses a user_id is the primary key. I guess if this was a new Wiki setup we could just try and force the IDs to match. Otherwise I was thinking this would have to all go into a custom table to look up the XenForo ID with the matching Mediawiki ID. At that point I was like hmm, maybe we just let this go as is.

I did turn on migrateUsersByUsername but not sure it really is doing at thing.

In the mean time I was working mapping XenForo group to MediaWiki groups. Ideally, we want the XenForo to be the driver of Wiki user rights assignments too. XenForo on accounts with multiple groups fields in "user_group_id": 2, but not the name of the group. Also it will return, secondary groups too. "secondary_group_ids": [ 3,4 ],