It seems that finally we have a working shape with gerrit #26486

Refactored the permission check functionality in a following way:

• Removed all presets from MW side, all permission assignments done by mediawiki_standalone_permission endpoint.
• On first access, if Tuleap says anon can read, allow them
• If not ask for login
• After login, if user can read allow them, if not, block them
• After login, assign additional groups for writers and admins if allowed

Change https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/829164

Only configuration needed on MW side is $GLOBALS['wgGroupPermissions']['*']['read'] = true; This is needed to prevent MW from doing "can user read" checked. We allow all to read, and then integration will block access if needed.

Test with https://gerrit.tuleap.net/c/tuleap/+/26486/7/plugins/mediawiki_standalone/additional-packages/mediawiki-extensions/composer.json -> mediawiki/tuleap-integration": "dev-master#3cbed9085860cf5f41c35ec0f7064a55c414d69f

Made additional fix, already merged in TuleapIntegration, ready for testing

I have tested all combinations, all looks fine

Main issue was that after redirecting to the login page, wiki would still try to render the original page which leads to error. Fixed in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/826339

Hi,

We just tried this change with gerrit #26486 and it does not seems to work when wgTuleapAccessPreset is set to something different than anonymous. For example if we set wgTuleapAccessPreset to regular the OAuth2 flow is not started and the attempt to retrieve information from the Tuleap API does not end well since the user is supposed to be authenticated.

2022-08-23 09:47:41 web plugin_mediawiki_120: [f891098965c4ebd259c8ebe5] /mediawiki/renamed-issue-007   GuzzleHttp\Exception\ClientException from line 113 of /usr/share/mediawiki-tuleap-flavor/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php: Client error: `GET https://tuleap-web.tuleap-aio-dev.docker/api/projects/120/3rd_party_integration_data?currently_active_service=plugin_mediawiki_standalone` resulted in a `401 Unauthorized` response:
{"error":{"code":401,"message":"Unauthorized"}}

#0 /usr/share/mediawiki-tuleap-flavor/vendor/guzzlehttp/guzzle/src/Middleware.php(65): GuzzleHttp\Exception\RequestException::create()

Implemented as described by Thomas (hopefully :) ) Please see new docu at https://enalean.bluespice.cloud/wiki/Enalean_SAS/Seamless_access#Anonymous_access

Patch at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/821212

Regarding starting the OAuth2 flow always: I tried this, but if I set the project to "public" in Tuleap, the authorization url wouldn't redirect an anon user to the wiki, but show me a login form instead. Is there anything else to configure?

Yes, you can ask the OAuth2 flow to not display the login form by setting the prompt parameter to none in the authorization URL. When the user is not authenticated on the Tuleap side it will be redirected immediately to the callback URL with the error code login_required (see the specification for more info on the auth request error).

From that you will want to set prompt=none or not depending on the situation:

• preset permissions allow anonymous users: start the OAuth2/OIDC flow with prompt=none, if you get an error code login_required continue as anonymous
• preset permissions do not allow anonymous users: start the OAuth2/OIDC flow without prompt=none (like it is currently done), if the auth request fails for some reasons always show the error page and maybe ask the users to try again

I have created https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/814850

But this is not exactly what you have proposed. It will load the sidebar also for unauthenticated users. But if a user logs in manually the data may not be updated properly. I need to do some more tests.

Regarding starting the OAuth2 flow always: I tried this, but if I set the project to "public" in Tuleap, the authorization url wouldn't redirect an anon user to the wiki, but show me a login form instead. Is there anything else to configure?

I confirm that on a public Tuleap project on a platform open to anonymous, I'm no longer mandated to log but:

• The Sidebar is not loaded at all
• If I'm logged in on Tuleap and I click on "Mediawiki", Mediawiki doesn't tries to authenticate me so I'm not logged in at all.

For the issue n°2, @tgerbet suggests that MW should always initiate the OAuth2 flow and, when platform is open to anonymous and user is not logged in Tuleap should returns to MW that user is anonymous.

This issue probably was introduced with https://github.com/wikimedia/mediawiki-extensions-TuleapIntegration/commit/0b94e85e52a8ec1c152eb76f41b3aab48555629e

You will need to add

$GLOBALS['wgTuleapEnableLocalLogin'] = false;

to LocalSettings.Tuleap.php.

Sorry for the inconvenience.

gerrit #26270 (Add missing permission setup in MediaWiki settings) integrated in Tuleap 13.10.99.57

@dsavuljesku I gave it a try with the change I just merged + the pending patch on your side but it still seems to forbid anonymous users. Is that expected ?

Change implemented in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/TuleapIntegration/+/809928

See https://enalean.bluespice.cloud/wiki/Enalean_SAS/Seamless_access#Anonymous%20access for docu