Added debug properties for xwiki but they don't seem to have any relevant effect

oidc.php: autologin/localLogin templated via vars; optionally disable wgPasswordAttemptThrottle when 'web-svc-logout' present

vars: set defaults (AUTOLOGIN=true, LOCALLOGIN=false); use path_join/url_join for clean paths/URLs

Context: https://chatgpt.com/share/68caaf41-d098-800f-beb0-a473ff08c9c5

roles/web-app-mediawiki/tasks/03_patch_settings.yml

@@ -1,5 +1,5 @@
 # roles/web-app-mediawiki/tasks/03_patch_settings.yml
-- name: "MEDIAWIKI | Ensure LocalSettings.php has correct base settings"
+- name: "MEDIAWIKI | Normalize base settings in LocalSettings.php (clean + append once)"
   vars:
     _lsp_path: "{{ MEDIAWIKI_HTML_DIR }}/LocalSettings.php"
     _server_url: "{{ MEDIAWIKI_URL | regex_replace('/+$', '') }}"
@@ -14,46 +14,34 @@
     docker exec -u {{ MEDIAWIKI_USER }} {{ MEDIAWIKI_CONTAINER }} bash -lc '
       set -euo pipefail
       LSP="{{ _lsp_path }}"
+      [ -f "$LSP" ] || { echo "ERROR: LocalSettings.php not found."; exit 1; }
+
       SERVER='\''{{ _server_url_sq }}'\''
       DBNAME='\''{{ _db_name_sq }}'\''
       DBUSER='\''{{ _db_user_sq }}'\''
       DBPASS='\''{{ _db_pass_sq }}'\''
       DBHOST='\''{{ _db_host_sq }}'\''
       LANG='\''{{ _lang_sq }}'\''
-      [ -f "$LSP" ] || { echo "LocalSettings.php not found, skipping."; exit 0; }
+      
+      tmp="$(mktemp)"; trap "rm -f \"$tmp\"" EXIT
 
-      need=0
+      # 1) Copy existing file, but drop ALL prior assignments of our managed keys
+      grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true
 
-      check_line() {
+      # 2) Append ONE clean, authoritative block
-        local key="$1" val="$2"
+      {
-        grep -Eq "^[[:space:]]*\$${key}[[:space:]]*=[[:space:]]*'\''${val}'\'';" "$LSP" || need=1
+        printf "\n\$wgServer = '\''%s'\'';\n"           "$SERVER"
-      }
+        printf "\$wgCanonicalServer = '\''%s'\'';\n"    "$SERVER"
-
+        printf "\$wgDBname = '\''%s'\'';\n"             "$DBNAME"
-      check_line wgServer "$SERVER"
+        printf "\$wgDBuser = '\''%s'\'';\n"             "$DBUSER"
-      check_line wgCanonicalServer "$SERVER"
+        printf "\$wgDBpassword = '\''%s'\'';\n"         "$DBPASS"
-      check_line wgDBname "$DBNAME"
+        printf "\$wgDBserver = '\''%s'\'';\n"           "$DBHOST"
-      check_line wgDBuser "$DBUSER"
+        printf "\$wgLanguageCode = '\''%s'\'';\n"       "$LANG"
-      check_line wgDBpassword "$DBPASS"
+      } >> "$tmp"
-      check_line wgDBserver "$DBHOST"
-      check_line wgLanguageCode "$LANG"
-
-      if [ "$need" -eq 1 ]; then
-        tmp="$(mktemp)"
-        # Remove any existing definitions for these keys
-        grep -Ev "^[[:space:]]*\$(wgServer|wgCanonicalServer|wgDBname|wgDBuser|wgDBpassword|wgDBserver|wgLanguageCode)[[:space:]]*=" "$LSP" > "$tmp" || true
-
-        {
-          printf "\n\$wgServer = '\''%s'\'';\n"           "$SERVER"
-          printf "\$wgCanonicalServer = '\''%s'\'';\n"    "$SERVER"
-          printf "\$wgDBname = '\''%s'\'';\n"             "$DBNAME"
-          printf "\$wgDBuser = '\''%s'\'';\n"             "$DBUSER"
-          printf "\$wgDBpassword = '\''%s'\'';\n"         "$DBPASS"
-          printf "\$wgDBserver = '\''%s'\'';\n"           "$DBHOST"
-          printf "\$wgLanguageCode = '\''%s'\'';\n"       "$LANG"
-        } >> "$tmp"
 
+      # 3) Idempotent write: only replace if content actually changed
+      if ! cmp -s "$LSP" "$tmp"; then
         cat "$tmp" > "$LSP"
-        rm -f "$tmp"
         echo CHANGED
       fi
     '

roles/web-app-mediawiki/templates/oidc.php.j2

@@ -3,11 +3,16 @@
 
 {% if MEDIAWIKI_OIDC_ENABLED | bool %}
 
+{% if 'web-svc-logout' in CURRENT_PLAY_APPLICATIONS %}
+# The cookie deletion of the logout app leads to a login bug if this isn't set
+$wgPasswordAttemptThrottle = [];
+{% endif %}
+
 wfLoadExtension( 'PluggableAuth' );
 wfLoadExtension( 'OpenIDConnect' );
 
-$wgPluggableAuth_EnableAutoLogin = true;
+$wgPluggableAuth_EnableAutoLogin = {{ MEDIAWIKI_OIDC_AUTOLOGIN | bool | ternary('true','false') }};
-$wgPluggableAuth_EnableLocalLogin = false;
+$wgPluggableAuth_EnableLocalLogin = {{ MEDIAWIKI_OIDC_LOCALLOGIN | bool | ternary('true','false') }};
 $wgPluggableAuth_ButtonLabel = '{{ MEDIAWIKI_OIDC_BUTTON_TEXT }}';
 
 $wgPluggableAuth_Config = [

roles/web-app-mediawiki/vars/main.yml

@@ -32,12 +32,14 @@ MEDIAWIKI_OIDC_CLIENT_ID:         "{{ OIDC.CLIENT.ID }}"
 MEDIAWIKI_OIDC_CLIENT_SECRET:     "{{ OIDC.CLIENT.SECRET }}"
 MEDIAWIKI_OIDC_ISSUER:            "{{ OIDC.CLIENT.ISSUER_URL }}"
 MEDIAWIKI_OIDC_BUTTON_TEXT:       "{{ OIDC.BUTTON_TEXT }}"
+MEDIAWIKI_OIDC_AUTOLOGIN:         true
+MEDIAWIKI_OIDC_LOCALLOGIN:        false
 
 # Extensions
 MEDIAWIKI_EXT_BRANCH:   "REL1_44"
-MEDIAWIKI_EXT_CFG_BASE: "{{ MEDIAWIKI_CONFIG_DIR }}/mwext/{{ MEDIAWIKI_EXT_BRANCH }}"
+MEDIAWIKI_EXT_CFG_BASE: "{{ [ MEDIAWIKI_CONFIG_DIR, 'mwext', MEDIAWIKI_EXT_BRANCH ] | path_join }}"
 MEDIAWIKI_EXT_LIST:
   - name: "PluggableAuth"
-    url: "https://codeload.github.com/wikimedia/mediawiki-extensions-PluggableAuth/tar.gz/refs/heads/{{ MEDIAWIKI_EXT_BRANCH }}"
+    url: "{{ [ 'https://codeload.github.com/wikimedia/mediawiki-extensions-PluggableAuth/tar.gz/refs/heads/',MEDIAWIKI_EXT_BRANCH ] | url_join }}"
   - name: "OpenIDConnect"
-    url: "https://codeload.github.com/wikimedia/mediawiki-extensions-OpenIDConnect/tar.gz/refs/heads/{{ MEDIAWIKI_EXT_BRANCH }}"
+    url: "{{ [ 'https://codeload.github.com/wikimedia/mediawiki-extensions-OpenIDConnect/tar.gz/refs/heads/',MEDIAWIKI_EXT_BRANCH ] | url_join }}"

roles/web-app-xwiki/templates/xwiki.properties.j2

@@ -32,8 +32,42 @@ distribution.defaultUI=org.xwiki.platform:xwiki-platform-distribution-flavor-mai
 distribution.skip=false
 distribution.wizard.enabled=true
 
+{% if MODE_DEBUG | bool %}
+# Root logger
 logging.rootLogger=DEBUG, console
 
+# XWiki OIDC extension
+logging.logger.org.xwiki.contrib.oidc=TRACE
+logging.logger.org.xwiki.contrib.oidc.internal=TRACE
+logging.logger.org.xwiki.contrib.oidc.provider=TRACE
+
+# OIDC extra (sometimes split in other packages)
+logging.logger.org.xwiki.contrib.oidc.auth=TRACE
+logging.logger.org.xwiki.contrib.oidc.client=TRACE
+
+# Tomcat internals (servlet and HTTP handling)
+logging.logger.org.apache.catalina.core=DEBUG
+logging.logger.org.apache.coyote.http11=DEBUG
+
+# Request/Resource handling
+logging.logger.org.xwiki.resource=TRACE
+logging.logger.org.xwiki.resource.internal=TRACE
+logging.logger.org.xwiki.container.servlet=DEBUG
+
+# Nimbus OIDC/OAuth + JOSE libraries
+logging.logger.com.nimbusds=DEBUG
+logging.logger.com.nimbusds.oauth2.sdk=DEBUG
+logging.logger.com.nimbusds.openid.connect.sdk=DEBUG
+logging.logger.com.nimbusds.jose=DEBUG
+
+# Apache HttpClient (used under the hood by Nimbus)
+logging.logger.org.apache.http=DEBUG
+logging.logger.org.apache.http.wire=DEBUG   # very verbose, raw request/response wire logs
+
+# Pac4j (if your build uses it)
+logging.logger.org.pac4j=DEBUG
+{% endif %}
+
 # Persist data in the Docker volume
 environment.permanentDirectory={{ XWIKI_DOCK_DATA_DIR }}