computer-playbook/roles/web-app-mediawiki/templates/oidc.php.j2

<?php
// ### OIDC (PluggableAuth) – BEGIN (managed by Ansible)

{% if MEDIAWIKI_OIDC_ENABLED | bool %}

{% if 'web-svc-logout' in CURRENT_PLAY_APPLICATIONS %}
# The cookie deletion of the logout app leads to a login bug if this isn't set
$wgPasswordAttemptThrottle = [];
{% endif %}

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_EnableAutoLogin = {{ MEDIAWIKI_OIDC_AUTOLOGIN | bool | ternary('true','false') }};
$wgPluggableAuth_EnableLocalLogin = {{ MEDIAWIKI_OIDC_LOCALLOGIN | bool | ternary('true','false') }};
$wgPluggableAuth_ButtonLabel = '{{ MEDIAWIKI_OIDC_BUTTON_TEXT }}';

$wgPluggableAuth_Config = [
    [
        'plugin' => 'OpenIDConnect',
        'data' => [
            'providerURL'  => '{{ MEDIAWIKI_OIDC_ISSUER }}',
            'clientID'     => '{{ MEDIAWIKI_OIDC_CLIENT_ID }}',
            'clientsecret' => '{{ MEDIAWIKI_OIDC_CLIENT_SECRET }}',
            'scope'        => [ 'openid', 'profile', 'email' ],
        ],
    ],
];

$wgOpenIDConnect_UseEmailNameAsUserName = true;
$wgOpenIDConnect_MigrateUsers = true;
// ### OIDC (PluggableAuth) – END

{% endif %}