OpenID Connect

Last modified by Thomas Mortagne on 2020/06/25 10:50

Various tools to manipulate the OpenID Connect protocol in XWiki


This project has two main goals:

  1. make it as easy as possible to use an XWiki instance as an identity provider for another XWiki instance
  2. make XWiki support what is becoming the most standard identity protocol on the Internet, both as a provider for other applications and as a client of reference identity providers

License: GNU Lesser General Public License 2.1

OpenID Connect


OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

See for a set of answers to Frequently Asked Questions about OpenID Connect.

This project relies on the Nimbus OAuth 2.0 SDK with OpenID Connect extensions for its implementation, which among other things offers parsers and processors for OpenID Connect requests/responses in Java.

The modules

Release Notes

All release notes


  • Closed OIDC-85 Send Logout for OIDC provider


  • Closed OIDC-87 The token endpoint might return the wrong audience


  • Closed OIDC-84 Upgrade of OpenID Connect Authenticator 1.19 to 1.20 fails


  • Closed OIDC-82 Upgrade to nimbus-jose-jwt 8.15
  • Closed OIDC-81 Support custom JSON field for group list


  • Closed OIDC-80 Upgrade to nimbus-jose-jwt 8.12
  • Closed OIDC-79 OpenID Connect Authenticator - variable name instead of empty value


  • Closed OIDC-78 Upgrade to oauth2-oidc-sdk 7.3 and nimbus-jose-jwt 8.10


  • Closed OIDC-77 Allow providing a custom mapping for the user properties
  • Closed OIDC-50 Make the entire OIDC JSON available in variables


  • Closed OIDC-76 Upgrade to oauth2-oidc-sdk 6.23 and nimbus-jose-jwt 8.6


  • Closed OIDC-74 Make the scope configurable in the authenticator


  • Closed OIDC-70 Upgrade to nimbus-jose-jwt 5.14
  • Closed OIDC-69 Upgrade to oauth2-oidc-sdk 5.64.2
  • Closed OIDC-41 Salt the stored token
  • Closed OIDC-22 Allow accessing any resource using access token


  • Closed OIDC-67 Possible java.lang.ClassCastException when upgrading authenticator or another extension on the same namespace


  • Closed OIDC-66 Force group synchronization when group claim is sent even if no value is sent back


  • Closed OIDC-65 OIDC Authenticator compatibility with LemonLDAP OpenIDC provider
  • Closed OIDC-64 Add Support for POST method for userinfo endpoint
  • Closed OIDC-46 Add support for client authentication


  • Closed OIDC-63 The provider should return the user profile page name as "preferred user name" when no claim is sent


  • Closed OIDC-62 XWiki group sync does not fully support mapped group without the "XWiki." prefix
  • Closed OIDC-61 Allowed groups logic is wrong when there is several groups


  • Closed OIDC-60 Allow configuring the rate at which user information is refreshed


  • Closed OIDC-58 Make possible to configure the value stored as unique identifier
  • Closed OIDC-57 Add .lowerCase and .upperCase support to name pattern
  • Closed OIDC-56 The provider should return the user profile page name as "preferred user name"


  • Closed OIDC-55 Make groups claim name configurable
  • Closed OIDC-54 Allow filtering users allowed to authenticate depending on the groups they belong to
  • Closed OIDC-53 Add support for group synchronization mapping


  • Closed OIDC-52 Group synchronization does not work with an XWiki provider


  • Closed OIDC-51 Add support for group membership synchronization


  • Closed OIDC-48 Authenticator and provider default templates are not loaded anymore


  • Closed OIDC-47 Upgrade to XWiki 8.4.x
  • Closed OIDC-35 Upgrade to oauth2-oidc-sdk 5.44


  • Closed OIDC-45 Possible NullPointerException when the provider send user info without any email
  • Closed OIDC-44 oidc.user.nameFormater configuration is not taken into account


  • Closed OIDC-43 Provider sometime find consent coming from a different user


  • Closed OIDC-42 OpenID Connect clients might be wrongly recognized as simple OAuth2 clients


  • Closed OIDC-40 No mail information sent with OAuth2 client


  • Closed OIDC-39 Add support for OAuth 2 in the provider


  • Closed OIDC-37 Remove the workaround for XWIKI-13456
Created by Thomas Mortagne on 2016/06/03 16:45
