Token-based authentication for the LLM Application (BETA)

Last modified by Michael Hamann on 2024/05/24 14:20

cogToken-based authenticator for the LLM Application to authenticate external users.
Developed by

Matéo Munoz, Ludovic Dubost, Michael Hamann, Paul Pantiru

0 Votes
LicenseGNU Lesser General Public License 2.1

16.2.0 and above

Installable with the Extension Manager


This extension provides a way for external applications that, e.g., embed the chat provided by the LLM Application to authenticate users with signed JSON Web Tokens (JWT). Users are directly created or updated based on the information provided in the token. There is currently no support for using a token as authentication for an existing user that hasn't been created through this authenticator. The authenticator supports authenticating users from several applications that are mapped to distinct user accounts. When no token is present in the request, the authenticator falls back on a configurable authenticator and it should thus be able to combine this token authenticator with any other authenticator.


You can enable this token authenticator by setting the xwiki.authentication.authclass property in xwiki.cfg file to org.xwiki.contrib.llm.authentication.JWTTokenAuth. Alternatively, you can select the "JWT Token Authenticator for the LLM AI Application" in the authentication configuration.

When there is no token in the request (see below), the authenticator falls back to the default authenticator. You can set the llm.authentication.jwt.authenticator property in xwiki.cfg file to the authenticator that shall be used as fallback instead of the default authenticator.

Authorized Applications Configuration

The extension adds a new "Authorized Applications" entry to the "Applications" list (see top left of the following screenshot). It allows managing which applications are allowed to generate tokens for the use with this authenticator.

Screenshot of the main screen of the Authorized Applications application, showing the entries list with one entry

By clicking on "Add new entry", you can add a new authorized application. You can configure the following properties:

  • Title - the title of the application, this is just for display purposes
  • URL - the URL of the application. This is the identifier of the application and must match the "issuer" field in the generated tokens (see below)
  • The public key - this must be an Ed25519 public key in PEM format that corresponds to the private key that is used for signing the tokens (see below)
  • Group format - the format for the groups. To avoid that external applications create users with groups like XWikiAdminGroup that would grant admin right on the wiki, it is highly recommended to configure a unique prefix and possibly also suffix, e.g., by using "Example${group}Group" where ${group} will be replaced by the group name that is provided in the token.

Screenshot of an authorized application entry

Token Generation

This authenticator expects a JWT token that is signed with an Ed25519 key. A suitable signing key can, e.g., be generated using the OpenSSL command line utility and the following two commands:

openssl genpkey -algorithm ed25519 -outform PEM -out private.pem
openssl pkey -in private.pem -pubout -outform PEM -out public.pem

The files "private.pem" and "public.pem" then contain the private and public key in PEM format, respectively.

The JWT token needs to contain the following claims:

  • "exp": the expiration time, must be in the future but not more than 24 hours in the future
  • "iss": the issuer, corresponding to the URL property configured in the authorized applications
  • "sub": the subject, used for deriving the username
  • "aud": the audience, must contain the URL of the XWiki installation in the form without path. Both a single string and an array of strings are supported. If the expected URL isn't passed, an error is logged with the expected URL.


  • "given_name": used to set the first name field of the user profile
  • "family_name": used to set the last name field of the user profile
  • "email": used to set the email field of the user profile
  • "groups": a list of groups (as list of strings). Used to set the groups of the user.
  • "iat": issued at, the time when the token was issued. Tokens older than 24 hours and tokens issued in the future aren't accepted.
  • "nbf": not before, the token is rejected if this time is in the future.

The token needs to be present in the "Authorization" header in the form "Bearer TOKEN" where TOKEN is the signed JWT token as described above.

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions when being offline is currently not supported and you'd need to use some complex manual method.

You can also use the following manual method, which is useful if this extension cannot be installed with the Extension Manager or if you're using an old version of XWiki that doesn't have the Extension Manager:

  1. Log in the wiki with a user having Administration rights
  2. Go to the Administration page and select the Import category
  3. Follow the on-screen instructions to upload the downloaded XAR
  4. Click on the uploaded XAR and follow the instructions
  5. You'll also need to install all dependent Extensions that are not already installed in your wiki


Dependencies for this extension (org.xwiki.contrib.llm:application-ai-llm-authentication-ui 0.3.1):

  • org.xwiki.contrib.llm:application-ai-llm-authentication-api 0.3.1

Get Connected