OAuth2 Client

Last modified by Admin on 2026/06/05 00:04

Various tools to manipulate the OpenID Connect protocol in XWiki

Type: JAR
Category: Other
Developed by: Thomas Mortagne
License: GNU Lesser General Public License 2.1

Success

Installable with the Extension Manager

Description

This extension enables getting and manipulating OAuth2 tokens. It relies under the hood on the OpenID Connect Authenticator to manage its configuration.

Configuration

To configure a new service from which the client should fetch OAuth2 tokens, you will need to create a dedicated XWiki.OIDC.ClientConfigurationClass as described in the OpenID Connect Authenticator configuration.

Warning

The configuration should have a name that does not collide with other configurations defined for the OpenID Connect Authenticator.

In case the configuration you are creating should not be used for authenticating users, make sure to set the option "Is authentication skipped ?" to 1.

You will then need to indicate where OAuth2 tokens should be stored, through the property "Store tokens":

Property value | Description
NONE | Do not store any token
USER | Store tokens in the user profile
WIKI | Store tokens at the wiki level

Warning

Note that tokens stored at wiki level will be accessible by any user with read access to the wiki. Storing tokens at wiki level is generally not recommended, but can be used in case you want to allow wiki users to have access to a third-party service without them having an account on that service.

Usage

The script service $services.oauth2client allows you to access tokens stored for a given OIDC Client Configuration, and to authorize an application by starting an OAuth2 authorization flow.

Authorizing an application

{{velocity}}
#set($configName = "myconfiguration")

#if ($services.oauth2client.getAccessToken($configName))
  ## Do something with the token
#else
  #set($redirectURI = "https://xxxx")
  $services.oauth2client.authorize($configName, $redirectURI)
#end
{{/velocity}}

Renewing an access token

Access tokens are usually issued with a lifetime, and thus need to be renewed when they expire, by either:

  • Performing a new OAuth2 grant dance with the provider: redirecting the user to the provider, and then having the user redirected back to XWiki to store the new access token
  • Using a refresh token provided at the same time as the last access token, to generate a new access token with a longer lifetime

OAuth2 Client 2.17.0+: At user login, XWiki will automatically attempt to renew tokens stored in the profile of this user that are close to expiry.

There is currently no way to renew a token directly through a script service. However, it is possible to force the renewal using this code:

{{velocity}}
#set($configName = "myconfiguration")
## Look up the OAuth2 client manager and the client configuration store by their component roles
#set($manager = $services.component.getComponentManager().getInstance('org.xwiki.contrib.oidc.OAuth2ClientManager'))
#set($clientConfigStore = $services.component.getComponentManager().getInstance('org.xwiki.contrib.oidc.auth.store.OIDCClientConfigurationStore'))

#if ($services.oauth2client.getAccessToken($configName))
  ## A token is already stored: load the client configuration and trigger its renewal
  #set($config = $clientConfigStore.getOIDCClientConfiguration($configName))
  #set($job = $manager.renew($config, true))
#else
  ## No token is stored yet: start the authorization flow and come back to this page
  #set($redirectURI = $doc.getURL())
  $services.oauth2client.authorize($configName, $redirectURI)
#end
{{/velocity}}
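
The two renewal paths listed above, sketched as an added Python example; it is not code from this extension and does not reproduce XWiki's own renewal logic. The record fields (access_token, expires_at, refresh_token), the function names and the 300-second margin are assumptions made for the illustration.

```python
from urllib.parse import urlencode

RENEW_MARGIN = 300  # assumed: renew when fewer than 300 s of lifetime remain


def plan_renewal(token, now, margin=RENEW_MARGIN):
    """Decide what to do with a stored token record: keep, refresh or reauthorize."""
    if token is None:
        return "reauthorize"          # nothing stored: full grant with user redirect
    if token["expires_at"] - now > margin:
        return "keep"                 # still comfortably valid
    # Close to expiry or expired: silent renewal needs a refresh token.
    return "refresh" if token.get("refresh_token") else "reauthorize"


def refresh_request_body(token, scope=None):
    """Form-encoded body of the refresh request (RFC 6749, section 6).

    Client authentication (HTTP Basic or client_id/client_secret) is sent
    alongside and is left out here.
    """
    params = {"grant_type": "refresh_token", "refresh_token": token["refresh_token"]}
    if scope:
        params["scope"] = scope       # may only narrow the originally granted scope
    return urlencode(params)


def apply_token_response(old, response, now):
    """Merge a token endpoint JSON response into the stored record."""
    if "error" in response:
        # e.g. invalid_grant: refresh token expired or revoked. Drop the record
        # so the next plan_renewal() call asks for a new authorization.
        return None
    return {
        "access_token": response["access_token"],
        # expires_in is optional; a missing value is treated as already expired.
        "expires_at": now + int(response.get("expires_in", 0)),
        # The provider may rotate the refresh token; if it sends none, keep the old one.
        "refresh_token": response.get("refresh_token", old.get("refresh_token")),
    }
```

A record that comes back as None is the case where only the first path (redirecting the user to the provider) can produce a new token.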

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

Dependencies

Dependencies for this extension (org.xwiki.contrib.oidc:oauth2-client 2.22.1):
