OpenID Authentication with Google Cloud

Last modified by Mohamed Boussaa on 2025/10/30 11:19

This document presents a configuration guide for the XWiki OpenIDC authenticator with Google Cloud as OIDC provider.

Google Cloud configuration

First, you need to create an OAuth Client on Google Cloud Console. Follow the procedure below.

1. Create a project

2. Create an application

  • Once the project is created, go back to the Google Cloud Console home page (https://console.cloud.google.com/) and open the project configuration page.
  • (screenshot: open-created-project.png)
  • (screenshot: project-information-page.png)
  • In the "APIs and Services" menu, select "OAuth consent screen".
  • (screenshot: oauth-consent-screen.png)
  • Click on "Get started".
  • (screenshot: get-started-button.png)
  • Fill in the application creation form.
  • (screenshot: create-application-form.png)
  • Select the application audience.
  • (screenshot: application-audience.png)
  • Click Next, fill in the "Contact Information" email, agree to the "Google API Services: User Data Policy", and click on the Create button.
  • (screenshot: application-contact-information.png)

3. Create an OAuth Client

  • Once the application is created, click on the "Create OAuth client" button.
  • Fill in the form as follows:
  • Click on the Create button to finalise the creation of the OAuth client. The OAuth client provides a Client ID and a Client secret, which are the credentials needed to configure the XWiki OIDC authenticator.
  • (screenshot: create-oauth-client-button.png)
  • (screenshot: oauth-client-creation-confirmation.png)
  • The client ID can always be retrieved from the Clients tab under Google Auth Platform.
  • (screenshot: oauth-client-selection.png)
  • (screenshot: oauth-client-page.png)

XWiki Configuration (minimalist)

First, the OpenIDC authenticator must be enabled in WEB-INF/xwiki.cfg:

xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl

Then it is configured in WEB-INF/xwiki.properties. Here are the properties to set:

oidc.endpoint.authorization=https://accounts.google.com/o/oauth2/v2/auth
oidc.endpoint.token=https://oauth2.googleapis.com/token
oidc.endpoint.userinfo=https://openidconnect.googleapis.com/v1/userinfo
oidc.endpoint.logout=https://accounts.google.com/Logout
oidc.clientid=${google OAuth Client ID}
oidc.secret=${google OAuth Client secret}
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}
oidc.userinfoclaims=

Remarks

  • Note that the Google Cloud OIDC endpoints are generic URLs that are the same for every OIDC configuration. They can be found in the provider's discovery document at https://accounts.google.com/.well-known/openid-configuration.
  • The "oidc.userinfoclaims" property must be set to an empty value to prevent the error: "Error 400: Invalid_request - Invalid parameter value for claims: Invalid claims: claims must have a single object value "id_token"". See the forum discussion.
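As an added example (not part of this guide and not code from the XWiki OIDC authenticator project), the script below checks a WEB-INF/xwiki.properties excerpt against the provider's discovery document: the three discoverable endpoints must match the document, oidc.endpoint.logout must at least stay on the issuer host (Google publishes no end_session_endpoint, so it cannot be cross-checked), oidc.userinfoclaims must be present and empty, and the client ID and secret must not still be the template placeholders. Both the properties excerpt and the discovery JSON are constructed inline so the script runs offline; the function names (parse_properties, check_endpoints, check_claims_and_credentials, audit) are this example's own.

```python
import json
import re

# Constructed excerpt of WEB-INF/xwiki.properties, following the values in this guide.
# The client id/secret are still the template placeholders on purpose.
XWIKI_PROPERTIES = """
oidc.endpoint.authorization=https://accounts.google.com/o/oauth2/v2/auth
oidc.endpoint.token=https://oauth2.googleapis.com/token
oidc.endpoint.userinfo=https://openidconnect.googleapis.com/v1/userinfo
oidc.endpoint.logout=https://accounts.google.com/Logout
oidc.clientid=${google OAuth Client ID}
oidc.secret=${google OAuth Client secret}
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}
oidc.userinfoclaims=
"""

# Constructed excerpt of what https://accounts.google.com/.well-known/openid-configuration
# returns; only the keys this check needs are included. To run the real comparison,
# fetch the live document and pass its text to audit() as discovery_text.
DISCOVERY_JSON = """
{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo"
}
"""

# XWiki property -> OIDC Discovery 1.0 metadata key
ENDPOINT_MAP = {
    "oidc.endpoint.authorization": "authorization_endpoint",
    "oidc.endpoint.token": "token_endpoint",
    "oidc.endpoint.userinfo": "userinfo_endpoint",
}


def parse_properties(text):
    """Minimal Java-properties parser: key=value lines; '#'/'!' comments and blank
    lines skipped. An empty value ('oidc.userinfoclaims=') is kept as '' so that
    'set to empty' can be told apart from 'absent'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def check_endpoints(props, discovery_text):
    """Return a list of findings (empty list = endpoints agree with the provider)."""
    discovery = json.loads(discovery_text)
    findings = []
    for prop, meta_key in ENDPOINT_MAP.items():
        expected = discovery.get(meta_key)
        actual = props.get(prop)
        if actual is None:
            findings.append(f"{prop} is missing")
        elif actual != expected:
            findings.append(f"{prop}={actual} does not match {meta_key}={expected}")
    # No end_session_endpoint in Google's metadata: only make sure the logout URL
    # points at the issuer's host rather than somewhere else.
    logout = props.get("oidc.endpoint.logout", "")
    if not logout.startswith(discovery.get("issuer", "") + "/"):
        findings.append(f"oidc.endpoint.logout={logout} is not under the issuer host")
    return findings


def check_claims_and_credentials(props):
    """Checks for the remarks in this guide: oidc.userinfoclaims must be present and
    empty, and the client id/secret must not still be ${...} template placeholders."""
    findings = []
    if "oidc.userinfoclaims" not in props:
        findings.append("oidc.userinfoclaims is absent; set it to an empty value for Google")
    elif props["oidc.userinfoclaims"] != "":
        findings.append("oidc.userinfoclaims must be empty for Google (Error 400: Invalid claims)")
    for key in ("oidc.clientid", "oidc.secret"):
        value = props.get(key, "")
        if not value or re.fullmatch(r"\$\{.*\}", value):
            findings.append(f"{key} is still a placeholder")
    return findings


def audit(properties_text=XWIKI_PROPERTIES, discovery_text=DISCOVERY_JSON):
    """Run every check and return the combined list of findings."""
    props = parse_properties(properties_text)
    return check_endpoints(props, discovery_text) + check_claims_and_credentials(props)


if __name__ == "__main__":
    for finding in audit() or ["OK: configuration matches the Google discovery document"]:
        print(finding)
```

Run against the constructed excerpt, the only findings are the two placeholder credentials; once real values are in place the audit returns an empty list. Running the same check after each XWiki upgrade or provider change is a cheap way to catch a stale token endpoint or a reintroduced oidc.userinfoclaims value before users hit the 400 error.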

Get Connected