Changes for page OpenID Authentication with Keycloak
Last modified by Andrey Sytchev on 2023/08/24 08:22
Change comment:
Reformat completely to apply XWiki's doc practices
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -xwiki:XWiki. jwielsch1 +xwiki:XWiki.VincentMassol - Content
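--- a/Content
+++ b/Content
@@ -1,187 +1,166 @@
-(% class="lead" %)
-Read [[https:~~/~~/extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/>>https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/||rel=" noopener noreferrer" target="_blank"]] first!
+{{info}}
+The steps below assume, that you have a working Keycloak installation and the clients can connect to XWiki and Keycloak.
+{{/info}}
 
-(% class="box infomessage" %)
-(((
-The steps below assume, that you have a working keycloak installation and the clients can connect to xwiki and keycloak.
-)))
+* Find ##xwiki.authentication.authclass## in ##xwiki.cfg## and comment it out with ###-### in the beginning.
+* Add below: ##xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl##
+* Save ##xwiki.cfg##
+* Open ##xwiki.properties## and adapt the following to your settings, and add this at the end of the file (Note the ##_~_XXX_~_## parts):(((
+{{code language='properties'}}
+oidc.xwikiprovider=https://__YOUR-WIKI-ADDRESS__/xwiki/oidc
+oidc.endpoint.authorization=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/auth
+oidc.endpoint.token=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/token
+oidc.endpoint.userinfo=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/userinfo
+oidc.scope=openid,profile,email,address
+oidc.endpoint.userinfo.method=GET
+oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
+oidc.user.subjectFormater=${oidc.user.subject}
+# oidc.groups.claim=xwiki_groups
+# oidc.groups.mapping=MyXWikiGroup=my-oidc-group
+# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
+# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
+# oidc.groups.allowed=
+# oidc.groups.forbidden=
+oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
+# oidc.userinforefreshrate=600000
+oidc.clientid=__KEYCLOAK-CLIENT-ID__
+oidc.secret=__KEYCLOAK-CLIENT-SECRET__
+oidc.endpoint.token.auth_method=client_secret_basic
+oidc.skipped=false
+{{/code}}
 
-**First Step**
-
-Install the extension mentioned above.
-
-**Second Step**
-
-Find (% class="mark" %)##xwiki.authentication.authclass##(%%) in (% class="mark" %)##xwiki.cfg##(%%) and comment it out with (% class="mark" %)###-###(%%) in the beginning. add below:
-
-(% class="mark" %)##xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl##
-
-Save (% class="mark" %)##xwiki.cfg##(%%)##.##
-
-**Thrid Step**
-
-Open (% class="mark" %)##xwiki.properties##(%%).
-
-Adopt the following to your settings and add this at the end of the file. (Note the bold and undelined parts.)
-
-
-(% class="mark" %)## oidc.xwikiprovider=https:~/~/__**YOUR-WIKI-ADDRESS**__/xwiki/oidc
- oidc.endpoint.authorization=https:~/~/__**KEYCLOAK-ADDRESS**__/auth/realms/__**REALM**__/protocol/openid-connect/auth
- oidc.endpoint.token=https:~/~/**__KEYCLOAK-ADDRESS__**/auth/realms/__**REALM**__/protocol/openid-connect/token
- oidc.endpoint.userinfo=https:~/~/**__KEYCLOAK-ADDRESS__**/auth/realms/__**REALM**__/protocol/openid-connect/userinfo
- oidc.scope=openid,profile,email,address
- oidc.endpoint.userinfo.method=GET
- oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
- oidc.user.subjectFormater=${oidc.user.subject}
- # oidc.groups.claim=xwiki_groups
- # oidc.groups.mapping=MyXWikiGroup=my-oidc-group
- # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
- # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
- # oidc.groups.allowed=
- # oidc.groups.forbidden=
- oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
- # oidc.userinforefreshrate=600000
- oidc.clientid=**__KEYCLOAK-CLIENT-ID__**
- oidc.secret=KEYCLOAK-CLIENT-SECRET
- oidc.endpoint.token.auth_method=client_secret_basic
- oidc.skipped=false##
-
-
-(% class="box infomessage" %)
-(((
-For futher configuration possibilites see [[https:~~/~~/extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#Hxwiki.properties>>url:https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#Hxwiki.properties]]
+{{info}}
+See [[futher configuration possibilites>>||anchor="Hxwiki.properties"]].
+{{/info}}
 )))
+* Adapt the following to your settings and import it to Keycloak (Again: Note the ##_~_XXX_~_## parts):(((
+{{code language='json'}}
+{
+ "clientId": "__CLIENT-ID__",
+ "name": "__CLIENT-NAME__",
+ "rootUrl": "https://__YOUR-WIKI-URL__",
+ "adminUrl": "https://__YOUR-WIKI-URL__",
+ "baseUrl": "https://__YOUR-WIKI-URL__",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://__YOUR-WIKI-URL__/*"
+ ],
+ "webOrigins": [
+ "https://__YOUR-WIKI-URL__"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "authorizationServicesEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [{
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "name": "address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-address-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute.formatted": "formatted",
+ "user.attribute.country": "country",
+ "user.attribute.postal_code": "postal_code",
+ "userinfo.token.claim": "true",
+ "user.attribute.street": "street",
+ "id.token.claim": "true",
+ "user.attribute.region": "region",
+ "access.token.claim": "true",
+ "user.attribute.locality": "locality"
+ }
+ },
+ {
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
+{{/code}}
+)))
 
-**Fourth Step**
-Adopt the following to your settings and import it to keycloak. (Again: Note the bold an underlined parts.)
+{{warning}}
+After importing this to Keycloak, you have to generate a new Client-Secret and put it into ##xwiki.properties## under ##oidc.secret=__KEYCLOAK-CLIENT-SECRET__##.
+Aim is: In the end, Client-ID and Client-Secret have to match on Keycloak and in ##xwiki.properties##.
+{{/warning}}
 
-
-(% class="mark" %)## {
- "clientId": "__**CLIENT-ID**__",
- "name": "__**CLIENT-NAME**__",
- "rootUrl": "https:~/~/__**YOUR-WIKI-URL**__",
- "adminUrl": "https:~/~/**__YOUR-WIKI-URL__**",
- "baseUrl": "https:~/~/**__YOUR-WIKI-URL__**",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": [
- "https:~/~/__**YOUR-WIKI-URL**__/*"
- ],
- "webOrigins": [
- "https:~/~/**__YOUR-WIKI-URL__**"
- ],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": true,
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "saml.assertion.signature": "false",
- "saml.force.post.binding": "false",
- "saml.multivalued.roles": "false",
- "saml.encrypt": "false",
- "saml.server.signature": "false",
- "saml.server.signature.keyinfo.ext": "false",
- "exclude.session.state.from.auth.response": "false",
- "saml_force_name_id_format": "false",
- "saml.client.signature": "false",
- "tls.client.certificate.bound.access.tokens": "false",
- "saml.authnstatement": "false",
- "display.on.consent.screen": "false",
- "saml.onetimeuse.condition": "false"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": -1,
- "protocolMappers": [
- {
- "name": "Client Host",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientHost",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientHost",
- "jsonType.label": "String"
- }
- },
- {
- "name": "Client IP Address",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientAddress",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientAddress",
- "jsonType.label": "String"
- }
- },
- {
- "name": "address",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-address-mapper",
- "consentRequired": false,
- "config": {
- "user.attribute.formatted": "formatted",
- "user.attribute.country": "country",
- "user.attribute.postal_code": "postal_code",
- "userinfo.token.claim": "true",
- "user.attribute.street": "street",
- "id.token.claim": "true",
- "user.attribute.region": "region",
- "access.token.claim": "true",
- "user.attribute.locality": "locality"
- }
- },
- {
- "name": "Client ID",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientId",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientId",
- "jsonType.label": "String"
- }
- }
- ],
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "roles",
- "profile",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ],
- "access": {
- "view": true,
- "configure": true,
- "manage": true
- }
- }##
-
-
-(% class="box warningmessage" %)
-(((
-**After importing this to Keycloak you have to generate a new Client-Secret and put it into xwiki.properties under "**(% class="mark" %)##oidc.secret=KEYCLOAK-CLIENT-SECRET"##(%%)**.
-\\Aim is: In the end, Client-ID and Client-Secret have to match on Keycloak and in xwiki.properties.**
-)))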
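Review bot: The Keycloak client export in the new `{{code language='json'}}` block enables every grant type at once — `"implicitFlowEnabled": true`, `"directAccessGrantsEnabled": true`, `"serviceAccountsEnabled": true` and `"authorizationServicesEnabled": true` — while the `xwiki.properties` snippet on the same page only drives the authorization-code flow (`oidc.endpoint.authorization`, `oidc.endpoint.token` with `client_secret_basic`), so the extra flows widen what this confidential client can be used for without being needed by the authenticator. The smallest fix in the import is `"implicitFlowEnabled": false,` and `"directAccessGrantsEnabled": false,`; service accounts and authorization services can presumably be disabled too unless the realm uses them elsewhere, which the page does not say. The `"redirectUris"` entry `https://__YOUR-WIKI-URL__/*` is a wildcard over the whole wiki host; Keycloak accepts it, but a sentence next to the snippet recommending that readers narrow the pattern to the path XWiki actually redirects to would help. The `{{warning}}` could also add one line noting that `oidc.secret` sits in clear text in `xwiki.properties`, so that file should be readable only by the account running XWiki.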