Last modified by Andrey Sytchev on 2023/08/24 08:22

From version < 1.2 >
edited by Johannes Wielsch
on 2020/08/29 12:39
To version < 2.1 >
edited by Vincent Massol
on 2020/08/31 14:01
Change comment: Reformat completely to apply XWiki's doc practices



Page properties
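--- a/Author
+++ b/Author
@@ -1,1 +1,1 @@
-xwiki:XWiki.jwielsch
+xwiki:XWiki.VincentMassol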
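--- a/Content
+++ b/Content
@@ -1,187 +1,166 @@
-(% class="lead" %)
-Read [[https:~~/~~/extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/>>https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/||rel=" noopener noreferrer" target="_blank"]] first!
+{{info}}
+The steps below assume, that you have a working Keycloak installation and the clients can connect to XWiki and Keycloak.
+{{/info}}
 
-(% class="box infomessage" %)
-(((
-The steps below assume, that you have a working keycloak installation and the clients can connect to xwiki and keycloak.
-)))
+* Find ##xwiki.authentication.authclass## in ##xwiki.cfg## and comment it out with ###-### in the beginning.
+* Add below: ##xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl##
+* Save ##xwiki.cfg##
+* Open ##xwiki.properties## and adapt the following to your settings, and add this at the end of the file (Note the ##_~_XXX_~_## parts):(((
+{{code language='properties'}}
+oidc.xwikiprovider=https://__YOUR-WIKI-ADDRESS__/xwiki/oidc
+oidc.endpoint.authorization=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/auth
+oidc.endpoint.token=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/token
+oidc.endpoint.userinfo=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/userinfo
+oidc.scope=openid,profile,email,address
+oidc.endpoint.userinfo.method=GET
+oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
+oidc.user.subjectFormater=${oidc.user.subject}
+# oidc.groups.claim=xwiki_groups
+# oidc.groups.mapping=MyXWikiGroup=my-oidc-group
+# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
+# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
+# oidc.groups.allowed=
+# oidc.groups.forbidden=
+oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
+# oidc.userinforefreshrate=600000
+oidc.clientid=__KEYCLOAK-CLIENT-ID__
+oidc.secret=__KEYCLOAK-CLIENT-SECRET__
+oidc.endpoint.token.auth_method=client_secret_basic
+oidc.skipped=false
+{{/code}}
 
-**First Step**
-
-Install the extension mentioned above.
-
-**Second Step**
-
-Find (% class="mark" %)##xwiki.authentication.authclass##(%%) in (% class="mark" %)##xwiki.cfg##(%%) and comment it out with (% class="mark" %)###-###(%%) in the beginning. add below:
-
-(% class="mark" %)##xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl##
-
-Save (% class="mark" %)##xwiki.cfg##(%%)##.##
-
-**Thrid Step**
-
-Open (% class="mark" %)##xwiki.properties##(%%).
-
-Adopt the following to your settings and add this at the end of the file. (Note the bold and undelined parts.)
-
-
-(% class="mark" %)## oidc.xwikiprovider=https:~/~/__**YOUR-WIKI-ADDRESS**__/xwiki/oidc
- oidc.endpoint.authorization=https:~/~/__**KEYCLOAK-ADDRESS**__/auth/realms/__**REALM**__/protocol/openid-connect/auth
- oidc.endpoint.token=https:~/~/**__KEYCLOAK-ADDRESS__**/auth/realms/__**REALM**__/protocol/openid-connect/token
- oidc.endpoint.userinfo=https:~/~/**__KEYCLOAK-ADDRESS__**/auth/realms/__**REALM**__/protocol/openid-connect/userinfo
- oidc.scope=openid,profile,email,address
- oidc.endpoint.userinfo.method=GET
- oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
- oidc.user.subjectFormater=${oidc.user.subject}
- # oidc.groups.claim=xwiki_groups
- # oidc.groups.mapping=MyXWikiGroup=my-oidc-group
- # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
- # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
- # oidc.groups.allowed=
- # oidc.groups.forbidden=
- oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
- # oidc.userinforefreshrate=600000
- oidc.clientid=**__KEYCLOAK-CLIENT-ID__**
- oidc.secret=KEYCLOAK-CLIENT-SECRET
- oidc.endpoint.token.auth_method=client_secret_basic
- oidc.skipped=false##
-
-
-(% class="box infomessage" %)
-(((
-For futher configuration possibilites see [[https:~~/~~/extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#Hxwiki.properties>>url:https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#Hxwiki.properties]]
+{{info}}
+See [[futher configuration possibilites>>||anchor="Hxwiki.properties"]].
+{{/info}}
 )))
+* Adapt the following to your settings and import it to Keycloak (Again: Note the ##_~_XXX_~_## parts):(((
+{{code language='json'}}
+{
+ "clientId": "__CLIENT-ID__",
+ "name": "__CLIENT-NAME__",
+ "rootUrl": "https://__YOUR-WIKI-URL__",
+ "adminUrl": "https://__YOUR-WIKI-URL__",
+ "baseUrl": "https://__YOUR-WIKI-URL__",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://__YOUR-WIKI-URL__/*"
+ ],
+ "webOrigins": [
+ "https://__YOUR-WIKI-URL__"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": true,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": true,
+ "authorizationServicesEnabled": true,
+ "publicClient": false,
+ "frontchannelLogout": false,
+ "protocol": "openid-connect",
+ "attributes": {
+ "saml.assertion.signature": "false",
+ "saml.force.post.binding": "false",
+ "saml.multivalued.roles": "false",
+ "saml.encrypt": "false",
+ "saml.server.signature": "false",
+ "saml.server.signature.keyinfo.ext": "false",
+ "exclude.session.state.from.auth.response": "false",
+ "saml_force_name_id_format": "false",
+ "saml.client.signature": "false",
+ "tls.client.certificate.bound.access.tokens": "false",
+ "saml.authnstatement": "false",
+ "display.on.consent.screen": "false",
+ "saml.onetimeuse.condition": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": false,
+ "nodeReRegistrationTimeout": -1,
+ "protocolMappers": [{
+ "name": "Client Host",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientHost",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientHost",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "name": "Client IP Address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientAddress",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientAddress",
+ "jsonType.label": "String"
+ }
+ },
+ {
+ "name": "address",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-address-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.attribute.formatted": "formatted",
+ "user.attribute.country": "country",
+ "user.attribute.postal_code": "postal_code",
+ "userinfo.token.claim": "true",
+ "user.attribute.street": "street",
+ "id.token.claim": "true",
+ "user.attribute.region": "region",
+ "access.token.claim": "true",
+ "user.attribute.locality": "locality"
+ }
+ },
+ {
+ "name": "Client ID",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usersessionmodel-note-mapper",
+ "consentRequired": false,
+ "config": {
+ "user.session.note": "clientId",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "clientId",
+ "jsonType.label": "String"
+ }
+ }
+ ],
+ "defaultClientScopes": [
+ "web-origins",
+ "role_list",
+ "roles",
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+}
+{{/code}}
+)))
 
-**Fourth Step**
-Adopt the following to your settings and import it to keycloak. (Again: Note the bold an underlined parts.)
+{{warning}}
+After importing this to Keycloak, you have to generate a new Client-Secret and put it into ##xwiki.properties## under ##oidc.secret=__KEYCLOAK-CLIENT-SECRET__##.
+Aim is: In the end, Client-ID and Client-Secret have to match on Keycloak and in ##xwiki.properties##.
+{{/warning}}
 
-
-(% class="mark" %)## {
- "clientId": "__**CLIENT-ID**__",
- "name": "__**CLIENT-NAME**__",
- "rootUrl": "https:~/~/__**YOUR-WIKI-URL**__",
- "adminUrl": "https:~/~/**__YOUR-WIKI-URL__**",
- "baseUrl": "https:~/~/**__YOUR-WIKI-URL__**",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "redirectUris": [
- "https:~/~/__**YOUR-WIKI-URL**__/*"
- ],
- "webOrigins": [
- "https:~/~/**__YOUR-WIKI-URL__**"
- ],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": true,
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": true,
- "authorizationServicesEnabled": true,
- "publicClient": false,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "saml.assertion.signature": "false",
- "saml.force.post.binding": "false",
- "saml.multivalued.roles": "false",
- "saml.encrypt": "false",
- "saml.server.signature": "false",
- "saml.server.signature.keyinfo.ext": "false",
- "exclude.session.state.from.auth.response": "false",
- "saml_force_name_id_format": "false",
- "saml.client.signature": "false",
- "tls.client.certificate.bound.access.tokens": "false",
- "saml.authnstatement": "false",
- "display.on.consent.screen": "false",
- "saml.onetimeuse.condition": "false"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": false,
- "nodeReRegistrationTimeout": -1,
- "protocolMappers": [
- {
- "name": "Client Host",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientHost",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientHost",
- "jsonType.label": "String"
- }
- },
- {
- "name": "Client IP Address",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientAddress",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientAddress",
- "jsonType.label": "String"
- }
- },
- {
- "name": "address",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-address-mapper",
- "consentRequired": false,
- "config": {
- "user.attribute.formatted": "formatted",
- "user.attribute.country": "country",
- "user.attribute.postal_code": "postal_code",
- "userinfo.token.claim": "true",
- "user.attribute.street": "street",
- "id.token.claim": "true",
- "user.attribute.region": "region",
- "access.token.claim": "true",
- "user.attribute.locality": "locality"
- }
- },
- {
- "name": "Client ID",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-usersessionmodel-note-mapper",
- "consentRequired": false,
- "config": {
- "user.session.note": "clientId",
- "id.token.claim": "true",
- "access.token.claim": "true",
- "claim.name": "clientId",
- "jsonType.label": "String"
- }
- }
- ],
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "roles",
- "profile",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ],
- "access": {
- "view": true,
- "configure": true,
- "manage": true
- }
- }##
-
-
-(% class="box warningmessage" %)
-(((
-**After importing this to Keycloak you have to generate a new Client-Secret and put it into xwiki.properties under "**(% class="mark" %)##oidc.secret=KEYCLOAK-CLIENT-SECRET"##(%%)**.
-\\Aim is: In the end, Client-ID and Client-Secret have to match on Keycloak and in xwiki.properties.**
-)))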
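Review bot: The Keycloak client template in the new `{{code language='json'}}` block enables grant types the XWiki OIDC authenticator does not use: the properties side configures a confidential client (`"publicClient": false`) doing the code flow against the token endpoint with `oidc.endpoint.token.auth_method=client_secret_basic`, yet the import also turns on `"implicitFlowEnabled": true`, `"directAccessGrantsEnabled": true` and `"serviceAccountsEnabled": true` (plus `authorizationServicesEnabled`), each of which is an additional way to obtain tokens bound to this client and its secret. Unless a reader has another consumer that needs them, the template should ship with `"implicitFlowEnabled": false,` `"directAccessGrantsEnabled": false,` `"serviceAccountsEnabled": false,` and a sentence saying why. The wildcard `"redirectUris": ["https://__YOUR-WIKI-URL__/*"]` likewise lets Keycloak send an authorization code to any path on the wiki host; narrowing it to the authenticator's callback path (presumably under the `/xwiki/oidc` prefix that `oidc.xwikiprovider` points at — confirm against the extension documentation) limits where a code can be redirected. The new warning box would also benefit from one line noting that `oidc.secret` is stored in plaintext in `xwiki.properties`, so the file should be readable only by the servlet-container user and kept out of version control.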
