1 {{info}}
2 The steps below assume that you have a working Keycloak installation and that the clients can connect to both XWiki and Keycloak.
3 {{/info}}
4
5 {{info}}
6 You can find a short step-by-step guide to [[mapping LDAP groups to Keycloak and pushing them to XWiki>>Extension.OpenID Connect.OpenID Connect Authenticator.OpenID Authentication with Keycloak.Keycloak Group-Mapping.WebHome]].
7 {{/info}}
8
9 Follow these steps:
10 * Find ##xwiki.authentication.authclass## in ##xwiki.cfg## and comment it out by putting ###-### at the beginning of the line.
11 * Add the following line below it: ##xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl##
12 * Open ##xwiki.properties##, adapt the following to your settings and add it at the end of the file (note the ##_~_XXX_~_## placeholders, which must be replaced):(((
13 {{code language='properties'}}
# OpenID Connect authenticator settings for a Keycloak identity provider.
# Every __XXX__ placeholder must be replaced with your own value before use.
# NOTE(review): presumably the public URL of this wiki's own OIDC endpoint — confirm against the authenticator documentation.
14 oidc.xwikiprovider=https://__YOUR-WIKI-ADDRESS__/xwiki/oidc
# Keycloak realm endpoints for the authorization-code login: authorization, token exchange and user info.
# NOTE(review): the /auth prefix is the legacy Keycloak path and recent releases omit it by default — take the exact URLs from the realm's .well-known/openid-configuration.
15 oidc.endpoint.authorization=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/auth
16 oidc.endpoint.token=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/token
17 oidc.endpoint.userinfo=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/userinfo
# Scopes requested from Keycloak; "address" is only an optional client scope in the Keycloak client definition on this page.
18 oidc.scope=openid,profile,email,address
19 oidc.endpoint.userinfo.method=GET
# XWiki user name is derived from the Keycloak preferred_username, cleaned and lower-cased; the subject claim identifies the user.
20 oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
21 oidc.user.subjectFormater=${oidc.user.subject}
# Group synchronisation is disabled here (entries commented out); see the Keycloak group-mapping page linked above.
# NOTE(review): the mapping syntax looks like <XWiki group>=<OIDC group> — verify against the authenticator documentation.
22 # oidc.groups.claim=xwiki_groups
23 # oidc.groups.mapping=MyXWikiGroup=my-oidc-group
24 # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
25 # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
26 # oidc.groups.allowed=
27 # oidc.groups.forbidden=
# Additional user-info claims read by the wiki.
# NOTE(review): these look like custom claims that Keycloak must be configured to emit — confirm.
28 oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
# NOTE(review): user-info refresh interval; the unit looks like milliseconds (600000 = 10 min) — confirm.
29 # oidc.userinforefreshrate=600000
# Client credentials; both must match the Keycloak client (its clientId and the generated client secret).
# The secret is a credential: restrict read access to this file and keep it out of version control.
30 oidc.clientid=__KEYCLOAK-CLIENT-ID__
31 oidc.secret=__KEYCLOAK-CLIENT-SECRET__
# The client authenticates to the token endpoint with HTTP Basic (client_secret_basic), which requires a confidential (non-public) Keycloak client.
32 oidc.endpoint.token.auth_method=client_secret_basic
# NOTE(review): presumably keeps OIDC authentication active instead of bypassing it — confirm.
33 oidc.skipped=false
34 {{/code}}
35
36 {{info}}
37 See the [[further configuration options>>Extension.OpenID Connect.OpenID Connect Authenticator.WebHome||anchor="Hxwiki.properties"]].
38 {{/info}}
39 )))
40 * Adapt the following to your settings and import it into Keycloak (again, note the ##_~_XXX_~_## placeholders). Review the enabled flows before importing: the authenticator uses the authorization-code flow, so only ##standardFlowEnabled## is needed and ##implicitFlowEnabled##, ##directAccessGrantsEnabled##, ##serviceAccountsEnabled## and ##authorizationServicesEnabled## can be set to ##false## unless you rely on them; likewise ##redirectUris## should be narrowed from the whole site (##/*##) to the authenticator's callback path under ##/xwiki/oidc##:(((
41 {{code language='json'}}
42 {
43 "clientId": "__CLIENT-ID__",
44 "name": "__CLIENT-NAME__",
45 "rootUrl": "https://__YOUR-WIKI-URL__",
46 "adminUrl": "https://__YOUR-WIKI-URL__",
47 "baseUrl": "https://__YOUR-WIKI-URL__",
48 "surrogateAuthRequired": false,
49 "enabled": true,
50 "alwaysDisplayInConsole": false,
51 "clientAuthenticatorType": "client-secret",
52 "redirectUris": [
53 "https://__YOUR-WIKI-URL__/*"
54 ],
55 "webOrigins": [
56 "https://__YOUR-WIKI-URL__"
57 ],
58 "notBefore": 0,
59 "bearerOnly": false,
60 "consentRequired": false,
61 "standardFlowEnabled": true,
62 "implicitFlowEnabled": true,
63 "directAccessGrantsEnabled": true,
64 "serviceAccountsEnabled": true,
65 "authorizationServicesEnabled": true,
66 "publicClient": false,
67 "frontchannelLogout": false,
68 "protocol": "openid-connect",
69 "attributes": {
70 "saml.assertion.signature": "false",
71 "saml.force.post.binding": "false",
72 "saml.multivalued.roles": "false",
73 "saml.encrypt": "false",
74 "saml.server.signature": "false",
75 "saml.server.signature.keyinfo.ext": "false",
76 "exclude.session.state.from.auth.response": "false",
77 "saml_force_name_id_format": "false",
78 "saml.client.signature": "false",
79 "tls.client.certificate.bound.access.tokens": "false",
80 "saml.authnstatement": "false",
81 "display.on.consent.screen": "false",
82 "saml.onetimeuse.condition": "false"
83 },
84 "authenticationFlowBindingOverrides": {},
85 "fullScopeAllowed": false,
86 "nodeReRegistrationTimeout": -1,
87 "protocolMappers": [{
88 "name": "Client Host",
89 "protocol": "openid-connect",
90 "protocolMapper": "oidc-usersessionmodel-note-mapper",
91 "consentRequired": false,
92 "config": {
93 "user.session.note": "clientHost",
94 "id.token.claim": "true",
95 "access.token.claim": "true",
96 "claim.name": "clientHost",
97 "jsonType.label": "String"
98 }
99 },
100 {
101 "name": "Client IP Address",
102 "protocol": "openid-connect",
103 "protocolMapper": "oidc-usersessionmodel-note-mapper",
104 "consentRequired": false,
105 "config": {
106 "user.session.note": "clientAddress",
107 "id.token.claim": "true",
108 "access.token.claim": "true",
109 "claim.name": "clientAddress",
110 "jsonType.label": "String"
111 }
112 },
113 {
114 "name": "address",
115 "protocol": "openid-connect",
116 "protocolMapper": "oidc-address-mapper",
117 "consentRequired": false,
118 "config": {
119 "user.attribute.formatted": "formatted",
120 "user.attribute.country": "country",
121 "user.attribute.postal_code": "postal_code",
122 "userinfo.token.claim": "true",
123 "user.attribute.street": "street",
124 "id.token.claim": "true",
125 "user.attribute.region": "region",
126 "access.token.claim": "true",
127 "user.attribute.locality": "locality"
128 }
129 },
130 {
131 "name": "Client ID",
132 "protocol": "openid-connect",
133 "protocolMapper": "oidc-usersessionmodel-note-mapper",
134 "consentRequired": false,
135 "config": {
136 "user.session.note": "clientId",
137 "id.token.claim": "true",
138 "access.token.claim": "true",
139 "claim.name": "clientId",
140 "jsonType.label": "String"
141 }
142 }
143 ],
144 "defaultClientScopes": [
145 "web-origins",
146 "role_list",
147 "roles",
148 "profile",
149 "email"
150 ],
151 "optionalClientScopes": [
152 "address",
153 "phone",
154 "offline_access",
155 "microprofile-jwt"
156 ],
157 "access": {
158 "view": true,
159 "configure": true,
160 "manage": true
161 }
162 }
163 {{/code}}
164 )))
165
166 {{warning}}
167 After importing this into Keycloak, generate a new client secret and put it into ##xwiki.properties## as ##oidc.secret=_~_KEYCLOAK-CLIENT-SECRET_~_##.
168 The goal is that, in the end, the client ID and client secret match in Keycloak and in ##xwiki.properties##.
169 {{/warning}}
