Show last authors
1 {{info}}
2 The steps below assume, that you have a working Keycloak installation and the clients can connect to XWiki and Keycloak.
3 {{/info}}
4
5 * Find ##xwiki.authentication.authclass## in ##xwiki.cfg## and comment it out with ###-### in the beginning.
6 * Add below: ##xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl##
7 * Save ##xwiki.cfg##
8 * Open ##xwiki.properties## and adapt the following to your settings, and add this at the end of the file (Note the ##_~_XXX_~_## parts):(((
9 {{code language='properties'}}
10 oidc.xwikiprovider=https://__YOUR-WIKI-ADDRESS__/xwiki/oidc
11 oidc.endpoint.authorization=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/auth
12 oidc.endpoint.token=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/token
13 oidc.endpoint.userinfo=https://__KEYCLOAK-ADDRESS__/auth/realms/__REALM__/protocol/openid-connect/userinfo
14 oidc.scope=openid,profile,email,address
15 oidc.endpoint.userinfo.method=GET
16 oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
17 oidc.user.subjectFormater=${oidc.user.subject}
18 # oidc.groups.claim=xwiki_groups
19 # oidc.groups.mapping=MyXWikiGroup=my-oidc-group
20 # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
21 # oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
22 # oidc.groups.allowed=
23 # oidc.groups.forbidden=
24 oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
25 # oidc.userinforefreshrate=600000
26 oidc.clientid=__KEYCLOAK-CLIENT-ID__
27 oidc.secret=__KEYCLOAK-CLIENT-SECRET__
28 oidc.endpoint.token.auth_method=client_secret_basic
29 oidc.skipped=false
30 {{/code}}
31
32 {{info}}
33 See [[futher configuration possibilites>>||anchor="Hxwiki.properties"]].
34 {{/info}}
35 )))
36 * Adapt the following to your settings and import it to Keycloak (Again: Note the ##_~_XXX_~_## parts):(((
37 {{code language='json'}}
38 {
39 "clientId": "__CLIENT-ID__",
40 "name": "__CLIENT-NAME__",
41 "rootUrl": "https://__YOUR-WIKI-URL__",
42 "adminUrl": "https://__YOUR-WIKI-URL__",
43 "baseUrl": "https://__YOUR-WIKI-URL__",
44 "surrogateAuthRequired": false,
45 "enabled": true,
46 "alwaysDisplayInConsole": false,
47 "clientAuthenticatorType": "client-secret",
48 "redirectUris": [
49 "https://__YOUR-WIKI-URL__/*"
50 ],
51 "webOrigins": [
52 "https://__YOUR-WIKI-URL__"
53 ],
54 "notBefore": 0,
55 "bearerOnly": false,
56 "consentRequired": false,
57 "standardFlowEnabled": true,
58 "implicitFlowEnabled": true,
59 "directAccessGrantsEnabled": true,
60 "serviceAccountsEnabled": true,
61 "authorizationServicesEnabled": true,
62 "publicClient": false,
63 "frontchannelLogout": false,
64 "protocol": "openid-connect",
65 "attributes": {
66 "saml.assertion.signature": "false",
67 "saml.force.post.binding": "false",
68 "saml.multivalued.roles": "false",
69 "saml.encrypt": "false",
70 "saml.server.signature": "false",
71 "saml.server.signature.keyinfo.ext": "false",
72 "exclude.session.state.from.auth.response": "false",
73 "saml_force_name_id_format": "false",
74 "saml.client.signature": "false",
75 "tls.client.certificate.bound.access.tokens": "false",
76 "saml.authnstatement": "false",
77 "display.on.consent.screen": "false",
78 "saml.onetimeuse.condition": "false"
79 },
80 "authenticationFlowBindingOverrides": {},
81 "fullScopeAllowed": false,
82 "nodeReRegistrationTimeout": -1,
83 "protocolMappers": [{
84 "name": "Client Host",
85 "protocol": "openid-connect",
86 "protocolMapper": "oidc-usersessionmodel-note-mapper",
87 "consentRequired": false,
88 "config": {
89 "user.session.note": "clientHost",
90 "id.token.claim": "true",
91 "access.token.claim": "true",
92 "claim.name": "clientHost",
93 "jsonType.label": "String"
94 }
95 },
96 {
97 "name": "Client IP Address",
98 "protocol": "openid-connect",
99 "protocolMapper": "oidc-usersessionmodel-note-mapper",
100 "consentRequired": false,
101 "config": {
102 "user.session.note": "clientAddress",
103 "id.token.claim": "true",
104 "access.token.claim": "true",
105 "claim.name": "clientAddress",
106 "jsonType.label": "String"
107 }
108 },
109 {
110 "name": "address",
111 "protocol": "openid-connect",
112 "protocolMapper": "oidc-address-mapper",
113 "consentRequired": false,
114 "config": {
115 "user.attribute.formatted": "formatted",
116 "user.attribute.country": "country",
117 "user.attribute.postal_code": "postal_code",
118 "userinfo.token.claim": "true",
119 "user.attribute.street": "street",
120 "id.token.claim": "true",
121 "user.attribute.region": "region",
122 "access.token.claim": "true",
123 "user.attribute.locality": "locality"
124 }
125 },
126 {
127 "name": "Client ID",
128 "protocol": "openid-connect",
129 "protocolMapper": "oidc-usersessionmodel-note-mapper",
130 "consentRequired": false,
131 "config": {
132 "user.session.note": "clientId",
133 "id.token.claim": "true",
134 "access.token.claim": "true",
135 "claim.name": "clientId",
136 "jsonType.label": "String"
137 }
138 }
139 ],
140 "defaultClientScopes": [
141 "web-origins",
142 "role_list",
143 "roles",
144 "profile",
145 "email"
146 ],
147 "optionalClientScopes": [
148 "address",
149 "phone",
150 "offline_access",
151 "microprofile-jwt"
152 ],
153 "access": {
154 "view": true,
155 "configure": true,
156 "manage": true
157 }
158 }
159 {{/code}}
160 )))
161
162 {{warning}}
163 After importing this to Keycloak, you have to generate a new Client-Secret and put it into ##xwiki.properties## under ##oidc.secret=_~_KEYCLOAK-CLIENT-SECRET_~_##.
164 Aim is: In the end, Client-ID and Client-Secret have to match on Keycloak and in ##xwiki.properties##.
165 {{/warning}}

Get Connected