Comments on OpenID Authentication with Keycloak
Last modified by Andrey Sytchev on 2023/08/24 08:22
I did this. But what is my xwiki url for the redirection?
I tried: https://mywiki/xwiki/oidc but I receive a page saying that this page is not available.
How do I start the redirect process to Keycloak? The login dialog did not change and still shows me the login form.
Now, I am a step further :-)
For the import in Keycloak I had to remove the line
"alwaysDisplayInConsole": false
then the import was possible.
In xwiki.properties I changed this:
oidc.endpoint.token.auth_method=client_secret_basic
to this
oidc.endpoint.token.auth_method=client_secret_post
Then the integration with Keycloak works. But I have no idea how to set up the user roles/groups. At the moment all users have only the group "XWikiAllGroup". But I need at least some administrators.
What must be configured in the user roles/groups in Keycloak?
One more thing I had to configure. In xwiki.cfg I configured this line:
xwiki.home=https://MYWIKIDOMAIN/
Without this, the redirect URL pointed to http://localhost:8080/..... and the call failed on the Keycloak server.
Thanks for the hint with xwiki.home! I had the same issue that a port 80 (:80) was added to my redirect_uri before (even though https-only) I had changed this...
Have you figured out how to work out roles/groups to have user/admin roles?
I have figured it out. The way I have solved this: in Keycloak -> xwiki Client, using a Mapper, User Realm Role, with claim xwiki_goups adds a node xwiki_goups to the access token JSON. It appears that all roles of the user (e.g. assigned through a group in Keycloak) are added as a group in XWiki and the user is added to the XWiki groups. The Scoper (within client) settings can be used to filter out any roles that are not to appear as XWiki groups...
Greetings
From KC I see that authorization passes. At the same time, the user is redirected to an error page in which Tomcat swears at Proxy, but I do not use a proxy. XWiki is installed on Ubuntu, Catalina, Tomcat9.