OpenID Connect Provider

Last modified by Thomas Mortagne on 2024/09/09 00:23

Allow XWiki to act as an OpenID Connect provider
Recommended
Type: JAR
Category
Developed by: Thomas Mortagne
Active Installs: 132
Rating: 0 Votes
License: GNU Lesser General Public License 2.1
Compatibility

XWiki 14.10+ is required.

Installable with the Extension Manager

Description

Allow XWiki to act as an OpenID Connect provider.

See also OpenID Connect Authenticator.

[Screenshot: oidc_provider_consent.png]

Release notes can be found on OpenID Connect project page.

Token-based access

To let a client access any resource using only an OpenID Connect access token, you need to set up (in the xwiki.cfg configuration file) a special authenticator in XWiki. It acts as a bridge: it authenticates the user if a token is found in the request and otherwise falls back to the "real" authenticator.

xwiki.authentication.authclass=org.xwiki.contrib.oidc.provider.OIDCBridgeAuth

If you want to fall back on a specific authenticator, you can indicate its class using the property oidc.provider.authenticator.

Endpoints

Provider metadata

path: /oidc/

Authorization

path: /oidc/authorization

The entry point to authenticate a user and authorize the client to access the provider.

Supported methods:

Token

path: /oidc/token

Supported grant types:

  • authorization_code: generates an access token from the authorization code provided by the authorization endpoint

UserInfo

path: /oidc/userinfo

Returns information about the user.

Supported claims:

  • core OpenID Connect claims
  • xwiki_groups: the names (without the wiki and XWiki space parts) of the groups the user belongs to
  • xwiki_user_<fieldname>: pattern used to access any field of the user document (looked up first in the XWikiUsers object, then in the whole user document)

Configuration

The provider can be configured in the xwiki.properties file:

#-# Indicate the format of the subject (unique identifier) to return for a user.
#-# Can be one of the following:
#-# * FULL: the default, return the full reference of the XWiki user (xwiki:XWiki:MyUser)
#-# * LOCAL: return the local reference without the "XWiki" space part (MyUser)
# oidc.provider.subFormat=LOCAL
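The following is an added example, not code from the extension itself: a minimal relying-party helper for the endpoints described above (/oidc/authorization, /oidc/token, /oidc/userinfo) that also interprets the provider's custom UserInfo claims and both subFormat variants. The class name, the wiki base URL and the sample claim values are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode, urljoin, urlparse, parse_qs

class XWikiRelyingParty:
    """Builds the authorization_code flow requests for the /oidc/authorization
    and /oidc/token endpoints and checks the callback's state parameter."""

    def __init__(self, xwiki_base, client_id, redirect_uri):
        # xwiki_base is the wiki root (assumed, e.g. https://wiki.example.org/xwiki)
        self.base = xwiki_base.rstrip("/") + "/"
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self._pending = set()  # states issued but not yet consumed by a callback

    def authorization_url(self, scope="openid"):
        # A fresh, unguessable state binds the callback to this login attempt.
        state = secrets.token_urlsafe(32)
        self._pending.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return urljoin(self.base, "oidc/authorization") + "?" + urlencode(params), state

    def handle_callback(self, callback_url):
        # Reject callbacks whose state was never issued or was already used.
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [None])[0]
        if state not in self._pending:
            raise ValueError("unknown or replayed state")
        self._pending.discard(state)
        if "code" not in qs:
            raise ValueError("no authorization code in callback")
        return qs["code"][0]

    def token_request(self, code):
        # Endpoint and form body for the authorization_code grant at /oidc/token.
        return urljoin(self.base, "oidc/token"), {
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self.redirect_uri, "client_id": self.client_id}

def parse_userinfo(claims):
    """Map /oidc/userinfo claims to a local identity. 'sub' is the full reference
    (subFormat=FULL, the default, e.g. xwiki:XWiki:MyUser) or the local one
    (subFormat=LOCAL, e.g. MyUser); xwiki_groups / xwiki_user_<field> are custom claims."""
    sub = claims["sub"]
    local_name = sub.rsplit(":", 1)[-1]          # works for both FULL and LOCAL
    fields = {k[len("xwiki_user_"):]: v for k, v in claims.items()
              if k.startswith("xwiki_user_")}
    return {"sub": sub, "user": local_name,
            "groups": list(claims.get("xwiki_groups", [])), "fields": fields}
```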

Example with specific systems

Matrix Synapse

Customization

Templates

The provider uses one template to ask the user for their consent. This template can be overridden through the standard template system.

The name of the template is oidc/provider/consent.vm.

Limitations

The provider is not very cluster-friendly right now. The workaround is to make sure that OpenID Connect related requests always reach the same node.

Short URLs

If you use a short URL setup, you will have to add "oidc" to the known entry points (as is done for "webjars", for example).

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension. (Make sure that the text "Installable with the Extension Manager" is displayed at the top right of this page; it indicates that this extension can be installed with the Extension Manager.)

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

Dependencies

Dependencies for this extension (org.xwiki.contrib.oidc:oidc-provider 2.12.1):

  • org.xwiki.platform:xwiki-platform-oldcore 14.10
  • org.xwiki.platform:xwiki-platform-container-servlet 14.10
  • org.xwiki.contrib.oidc:oidc-api 2.12.1
  • com.nimbusds:oauth2-oidc-sdk 11.19
  • com.nimbusds:nimbus-jose-jwt 9.40
  • org.xwiki.platform:xwiki-platform-instance 14.10
  • org.xwiki.contrib:authservice-backport-api 1.1.1
