openid_connect_16x16.pngAllow XWiki to act as an OpenID Connect provider
Developed by

Thomas Mortagne

Active Installs227
0 Votes
LicenseGNU Lesser General Public License 2.1

Installable with the Extension Manager


Allow XWiki to act as an OpenID Connect provider.

See also OpenID Connect Authenticator.


Release notes can be found on OpenID Connect project page.

Token based access

In order to let a client access any resource just using an OpenID Connect access token you need to setup (in xwiki.cfg configuration file) a special authenticator in XWiki which act as a bridge to authenticate the use if a token is found in the request or fallback to the "real" authenticator.



Provider metadata

path: /oidc/


path: /oidc/authorization

Entry point to authenticate a user and authorize the client to access the provider.

Supported methods:


path: /oidc/token

Supported grand types:

  • authorization_code: generate an access token from the the authorization code provided by the authorization endpoint


path: /oidc/userinfo

Return informations about the user.

Supported claims:

  • core OpenID Connect claims
  • xwiki_groups: the names (without the wiki and the XWiki space parts) of the groups of the user
  • xwiki_user_<fieldname>: pattern used to access any field of the user document (search in the XWikiUsers object and then in the whole user document)



The provider use one template to ask the user for his consent. This template can be overwritten trough the standard template system.

The name of the template is oidc/provider/consent.vm.


The provider is not very cluster friendly right now. The workaround is to make sure OpenID Connect related requests always access the same node.

Short URLs

If you use short URL setup you will have to make sure to add "oidc" to the known entry points (same as "webjars" for example).

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions when being offline is currently not supported and you'd need to use some complex manual method.

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.


Dependencies for this extension (org.xwiki.contrib.oidc:oidc-provider 1.21.2):

  • org.xwiki.platform:xwiki-platform-oldcore 10.11
  • org.xwiki.platform:xwiki-platform-container-servlet 10.11
  • org.xwiki.contrib.oidc:oidc-api 1.21.2
  • com.nimbusds:oauth2-oidc-sdk 7.3
  • com.nimbusds:nimbus-jose-jwt 8.15
  • org.xwiki.platform:xwiki-platform-instance 10.11
Created by Thomas Mortagne on 2016/05/27 16:30

Get Connected