openid_connect_16x16.pngAllow XWiki to act as an OpenID Connect provider
Recommended
TypeJAR
Category
Developed by

Thomas Mortagne

Active Installs99
Rating
0 Votes
LicenseGNU Lesser General Public License 2.1

Installable with the Extension Manager

Description

Allow XWiki to act as an OpenID Connect provider.

See also OpenID Connect Authenticator.

oidc_provider_consent.png

Release notes can be found on OpenID Connect project page.

Allow clients to access any resource using an OpenID Connect access token

In order to let a client access any resource just using an OpenID Connect access token you need to setup (in xwiki.cfg configuration file) a special authenticator in XWiki which act as a bridge to authenticate the use if a token is found in the request or fallback to the "real" authenticator.

xwiki.authentication.authclass=org.xwiki.contrib.oidc.provider.OIDCBridgeAuth
{{code}}

= Endpoints =

== [[Provider metadata>>http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata]] ==

path: **/oidc/**

== [[Authorization>>http://openid.net/specs/openid-connect-core-1_0.html#Authentication]] ==

path: **/oidc/authorization**

Entry point to authenticate a user and authorize the client to access the provider.

Supported methods:

* [[Code Flow>>http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth]]
* [[Implicit Flow>>http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth]]

== Token ==

path: **/oidc/token**

Supported grand types:

* authorization_code: generate an access token from the the authorization code provided by the authorization endpoint

== [[UserInfo>>http://openid.net/specs/openid-connect-core-1_0.html#UserInfo]] ==

path: **/oidc/userinfo**

Return informations about the user.

Supported claims:

* [[core OpenID Connect claims>>http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.1]]
* ##**xwiki_groups**##: the names (without the wiki and the ##XWiki## space parts) of the groups of the user
* ##**xwiki_user_<fieldname>**##: pattern used to access any field of the user document (search in the XWikiUsers object and then in the whole user document)

= Customization =

== Templates ==

The provider use one template to ask the user for his consent. This template can be overwritten trough the standard [[template system>>Extension.Template Module]].

The name of the template is ##oidc/provider/consent.vm##.

= Limitations =

The provider is not very cluster friendly right now. The workaround is to make sure OpenID Connect related requests always access the same node.


= Prerequisites & Installation Instructions =

{{html clean="false" wiki="false"}}<p>We recommend using the <span class="wikiexternallink"><a href="http://extensions.xwiki.org/xwiki/bin/view/Extension/Extension+Manager+Application">Extension Manager</a></span> to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).</p><p>You can also use the manual method which involves dropping the JAR file and all its dependencies into the <span class="monospace">WEB-INF/lib</span> folder and restarting XWiki.</p>{{/html}}


= Dependencies =

Dependencies for this extension (org.xwiki.contrib.oidc:oidc-provider 1.14.2):
* org.xwiki.platform:xwiki-platform-oldcore 8.4
* org.xwiki.platform:xwiki-platform-container-servlet 8.4
* org.xwiki.contrib.oidc:oidc-api 1.14.2
* com.nimbusds:oauth2-oidc-sdk 5.44
* [[org.xwiki.platform:xwiki-platform-instance>>Extension.Instance Module]] 8.4
Tags:
    

Get Connected