OpenID Connect

Last modified by Thomas Mortagne on 2024/10/02 17:41

Various tools to manipulate OpenID Connect protocol in XWiki

Description

This project has two main goals:

  1. make it as easy as possible to use an XWiki instance as an identity provider for another XWiki instance
  2. make XWiki support what is becoming the most standard identity protocol on the Internet, both as a provider for other applications and as a client of reference identity providers

License: GNU Lesser General Public License 2.1
Sources: https://github.com/xwiki-contrib/oidc/
Issues: https://jira.xwiki.org/browse/OIDC

OpenID Connect

From https://openid.net/connect/:

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.

See http://openid.net/connect/faq/ for a set of answers to Frequently Asked Questions about OpenID Connect.

This project relies on the Nimbus OAuth 2.0 SDK with OpenID Connect extensions (which, among other things, offers parsers and processors for OpenID Connect requests and responses in Java) for its implementation.

See also the OpenID Connect Core Specification 1.0 and this overview of the OpenID Connect protocol:

The OpenID Connect protocol, in abstract, consists of the following steps.

1. The RP (Client) sends a request to the OpenID Provider (OP).
2. The OP authenticates the End-User and obtains authorization.
3. The OP responds with an ID Token and usually an Access Token.
4. The RP can send a request with the Access Token to the UserInfo Endpoint.
5. The UserInfo Endpoint returns Claims about the End-User.

These steps are illustrated in the following diagram:

+--------+                                   +--------+
|        |                                   |        |
|        |---------(1) AuthN Request-------->|        |
|        |                                   |        |
|        |  +--------+                       |        |
|        |  |        |                       |        |
|        |  |  End-  |<--(2) AuthN & AuthZ-->|        |
|        |  |  User  |                       |        |
|   RP   |  |        |                       |   OP   |
|        |  +--------+                       |        |
|        |                                   |        |
|        |<--------(3) AuthN Response--------|        |
|        |                                   |        |
|        |---------(4) UserInfo Request----->|        |
|        |                                   |        |
|        |<--------(5) UserInfo Response-----|        |
|        |                                   |        |
+--------+                                   +--------+
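The RP side of steps 1, 3 and 5 above, as an added example that is not part of this project or of the Nimbus SDK: it builds the authentication request with a fresh state and nonce, checks the state on the response, and applies the ID Token claim checks from OpenID Connect Core 1.0 (section 3.1.3.7) before trusting the subject. The endpoint URLs, client id and claim values are constructed sample data; signature verification of the ID Token is assumed to be done separately by a JOSE library before these checks run.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def new_session():
    # Fresh, unguessable state (binds the response to this browser session)
    # and nonce (binds the ID Token to this request); both are stored server-side.
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)

def build_authn_request(op_authz_endpoint, client_id, redirect_uri, state, nonce):
    # Step 1: Authentication Request (authorization code flow) sent to the OP.
    params = {
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{op_authz_endpoint}?{urlencode(params)}"

def parse_authn_response(redirect_url, expected_state):
    # Step 3: the OP redirects back with code + state; reject any mismatch
    # before the code is exchanged, so a foreign or replayed response is dropped.
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to this session")
    if "error" in qs:
        raise ValueError(f"OP returned error: {qs['error'][0]}")
    return qs["code"][0]

def validate_id_token_claims(claims, issuer, client_id, nonce, now):
    # ID Token claim checks (Core 1.0, 3.1.3.7); run after signature verification.
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured OP")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain our client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not our client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token not issued for this request")
    return claims["sub"]  # the stable End-User identifier to map to a local account
```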

The modules

  • org.xwiki.contrib.oidc:oidc-authenticator-object: generally used as a dependency to manipulate the xobjects stored by the OIDC authenticator in the user profile

Release Notes

All release notes

2.13.0

2.12.1

2.12.0

2.11.2

2.11.1

2.11.0

2.10.1

2.10.0

2.9.0

...