cogA generic XWiki authentication service based on pluggable adapters to provide trusted authentication from external sources
Developed by

Denis Gervalle

Active Installs44
0 Votes
LicenseGNU Lesser General Public License 2.1

Installable with the Extension Manager


A generic XWiki authentication service based on pluggable adapters to provide trusted authentication from external sources.

Report any bug or suggest new feature in JIRA TRUSTAUTH project

This extension bridge the old XWikiAuthService with the new component architecture of XWiki. It is oriented to ease the development of trusted authenticators by using configurable adapter components, that bridge the effective trusted authentication with a generic authenticator. Out of the box, you get user creation, configurable user properties synchronization and group membership synchronization.

Some default adapters will be provided over time, actually starting with a reimplementation of the headers authenticator.

Trusted authenticator API

The general behavior of the trusted authentication is:

  • If persistent store is trusted and not null, return the already authenticated user
  • getUserId() from the adapter:
    • if user is null,
      • if persistent store is trusted on missing authentication and not null, return the already authenticated user
      • else clear the persistent store and return with public access
    • else compute the user profile reference from getUserName(), replacing some characters based on the xwiki.authentication.trusted.userProfileReplacements configuration and applying character case changes based on xwiki.authentication.trusted.userProfileCase
    • if user is found in persistence store, return that authenticated user
    • else, check user for existance:
      • if the user exists, synchronize user properties and group membership
      • else create user and synchronize group membership
      • stores the authenticated user to persistence store and returns it

Currently, it is mandatory that getUserId() and getUserName() returns the exact same value. In a future version it is expected that only getUserId() should be unique, and getUserName() a more meaningful value that may have duplicates, without causing confusions.

General configuration

xwiki.cfg file

#-# Replace the default XWikiAuthService authentication

#-# Define the hint of the TrustedAuthenticationAdapter that should be used for providing the effective
#-# trusted authentication. This parameter is mandatory.
#-# Here is an example for the HeadersTrustedAuthenticationAdapter:

#-# Define the hint of the AuthenticationPersistenceStore that will be used to persist authentication between
#-# requests. The default is to use the SessionAuthenticationPersistenceStore, which will store authentication
#-# information into the Servlet container session.
#-# Another option is to use the CookieAuthenticationPersistenceStore (hint: cookie), that will store the
#-# information into an encrypted cookie. The cookie prefix, domain, path and encryption is customizable using the
#-# same configuration as the standard authentication services (xwiki.authentication.cookieprefix,
#-# xwiki.authentication.cookiepath, xwiki.authentication.cookiedomains and xwiki.authentication.encryptionKey)
# xwiki.authentication.trusted.persistenceStoreHint=session

#-# By default the persistence store is not trusted, but only used to optimize the synchronization process.
#-# If the authentication process is time consuming, you may improve performance by trusting the authentication
#-# provided by the persistence store and prevent requesting the external authentication with every request,
#-# simply uncomment:
# xwiki.authentication.trusted.isPersistenceStoreTrusted=true

#-# If the authentication process is not time consuming, but authetication is not provided with every request,
#-# you may also keep the above setting commented, but you may want to trust the authentication provided by
#-# the persistence store when a request is made without authentication, allowing some persistence but still
#-# giving the priority to the external authentication when provided. This allow a smoother experience especially
#-# when user switching occurs in the same browser, simply uncomment:
# xwiki.authentication.trusted.isPersistenceStoreTrustedOnMissingAuthentication=true

#-# Only used with the Cookie persistence store, allow setting the cookie Time To Live in seconde to keep
#-# persistence between browser restart. The default is to use a session cookie.
#-# Here is an example using a 1 day TTL, which means the persistence is kept for 1 day after last response.
#-# Combine with the above parameter, this could also keep the authentication for a longer period than
#-# the one of the external authenticator, but this is obviously less secure.
# xwiki.authentication.trusted.persistenceStoreTTL=84600

#-# By default, on failure to find an authenticated user, the authentication fallback (to a custom fallback or
#-# the default XWiki authentication). To prevent fallbacking, and return public access on failure to find an
#-# authenticated user, simply uncomment:
# xwiki.authentication.trusted.isAuthoritative=true

#-# Only applicable if the previous parameter is true, this allow defining the classname of the
#-# XWikiAuthService to fallback to. By the fault, the authenticator fallback to the default XWikiAuthService
#-# implementation, and you should not uncomment the following with targetting another service, since it will
#-# just have a negative performance impact.
# xwiki.authentication.trusted.fallbackAuthenticator=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl

#-# Define the letter case transformation that needs to be applied on username provided by the adapter
#-# to create the name of the user profile page. This letter case transformation is done first, before the
#-# replacements defined in the next parameter. The default is to lowercase the username.
#-# Possible transformation are: lowercase (default), uppercase, titlecase, none
# xwiki.authentication.trusted.userProfileCase=none

#-# Define characters or substring replacements to be applied on the username provided by the adapter after
#-# the above case transformation, to create the name of the user profile page. Replacement are of the form
#-# find=replace and separated by pipes. The default is to not make any replacement
#-# Before the introduction of this parameter, the default was different, you can reactivate it by uncommenting:
# xwiki.authentication.trusted.userProfileReplacements=.==|@=_

#-# Mapping between XWiki group name and external authentication role name.
#-# Mapping are separated with the pipe character, and the same XWiki group can be mapped multiple times to
#-# different external roles.
# xwiki.authentication.trusted.groupsMapping=XWiki.XWikiGroupA=groupA|XWiki.XWikiGroupB=groupB|XWiki.XWikiGroupA=groupAbis

#-# Mapping between XWiki users property name and external user property names.
# xwiki.authentication.trusted.propertiesMapping=email=mail|first_name=givenname|last_name=sn


While not recommended, it's also possible to put any of theses configuration in the XWiki.XWikiPreferences object in the XWiki.XWikiPreferences page of the main wiki. Add a string field with the proper name to the class and put the value you want.

The fields names are not exactly the same, you have to change xwiki.authentication.trusted. prefix to trustedauth_:

xwiki.authentication.trusted.adapterHint -> trustedauth_adapterHint

For performance reason, most parameters are cached at startup, so changing those parameters in the preferences is not sufficient, you also need to restart XWiki for them to be taken into account.


Debug log

<!-- Authentication debugging -->
<logger name="org.xwiki.contrib.authentication" level="trace"/>

See Logging in the Admnistration Guide for general information about logging in XWiki.

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager).

You can also use the manual method which involves dropping the JAR file and all its dependencies into the WEB-INF/lib folder and restarting XWiki.

  • copy this xwiki-authenticator-trusted-api jar file into WEB_INF/lib/ (or install with EM for XWiki >6.1)
  • provide an authentication adapter component (or install one from another module in this repository)
  • setup xwiki.cfg

Release Notes



No changes in the frameworks.

Fixes applied to headers adapters:


Fixes applied to headers adapters:


Fixes applied to adapters (if any):


Fixes applied to adapters (if any):


Dependencies for this extension (org.xwiki.contrib.authentication:xwiki-authenticator-trusted-api 1.3.2):

  • org.xwiki.platform:xwiki-platform-oldcore 5.4.1
Created by Denis Gervalle on 2016/01/18 15:54

Get Connected