Authenticate REST API calls with OAuth2/OIDC access tokens

I have an XWiki installation and have configured the OIDC Authenticator to work with Microsoft/Azure Entra ID. It works great for normal user SSO. Now I would like to be able to call the XWiki REST API with access tokens generated by Entra from another OAuth2-authenticated web application. Entra supports the on-behalf-of flow exactly for that purpose.

(diagram: protocols-oauth-on-behalf-of-flow)

My web application is Web API A in the diagram and XWiki should be Web API B.

However, as I currently understand from reading the source and previous discussions, this flow doesn’t work. The XWiki OIDC Authenticator extension doesn’t check for bearer tokens and doesn’t validate them. The XWiki OIDC Provider extension checks for bearer tokens it itself issued and doesn’t support external providers.

What my use case requires is for the XWiki OIDC Authenticator extension to check for present bearer tokens, to parse them as JWTs, and to validate them against its configured OIDC provider (Entra in my case).

Is this something that anyone has done with XWiki before? Did I miss anything? Would you like this use case covered by XWiki OIDC contrib project? @tmortagne what do you think?


This use case is indeed not covered right now. Currently, you would have to create a token using the XWiki Provider UI in the user’s profile (and set up the provider bridge as authenticator).

Sounds like an interesting feature to add, yes. In general, I’m all for having this extension support as much of the OAuth2/OIDC protocol and its (many many) extensions.

If you feel like working on this, I guess the right place to check the bearer token would probably be OIDCAuthServiceImpl (oidc/oidc-authenticator/src/main/java/org/xwiki/contrib/oidc/auth/OIDCAuthServiceImpl.java on the master branch of xwiki-contrib/oidc on GitHub).


You can extend the org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl class and override the com.oocl.xwiki.CustomAuthenticationServiceImpl#checkAuth(com.xpn.xwiki.XWikiContext) method; when the access token is invalid, call super.checkAuth(context).
I’ve done this before.
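The override described in the reply above, written out as an added example. This is not code from xwiki-contrib/oidc or from the poster; it assumes the Nimbus JOSE+JWT library that the OIDC extension already ships, and the issuer, JWKS URL, audience and class name (BearerTokenOIDCAuthService) are placeholders for a real Entra tenant and app registration. The subject-to-wiki-user mapping in resolveWikiUser is also an assumption; a real deployment should reuse whatever mapping the authenticator applies for browser SSO so that a bearer-token caller lands on the same user document as the SSO user.

```java
package org.example.xwiki.oidc; // hypothetical package, not part of xwiki-contrib/oidc

import java.net.URL;
import java.text.ParseException;
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.user.api.XWikiUser;

import org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl;

/**
 * Authenticator that accepts an Entra-issued bearer token on REST calls and otherwise defers to the
 * normal OIDC authenticator (cookie/session SSO). Example code; names below are assumptions.
 */
public class BearerTokenOIDCAuthService extends OIDCAuthServiceImpl
{
    private static final String BEARER_PREFIX = "Bearer ";

    // Assumed deployment values: the tenant's v2.0 issuer, the JWKS endpoint it publishes, and the
    // audience (Application ID URI or client ID) Entra puts in tokens minted for this API ("Web API B").
    private static final String ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    private static final String JWKS_URL = "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys";
    private static final String AUDIENCE = "api://<xwiki-app-id>";

    private final DefaultJWTProcessor<SecurityContext> jwtProcessor;

    public BearerTokenOIDCAuthService() throws Exception
    {
        this.jwtProcessor = new DefaultJWTProcessor<>();

        // Signing keys come from the provider's JWKS (fetched and cached by Nimbus). Only RS256 is accepted,
        // so "alg":"none" or a symmetric alg carrying the public key as its secret is rejected at key selection.
        JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(new URL(JWKS_URL));
        this.jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));

        // Claims: audience must contain AUDIENCE, issuer must match exactly, sub/exp/iat must be present;
        // exp and nbf are enforced with Nimbus' default clock skew. A token for another API fails here.
        this.jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
            AUDIENCE,
            new JWTClaimsSet.Builder().issuer(ISSUER).build(),
            Set.of("sub", "exp", "iat")));
    }

    @Override
    public XWikiUser checkAuth(XWikiContext context) throws XWikiException
    {
        String header = context.getRequest().getHeader("Authorization");
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            String token = header.substring(BEARER_PREFIX.length()).trim();
            try {
                JWTClaimsSet claims = this.jwtProcessor.process(token, null);
                String wikiUser = resolveWikiUser(claims);
                if (wikiUser != null) {
                    return new XWikiUser(wikiUser);
                }
            } catch (Exception e) {
                // Signature, issuer, audience or lifetime check failed: the token authenticates nobody.
                // Falling through means the request is handled like any request without a valid token
                // (session/cookie auth); a stricter variant would answer 401 here instead. Log it either way.
            }
        }
        return super.checkAuth(context);
    }

    /**
     * Map validated claims to a wiki user reference. Assumption for this example: the user document is
     * named after the token's "oid" claim (the stable Entra object id); adjust to the mapping the
     * authenticator uses for SSO users.
     */
    private String resolveWikiUser(JWTClaimsSet claims) throws ParseException
    {
        String oid = claims.getStringClaim("oid");
        if (oid == null || oid.isEmpty()) {
            return null;
        }
        return "XWiki." + oid;
    }
}
```

The class is wired in the same way the OIDC authenticator itself is, by pointing `xwiki.authentication.authclass` in xwiki.cfg at it instead of at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl. Two things to verify on a real deployment before trusting this path: that the audience check matches what Entra actually puts in tokens obtained through the on-behalf-of flow for the XWiki app registration (an access token scoped to Web API A must not be accepted by Web API B), and that the same `oid`-based mapping is what the browser SSO path produces, otherwise one Entra identity ends up with two wiki users and two sets of rights.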