Creating Users via Rest API

Hello everyone,

currently I am working on a script for the following use case:
We have an XWiki instance authenticating its users against a Keycloak instance via the OpenID Connect extension. Since the aim is to get users going as quickly as possible with the right permissions, we have to use a laborious process to create users beforehand and not wait for the autocreation after their first OIDC login: Users are created in Keycloak and XWiki, then manually connected by creating the OIDC.UserClass object, after which permission-groups are assigned. Because the number of new users is high, I would like to create a small external app that executes this work - mainly the user creation and connection.
For various reasons I have to rely on XWiki’s web interfaces for this. My problem is now that creating a user via REST API calls does not seem like a trivial feat. From my research it seems like I have the following options:

1. Use official REST API

According to documentation

  • Create a new page named after the user id under the XWiki space
  • Add a user object to that page
  • Give the new user edit rights on the page
  • Add the new user to XWikiAllGroup
  • Add the OIDC.UserClass
    (Sure, optimization might be possible by adding the objects to the new page’s representation right away, but I am very strained by figuring everything out and this keeps it cleaner in my head :D)

My problem with this approach is how hard everything was to figure out. I was digging in the source code for a long time to find the right lines on what XWiki does internally when a new user is created just to recreate it via the official API. The difficulty in research made me refrain from this approach since I don’t want to run into the risk of missing anything and corrupting the future users created via my helper app as a result. For that reason, I looked for a second option:

2. Use XWiki's Registration Form Page

I found out that I can just POST to the XWiki page that provides the standard user creation / registration form to create a new user, namely XWiki.XWikiRegister. The obvious upside is the benefit of being sure that the users are created in the “proper way”. However, there is the downside that I feel like I am using a “hack” when doing it this way since this seems to be meant as a GUI. Additionally, this approach requires a server-side validated password to be set, which is not something I would like to be present. Due to the OIDC extension, an XWiki password is not necessary and it would be safest for the users to not be able to log in through XWiki at all (by default).

My questions

What do you guys think is the most valid/safe approach here? Is there maybe an approach I am missing?

Thanks!
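
Added example, not part of the original post and not XWiki project code: a Python sketch that builds, without sending, the five REST requests listed under option 1, rejects user ids that could alter the page path, and sends no `password` property. The base URL, the id policy, the wiki name `xwiki`, the full class reference `XWiki.OIDC.UserClass` and its `issuer`/`subject` properties are assumptions to check against the installed OIDC extension.

```python
import re
from urllib.parse import quote, urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}
USER_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed id policy: no dots, slashes or spaces
OIDC_CLASS = "XWiki.OIDC.UserClass"  # assumption: verify class and property names on your instance


def _add_object(base, page, class_name, props):
    """Build the POST that adds one object of class_name to page XWiki.<page>."""
    fields = {"className": class_name}
    fields.update({f"property#{name}": value for name, value in props.items()})
    url = f"{base}/rest/wikis/xwiki/spaces/XWiki/pages/{quote(page, safe='')}/objects"
    return ("POST", url, FORM, urlencode(fields))


def build_user_requests(base, user_id, first, last, email, issuer, subject):
    """Return the five requests in the order of the post's list, as (method, url, headers, body)."""
    if not USER_ID.fullmatch(user_id):
        raise ValueError(f"refusing unsafe user id: {user_id!r}")
    ref = f"XWiki.{user_id}"
    page_url = f"{base}/rest/wikis/xwiki/spaces/XWiki/pages/{quote(user_id, safe='')}"
    return [
        # 1. create the profile page
        ("PUT", page_url, FORM, urlencode({"title": user_id})),
        # 2. user object; no "password" property is sent (confirm on a test
        #    instance that local login is then refused)
        _add_object(base, user_id, "XWiki.XWikiUsers",
                    {"first_name": first, "last_name": last, "email": email, "active": "1"}),
        # 3. edit right for the user on their own page only
        _add_object(base, user_id, "XWiki.XWikiRights",
                    {"users": ref, "levels": "edit", "allow": "1"}),
        # 4. membership in XWikiAllGroup
        _add_object(base, "XWikiAllGroup", "XWiki.XWikiGroups", {"member": ref}),
        # 5. link to the Keycloak identity
        _add_object(base, user_id, OIDC_CLASS, {"issuer": issuer, "subject": subject}),
    ]


if __name__ == "__main__":
    # Constructed sample values
    for method, url, _headers, body in build_user_requests(
            "https://wiki.example.org/xwiki", "jdoe", "Jane", "Doe", "jdoe@example.org",
            "https://sso.example.org/realms/demo", "constructed-subject-id"):
        print(method, url, body)
```

The requests can be sent with any HTTP client under an account that has edit rights on the XWiki space; running the plan against a test instance and comparing the resulting page with an auto-created OIDC user shows whether anything is missing.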