Hello,
currently I am working on securing an XWiki Instance that is using oidc with Keycloak for authentication. Now I am looking into limiting the ways users (or attackers) can circumvent using Keycloak (with its MFA) for authentication.
As I understand it, when using the oidc authenticator the local login can still be used by appending the reserved query to the url. I think this might not be optimal in terms of security since it means that password-based authentication can still be used. Also, it enables users to circumvent oidc/Keycloak by setting their own (potentially weak) password in the user settings and then using it. I know that some applications (like GitLab) allow disabling local authentication. Can I achieve this with XWiki as well? So far, I did not find a way and I am also wondering if it is even technically feasible since the API relies on XWiki username,password as well.
Additionally, I am looking for a way to remove (or reset) passwords from user accounts since some users might still have old ones due to them beeing created pre-oidc. My current approach would be writing a script that goes through and edits all user objects but this also seems kind of “hacky” to me.
Long story short: I would be interested if some of you face similar problems. Or if I am overthinking this and you maybe have different approaches or don’t think this is necessary or improving security at all. Main questions:
- Is there a way to disable local username,password auth at all (when using the oidc authenticator)?
- Is there an easy way to reset all passwords?