Group level restriction in xwiki for keycloak as oidc

Hi Team,

I’ve installed XWiki locally through Docker and recently upgraded the login mechanism to OIDC using Keycloak.

Is there any way to restrict XWiki login to a specific group only in OIDC?

All the options are listed on https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#Hxwiki.properties. Among them you will find oidc.groups.allowed.

Thanks for sharing the blog…

  • Working correctly, but getting a 500 error for a non-allowed user… Is there any workaround to hide that?

Error Log:

org.xwiki.contrib.oidc.provider.internal.OIDCException: The user is not allowed to authenticate because it’s not a member of the following groups: [wiki_users]
org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.checkAllowedGroups(OIDCUserManager.java:257)
org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUser(OIDCUserManager.java:331)
org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:251)
org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:138)
org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
Note The full stack trace of the root cause is available in the server logs.

  • OIDC Discovery URL

Also, sometimes for .well-known/openid-configuration XWiki is taking the oidc.xwikiprovider URL instead of the OpenID URL.

Error log:

Caused by: java.io.IOException: Couldn’t download OpenID Provider metadata from https://wiki.iqa.com/xwiki/oidc/.well-known/openid-configuration: Status code 404
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1858)
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1820)
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1783)
at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getClientProvider(OIDCClientConfiguration.java:753)
at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getClientProvider(OIDCClientConfiguration.java:737)
at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getEndPoint(OIDCClientConfiguration.java:639)
at org.xwiki.contrib.oidc.auth.internal.OIDCClientConfiguration.getLogoutOIDCEndpoint(OIDCClientConfiguration.java:702)
at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.logout(OIDCUserManager.java:892)
at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuthOIDC(OIDCAuthServiceImpl.java:123)
at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuth(OIDCAuthServiceImpl.java:92)
… 49 common frames omitted

Not right now, but don’t hesitate to create an improvement issue if you have some idea of how to better show this error.

It’s not very clear to me what you are asking. If https://wiki.iqa.com/xwiki/ is an XWiki instance, then that error suggests you did not install the OIDC provider (.well-known/openid-configuration is where the OIDC configuration is supposed to be located according to OIDC protocol specifications and it is exposed by the XWiki OIDC provider, see for example https://www.xwiki.org/xwiki/oidc/.well-known/openid-configuration).

Is there any way to show an access denied message or any custom message to inform the user that they don’t have access?

Actually, the same is working sometimes, but sometimes I get an error that it’s not able to retrieve the OpenID Provider metadata… But the main agenda is to redirect the login to our Keycloak, and sometimes it’s not working, showing that it’s not able to access the OpenID config URL.

Here is a snip of my installed extensions. Kindly let me know if I need to add any others.

In that case, I don’t understand the relationship with the XWiki provider if you don’t want to use it.

Thanks for the quick response.

Based on my issue, please suggest a sample example config for using an external OIDC server (e.g. Keycloak) where XWiki needs to act as a client only.

There is nothing special about configuring XWiki compared to any OpenID Connect client.

The most important is oidc.provider because this will gather most of the standard OIDC configuration directly from the provider, but I cannot tell you which exact value to put in it, it depends on the provider you are using.

The other properties are mainly here to either workaround non-standard OIDC providers, or to configure XWiki Authenticator specific things (group synchronization, custom name of the user id in XWiki, etc.).

I’m using Keycloak as the OIDC provider. Please check below and suggest any corrections.

oidc.xwikiprovider=https://wiki.iqa.com/xwiki/oidc
oidc.endpoint.authorization=https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/auth
oidc.endpoint.token=https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/token
oidc.endpoint.userinfo=https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/userinfo
oidc.scope=openid,profile,email,address
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
oidc.clientid=wiki
oidc.secret=###################
oidc.endpoint.token.auth_method=client_secret_basic
oidc.groups.allowed=wiki_users

I’ve used this link as reference. xwiki-oidc-setup

Are you sure this points to your Keycloak provider? The path looks a lot like an XWiki provider and, more importantly, does not look anything like the endpoints you indicated after it (which, as I said, are supposed to be indicated in the provider configuration already, so you usually don’t need to set them).

As indicated in the documentation, this is the default, so no need to set them.
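The two replies above make one point: with an external OpenID Provider, oidc.provider names the issuer, XWiki fetches <issuer>/.well-known/openid-configuration from it, and the authorization/token/userinfo endpoints come out of that document, so hand-set oidc.endpoint.* values are at best redundant and at worst in conflict with it. The following script is an added example written for this thread, not code from the XWiki OIDC authenticator or from Keycloak. It checks the configuration posted earlier in the thread against a constructed discovery document shaped like Keycloak's, and emits the minimal client-only configuration instead. The issuer https://oneauth.iqa.com/realms/IQA is assumed from the endpoint URLs in the posted config; the discovery document, the helper names and the finding texts are the example's own.

```python
"""Check an XWiki OIDC client configuration against the provider's discovery document.

Added example for the thread above; not part of the XWiki OIDC authenticator.
The discovery document is constructed to look like Keycloak's, not fetched.
"""
import json
from urllib.parse import urlsplit

# Constructed: what Keycloak would serve at <issuer>/.well-known/openid-configuration
# for a realm named IQA on https://oneauth.iqa.com (issuer assumed from the posted endpoints).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://oneauth.iqa.com/realms/IQA",
  "authorization_endpoint": "https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/auth",
  "token_endpoint": "https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/token",
  "userinfo_endpoint": "https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/logout",
  "jwks_uri": "https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/certs"
}""")

# The xwiki.properties fragment posted in the thread (secret left as the placeholder it was posted with).
POSTED_CONFIG = """
oidc.xwikiprovider=https://wiki.iqa.com/xwiki/oidc
oidc.endpoint.authorization=https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/auth
oidc.endpoint.token=https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/token
oidc.endpoint.userinfo=https://oneauth.iqa.com/realms/IQA/protocol/openid-connect/userinfo
oidc.scope=openid,profile,email,address
oidc.endpoint.userinfo.method=GET
oidc.clientid=wiki
oidc.secret=###################
oidc.endpoint.token.auth_method=client_secret_basic
oidc.groups.allowed=wiki_users
"""

# xwiki.properties key -> the discovery-document field it duplicates.
ENDPOINT_KEYS = {
    "oidc.endpoint.authorization": "authorization_endpoint",
    "oidc.endpoint.token": "token_endpoint",
    "oidc.endpoint.userinfo": "userinfo_endpoint",
}


def discovery_url(issuer: str) -> str:
    """Where an OP publishes its metadata (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def parse_properties(text: str) -> dict:
    """Minimal Java-properties parser: key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_client_config(props: dict, discovery: dict) -> list:
    """Return human-readable findings; an empty list means the config agrees with discovery."""
    findings = []
    issuer = discovery["issuer"].rstrip("/")
    provider = props.get("oidc.provider")
    if provider is None:
        findings.append("oidc.provider is not set: XWiki has no issuer to run discovery against")
    elif provider.rstrip("/") != issuer:
        findings.append(f"oidc.provider {provider} is not the issuer {issuer} advertised by the metadata")
    xwiki_provider = props.get("oidc.xwikiprovider")
    if xwiki_provider and provider is None:
        findings.append(f"oidc.xwikiprovider={xwiki_provider} is set but oidc.provider is not; "
                        "an external OP such as Keycloak is configured through oidc.provider")
    if xwiki_provider and urlsplit(xwiki_provider).netloc != urlsplit(issuer).netloc:
        findings.append(f"oidc.xwikiprovider host {urlsplit(xwiki_provider).netloc} differs from the OP host "
                        f"{urlsplit(issuer).netloc}; metadata requests there will not reach the OP")
    for key, field in ENDPOINT_KEYS.items():
        value = props.get(key)
        if value is None:
            continue
        if value == discovery.get(field):
            findings.append(f"{key} duplicates {field} from discovery and can be dropped")
        else:
            findings.append(f"{key}={value} disagrees with discovery {field}={discovery.get(field)}")
    return findings


def build_minimal_config(issuer: str, client_id: str, secret: str, allowed_groups: list) -> str:
    """Client-only configuration: issuer, credentials and the group restriction, nothing else."""
    return "\n".join([
        f"oidc.provider={issuer.rstrip('/')}",
        f"oidc.clientid={client_id}",
        f"oidc.secret={secret}",
        f"oidc.groups.allowed={','.join(allowed_groups)}",
    ]) + "\n"


if __name__ == "__main__":
    for finding in check_client_config(parse_properties(POSTED_CONFIG), SAMPLE_DISCOVERY):
        print("-", finding)
    print(build_minimal_config(SAMPLE_DISCOVERY["issuer"], "wiki", "<secret>", ["wiki_users"]))
```

Run against a live realm, the same check would first GET discovery_url(issuer) and feed the JSON to check_client_config; the 404 in the trace above is exactly what that GET returns when the URL is built from an XWiki path rather than the OP's issuer. Anything the script reports as "can be dropped" is a property the provider already supplies, and anything "disagrees" is a property that will silently win over what the provider publishes.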