Implementing OIDC auto-login

peter.viskup · July 15, 2025, 7:22am

We have information portal which implements OIDC. Users are redirected to xWiki URIs from the portal.

Just trying to figure out how the auto-login can be implemented in xWiki with use of OpenID Connect Authenticator (XWiki.org)

Does the OIDC Autenticator support OIDC auto-login? Seems that the Prompt.Type=NONE needs to be supported on oidc/oidc-provider/src/main/java/org/xwiki/contrib/oidc/provider/internal/endpoint/AuthorizationOIDCEndpoint.java at 21dc41f319bb02139c7a7d106f332be2f41ff964 · xwiki-contrib/oidc · GitHub

The other option might be the change of portal redirection URI pointing to xWiki Login URI with redirect argument of requested xWiki page.
Something similar to the following

https://XWIKI_BASE_URI/login/XWiki/XWikiLogin?xredirect=%2Fwiki%2Fbin%2Fview%2FDocuments%2Fproject_3485%2Fproject_document1%2F&loginLink=1

Could you, please, let me know the working solution? Are there any changes in OIDC Extension required?

tmortagne · July 21, 2025, 3:51pm

It depends on what is exactly your idea of how it should behave.

If you expect that all users accessing the wiki should be logged in, then all you need to do is disable guest user access. In such a case, when a user access XWiki, he will automatically be redirected to the OIDC provider and quickly back to XWiki (provided he is already logged on the provider, of course, otherwise he will be prompted to login there the first time).

If that wiki is public then indeed there is no real auto login right now, it’s basically what Loading... is about and did not had much time to think about the best way to implement that yet.

peter.viskup · July 22, 2025, 12:49pm

Thank you, Thomas,
the proposal for disabling guest access is acceptable for us.
Just to make us sure.

We have global wiki and more sub-wikis (spaces). The guest access needs to be disabled on global instance with sub-wikis with requirement of public access.
According the Content Organization (XWiki.org) it might work…

Are there any constraints or limitations we need to be aware of?

tmortagne · July 22, 2025, 4:21pm

Yes. The cleanest usually to create a private wiki/instance is to give the VIEW right explicitly to XWikiAllGroup (which contains all authenticated users), which in turn will make guest users loose that right. And subwikis will inherit the same setup from the main wiki.

Private wiki is a very common setup (even if not the default one).

peter.viskup · July 23, 2025, 6:02am

Can just confirm the solution as “working”.
The global wiki space is set to “private”, while other sub-wiki spaces have their own access rights (publicly available).