Hi, this is a question aimed at the developer of the extension, @tmortagne.
Is there a way to ‘disable’ or ‘lock’ the OIDC.skipped page?
I would like to make our wiki more secure and for that we would need to make that page unavailable.
Is that possible?
Thanks,
There is no option to disable that right now. Of course, you could remove that parameter from all requests in an HTTP proxy in front of XWiki, but that sounds a bit extreme.
It’s not clear to me what security threat it’s causing. If you skip OIDC, you are stuck with a login screen for which you don’t have any credential (I assume you don’t have any standard XWiki user, given what you are trying to set up).
I just figured out that I can just disable the administrative user I have and that would be good enough.
Thanks!
You could be in a very bad situation, if local login isn’t possible at all. Imagine you make an error removing all admins from access. Local superadmin then will be your only way in to fix it.
Of course you disable superadmin in xwiki.cfg by default.
Yes, of course. I still have access to the VM instance, so we can recover in case something goes haywire; we wanted to reduce the attack surface.