Issue with Mapping Roles to Groups in XWiki using "OpenID Authentication with Keycloak"

Hello,

I have encountered an issue while attempting to link roles from Keycloak to groups in XWiki using the “OpenID Authentication with Keycloak” extension. The authentication confirmation is working successfully. However, despite my efforts, I have been unable to establish a connection between roles in Keycloak and groups in XWiki.

In Keycloak, I have created the following groups: “bmnwikireader” and “bmnwikiwriter”. I would like these groups to automatically correspond to the groups in XWiki with the same names.

I have reviewed the settings of the “OpenID Authentication with Keycloak” extension in XWiki, specifically the parameters:

#oidc.groups.claim=groups
#oidc.groups.mapping=bmnwikireader=bmnwikireader
#oidc.groups.mapping=bmnwikiwriter=bmnwikiwriter

My example token:

"groups": ["bmnwikireader", "bmnwikiwriter"],
"scope": "openid email profile",
"email_verified": false

However, despite the provided settings, the groups from Keycloak are not being linked to the groups in XWiki.

Could you please advise me on how to successfully configure this integration? I would greatly appreciate detailed explanations of the steps or corrections to the settings in order to achieve the desired result.

Best regards, Alex

If you really have # in front of each of those lines, then it’s just comments and they indeed don’t have any effect.

I have the same problem (Keycloak roles are not provisioned in XWiki), and do not have the line commented out:

I’m using oidc.groups.claim=realm_access.roles.

The token provided by Keycloak looks like this (xwiki_groups is a mapper which acts as a working backup with oidc.userinfoclaims):

{
  "exp": XXX,
  "iat": XXX,
  "jti": "XXX",
  "iss": "https://keycloak.XXX.XX/auth/realms/XXX",
  "aud": "account",
  "sub": "xxx",
  "typ": "Bearer",
  "azp": "xwiki.XXX",
  "session_state": "XXX",
  "acr": "1",
  "allowed-origins": [
    "https://xwiki.XXX"
  ],
  "realm_access": {
    "roles": [
      "role_1",
      "role_2",
      "admin"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "XXX",
  "email_verified": true,
  "address": {},
  "name": "XXX",
  "preferred_username": "XXX",
  "given_name": "XXX",
  "xwiki_groups": [
      "role_1",
      "role_2",
      "admin"
  ],
  "family_name": "XXX",
  "email": "XXX"
}

If I use oidc.userinfoclaims and add xwiki_groups as a value, everything works as expected. However, a mapper must be created in the Keycloak client e.g., as follows (and thanks to Jonashint):

  1. Name: xwiki_groups (doesn’t matter)
  2. Mapper Type: User Realm Role
  3. Multivalued: ON
  4. Token Claim Name: xwiki_groups (or however you named the value in the xwiki.preferences file)
  5. Claim JSON Type: String or keep Select
  6. Add to * selectors all set to ON
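To make the two points of this thread concrete (a `#`-prefixed property is a comment and does nothing, and a dotted claim name such as `realm_access.roles` has to be resolved inside a nested token payload), here is an added example that is not code from the XWiki OIDC extension itself. It parses a properties-style configuration the way a Java properties reader would (blank lines and `#` lines ignored), resolves the configured groups claim by dotted path in a constructed token payload modelled on the ones quoted above, and applies the mapping entries. The mapping syntax `<XWiki group>=<provider group>` and the pass-through behaviour when no mapping is configured are assumptions about the extension, not something the thread confirms; the function names are mine.

```python
from typing import Dict, List

# Constructed token payload modelled on the claims quoted in the thread.
# "XXX" values are placeholders, exactly as in the posted token.
TOKEN_PAYLOAD = {
    "realm_access": {"roles": ["role_1", "role_2", "admin"]},
    "groups": ["bmnwikireader", "bmnwikiwriter"],
    "scope": "openid profile email",
    "preferred_username": "XXX",
}

# Alex's configuration exactly as posted: every line starts with '#'.
COMMENTED_CONFIG = """\
#oidc.groups.claim=groups
#oidc.groups.mapping=bmnwikireader=bmnwikireader
#oidc.groups.mapping=bmnwikiwriter=bmnwikiwriter
"""

# The same keys with the comment markers removed.
# Assumed mapping syntax: <XWiki group>=<provider group>, one entry per line.
ACTIVE_CONFIG = """\
oidc.groups.claim=groups
oidc.groups.mapping=bmnwikireader=bmnwikireader
oidc.groups.mapping=bmnwikiwriter=bmnwikiwriter
"""


def parse_properties(text: str) -> Dict[str, List[str]]:
    """Parse key=value lines; blank lines and '#' comments are ignored.
    Repeated keys (the mapping entries) are collected into a list."""
    props: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out setting has no effect
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props.setdefault(key.strip(), []).append(value.strip())
    return props


def resolve_claim(payload: dict, path: str) -> List[str]:
    """Walk a dotted claim path such as 'realm_access.roles' and return
    the values as a list of strings; a missing path yields an empty list."""
    node = payload
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, str):
        return [node]
    if isinstance(node, list):
        return [str(v) for v in node]
    return []


def xwiki_groups_for(payload: dict, config_text: str) -> List[str]:
    """Return the XWiki groups a user would be placed in, given the token
    payload and the authenticator configuration (hypothetical helper)."""
    props = parse_properties(config_text)
    claim_paths = props.get("oidc.groups.claim")
    if not claim_paths:
        return []  # nothing configured, nothing provisioned
    provider_groups = resolve_claim(payload, claim_paths[0])

    # Build provider group -> [XWiki groups] from the mapping entries.
    mapping: Dict[str, List[str]] = {}
    for entry in props.get("oidc.groups.mapping", []):
        xwiki_group, sep, provider_group = entry.partition("=")
        if sep:
            mapping.setdefault(provider_group.strip(), []).append(xwiki_group.strip())

    # Assumed behaviour: with no mapping, provider groups pass through 1:1.
    if not mapping:
        return list(dict.fromkeys(provider_groups))

    result: List[str] = []
    for pg in provider_groups:
        for xg in mapping.get(pg, []):
            if xg not in result:
                result.append(xg)
    return result


if __name__ == "__main__":
    print("commented config:", xwiki_groups_for(TOKEN_PAYLOAD, COMMENTED_CONFIG))
    print("active config:   ", xwiki_groups_for(TOKEN_PAYLOAD, ACTIVE_CONFIG))
    print("nested claim:    ", xwiki_groups_for(TOKEN_PAYLOAD,
                                                "oidc.groups.claim=realm_access.roles\n"))
```

Two things worth checking when debugging a real setup with this model in mind: decode the token the authenticator actually receives (ID token or userinfo response, whichever the extension reads) and confirm the claim is present at the configured path, and prefer an explicit mapping over a pass-through, since a pass-through turns every realm role the identity provider emits into a group on the wiki side.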