This is for an Xwiki being used in a small company to exchange documents and other information.
I would like to use Xwiki with Google OAuth so that users log in with their Google account, but are still able to change anything in their Xwiki profile.
I’m using OpenID Connect Authenticator with these lines in xwiki.properties.
This returns the issuer and unique ID claims, but none of the user information which is then left to the user to edit as they please. The only exception is the profile pic, which is still being overwritten on the next login.
Is there any way to change that?
Also, since we’re not accepting users from outside the company, we need to disable user registration:
oidc.enableUser=false
But this still creates a user, and then immediately disables it. We would like to deny user registration all together.
That would suggest that Google is sending the picture even if the profile scope is not enabled. Right now, the OIDC authenticator is not really taking into account oidc.scope when reading the userinfo and just assumes the provider is sending back what it was told.
Right now, all the authenticator has to cover this is the concept of allowed groups (the authentication fails if the user does not belong to one of the allowed groups).
Yeah, it seems there is some extra information being sent; not sure why that would be. I’ve seen some other posts about it elsewhere as well.
Google doesn’t have claims based on any group membership so I won’t be able to use that to deny access, but disabling users will work just fine, we’re a tiny operation.
I don’t really have the time to work on that right now, but if you feel like trying a pull request, I guess the cleanest might be to modify OIDCUserManager#updateUser a bit to also take into account the configured scopes.
If you can think of another criterion that could be checked in the userinfo, I guess it should not be too hard to add something similar to the allowed groups check but a little more generic (“does the value of that claim contain the following value”).
This is more of a curiosity than a priority at this stage; we can just use the same profile picture for Xwiki as the Google account for now, the rest is still customizable by the users. To modify the code I would have to get ChatGPT to help me, not really feeling up to it.
I looked at the standard claims offered but couldn’t find any. Maybe it would be possible to just use something like this:
The list would be less than 10 addresses, so it would work at this stage. I assume it would be easy enough to simply deny access for users not already registered, but disabling works too since we won’t have a lot of traffic and random people trying to log in.
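As an added illustration of the two behaviours discussed above (copying only the claims the configured scopes entitle the client to, and a generic "claim contains one of these values" allowlist that also covers the small email list suggested in the previous post), here is standalone Python. It is not the XWiki OIDC authenticator's code; only `oidc.scope` is a real key from the thread, and `oidc.user.allowedClaim`, `oidc.user.allowedClaimValues` and `oidc.user.requireVerifiedEmail` are hypothetical names chosen for the example. The userinfo response is constructed to mirror the symptom reported above: Google returning `picture` although only `openid email` was requested.

```python
"""Scope-aware userinfo filtering and a generic claim allowlist for OIDC login.

Added example, not the XWiki OIDC authenticator's implementation. Config keys
other than oidc.scope are hypothetical.
"""
from typing import Any, Dict, Iterable, Tuple

# Standard claims each scope entitles the client to (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS: Dict[str, set] = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
ALL_STANDARD_CLAIMS = set().union(*SCOPE_CLAIMS.values())


def filter_userinfo_by_scope(userinfo: Dict[str, Any], scopes: Iterable[str]) -> Dict[str, Any]:
    """Drop standard claims whose scope was not requested.

    Non-standard claims (e.g. a provider-specific "groups" claim) are not tied
    to a scope, so they pass through unchanged; only unrequested standard
    claims such as "picture" are discarded instead of being trusted blindly.
    """
    entitled = set()
    for scope in scopes:
        entitled |= SCOPE_CLAIMS.get(scope, set())
    return {k: v for k, v in userinfo.items()
            if k not in ALL_STANDARD_CLAIMS or k in entitled}


def claim_allows(userinfo: Dict[str, Any], claim: str, allowed_values: Iterable[str]) -> bool:
    """Generic check: does the claim's value contain one of the allowed values?

    A list-valued claim (groups) matches if any element is allowed; a scalar
    claim (email) matches on equality. Comparison is case-insensitive, which
    matters for email addresses. A missing claim never matches (fail closed).
    """
    value = userinfo.get(claim)
    if value is None:
        return False
    wanted = {str(v).casefold() for v in allowed_values}
    if isinstance(value, (list, tuple, set)):
        present = {str(v).casefold() for v in value}
    else:
        present = {str(value).casefold()}
    return bool(present & wanted)


def decide_login(userinfo: Dict[str, Any], config: Dict[str, str]) -> Tuple[bool, str, Dict[str, Any]]:
    """Return (allowed, reason, profile_claims) for one login attempt.

    The allowlist is evaluated before any user would be created, so a denied
    login never leaves a disabled account behind. Only scope-entitled claims
    are returned for the profile update.
    """
    scopes = config.get("oidc.scope", "openid").split()
    profile = filter_userinfo_by_scope(userinfo, scopes)
    claim = config.get("oidc.user.allowedClaim")
    if claim:
        allowed = [v.strip() for v in config.get("oidc.user.allowedClaimValues", "").split(",") if v.strip()]
        if not claim_allows(userinfo, claim, allowed):
            return False, f"claim '{claim}' does not match the allowlist; login refused", {}
        # Allowlisting by email is only as strong as the provider's verification of it.
        if claim == "email" and config.get("oidc.user.requireVerifiedEmail", "true") == "true" \
                and userinfo.get("email_verified") is not True:
            return False, "email claim is not verified by the provider; login refused", {}
    return True, "ok", profile


# Constructed sample: a Google-style userinfo response that includes "picture"
# and "name" although only "openid email" was requested.
SAMPLE_USERINFO: Dict[str, Any] = {
    "sub": "110169484474386276334",
    "email": "alice@example.com",
    "email_verified": True,
    "picture": "https://lh3.googleusercontent.com/a/example",
    "name": "Alice Example",
}
SAMPLE_CONFIG: Dict[str, str] = {
    "oidc.scope": "openid email",
    "oidc.user.allowedClaim": "email",
    "oidc.user.allowedClaimValues": "alice@example.com, bob@example.com",
}

if __name__ == "__main__":
    print(decide_login(SAMPLE_USERINFO, SAMPLE_CONFIG))
    print(decide_login(dict(SAMPLE_USERINFO, email="mallory@example.net"), SAMPLE_CONFIG))
```

With the sample input, the login is accepted, but the returned profile contains only `sub`, `email` and `email_verified`, so the profile picture would no longer be overwritten; an address outside the list is refused before any account is created. The same `claim_allows` function covers the existing allowed-groups idea by pointing `oidc.user.allowedClaim` at a list-valued claim such as `groups`.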
I raised the issues, but I’ve also since switched ID Provider to Entra ID, which does conform better to the scope setting, so the profile pic doesn’t get overwritten anymore.
Entra ID also lets me set up users in the tenant and only allow those access, which works great for a closed Wiki. You could achieve the same with google, but you’d have to purchase a Workspace license, while Entra ID lets you do it in the free tier.
And with that, both those issues I had before went away. It would still be nice to have those suggested features for later (conforming strictly to scope and denying unregistered users).
In any case, it’s really great to be able to use Xwiki with OpenID, nice work!