OIDC Login not showing on login page

Hello,

I’m currently integrating XWiki into the Infinito.Nexus Enterprise Infrastructure Framework.

At the moment, the OIDC login does not work.
The plugin is installed and configured, but it does not appear on the login page.

How can I enable the display of the OIDC login button, or optimize debugging?

The instance is reachable here:
Infinito.Nexus

The Ansible role I use to install XWiki is available here:
infinito-nexus/roles/web-app-xwiki at master · kevinveenbirkenbach/infinito-nexus · GitHub

Deployed files

Dockerfile

FROM xwiki:lts-postgres-tomcat
# Append the superadmin settings to xwiki.cfg (heredoc in RUN needs BuildKit)
RUN cat >> /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg <<EOF
xwiki.superadmin=1
xwiki.superadminpassword=example
EOF

xwiki.properties

# Proxy
xwiki.url.protocol=https
xwiki.url.host=x.wiki.infinito.nexus
xwiki.url.port=443

############################################
# OIDC
# Render this block only while the OIDC switch is ON in _flush_config.yml.
# During bootstrap we keep it OFF to avoid ClassNotFoundException before the extension is installed.
# @see https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/
oidc.showLoginButton=true
oidc.provider=https://auth.infinito.nexus/realms/cymais.cloud
oidc.endpoint.authorization=https://auth.infinito.nexus/realms/cymais.cloud/protocol/openid-connect/auth
oidc.endpoint.token=https://auth.infinito.nexus/realms/cymais.cloud/protocol/openid-connect/token
oidc.endpoint.userinfo=https://auth.infinito.nexus/realms/cymais.cloud/protocol/openid-connect/userinfo
oidc.endpoint.logout=https://auth.infinito.nexus/realms/cymais.cloud/protocol/openid-connect/logout
oidc.clientid=cymais.cloud
oidc.secret=sdfsdfsdfsdfdsfd
oidc.scope=openid,email,profile,groups
oidc.enableUser=true
#oidc.userinfoclaims=groups
#oidc.groups.claim=groups
#oidc.groups.mapping=XWiki.XWikiAdminGroup=/roles/web-app-xwiki-administrator

# Start DW automatically and non-interactively
distribution.automaticStartOnMainWiki=true
distribution.automaticStartOnWiki=true
distribution.job.interactive=false
# Default flavor for main wiki
distribution.defaultUI=org.xwiki.platform:xwiki-platform-distribution-flavor-mainwiki
distribution.skip=false
distribution.wizard.enabled=true

# Root logger
logging.rootLogger=DEBUG, console

# XWiki OIDC extension
logging.logger.org.xwiki.contrib.oidc=TRACE
logging.logger.org.xwiki.contrib.oidc.internal=TRACE
logging.logger.org.xwiki.contrib.oidc.provider=TRACE

# OIDC extra (sometimes split in other packages)
logging.logger.org.xwiki.contrib.oidc.auth=TRACE
logging.logger.org.xwiki.contrib.oidc.client=TRACE

# Tomcat internals (servlet and HTTP handling)
logging.logger.org.apache.catalina.core=DEBUG
logging.logger.org.apache.coyote.http11=DEBUG

# Request/Resource handling
logging.logger.org.xwiki.resource=TRACE
logging.logger.org.xwiki.resource.internal=TRACE
logging.logger.org.xwiki.container.servlet=DEBUG

# Nimbus OIDC/OAuth + JOSE libraries
logging.logger.com.nimbusds=DEBUG
logging.logger.com.nimbusds.oauth2.sdk=DEBUG
logging.logger.com.nimbusds.openid.connect.sdk=DEBUG
logging.logger.com.nimbusds.jose=DEBUG

# Apache HttpClient (used under the hood by Nimbus)
logging.logger.org.apache.http=DEBUG
# very verbose, raw request/response wire logs
logging.logger.org.apache.http.wire=DEBUG

# Pac4j (if your build uses it)
logging.logger.org.pac4j=DEBUG

# Persist data in the Docker volume
environment.permanentDirectory=/usr/local/xwiki/data

# Make sure Extension Manager can fetch artifacts.
# IMPORTANT:
# - Java .properties does NOT support "+=" append. Only the LAST assignment wins.
# - Use a SINGLE line with comma-separated repositories.
# - The OIDC authenticator lives in xwiki-public. Without it, resolution fails.
extension.repositories=xwiki-public:maven:https://nexus.xwiki.org/nexus/content/groups/public/,central:maven:https://repo1.maven.org/maven2/

docker-compose.yml

services:
  application:
    build:
      context: .
      dockerfile: Dockerfile
    image: "xwiki_custom"
    container_name: "xwiki"
    hostname: 'x.wiki.infinito.nexus'
    ports:
      - "127.0.0.1:8054:8080"
    environment:
      JAVA_OPTS: >-
        -Dxwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
    volumes:
      - "/opt/docker/xwiki/config/xwiki.properties:/usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.properties"
      - 'data:/usr/local/xwiki'
    healthcheck:
      test:
        - "CMD"
        - "curl"
        - "-f"
        - "-H"
        - "Host: x.wiki.infinito.nexus"
        - "http://127.0.0.1:8080/"
      interval: 1m
      timeout: 10s
      retries: 3
    restart: unless-stopped
    env_file:
      - "/opt/docker/xwiki/.env/env"
    logging:
      driver: journald
    networks:
      postgres:
      default:
volumes:
  data:
    name: xwiki_data

networks:
  postgres:
    external: true
  default:
    name: xwiki
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.168.103.240/28

Any help or hints would be highly appreciated!

Thanks in advance,
Kevin

Hello Kevin,

It looks like you are missing this configuration from xwiki.cfg, see https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#HConfigurationfiles.

#-# The authentication management class.
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl

Hope it helps,
Alex
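
A check for the setting this reply points to, as an added example (not code from the thread or from the XWiki project): it parses xwiki.cfg text and reports whether `xwiki.authentication.authclass` is set to the OIDC class, and also flags an active `xwiki.superadminpassword` line, which enables the superadmin account. The function names, finding labels and sample file contents are constructed for illustration.

```python
"""Lint xwiki.cfg text for the settings discussed in this thread."""
OIDC_AUTHCLASS = "org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl"


def parse_properties(text):
    """Simplified Java-properties parse: '=' separator, no line continuations.

    Returns (props, overridden): the last assignment of a key wins, and
    'overridden' lists keys that were assigned more than once.
    """
    props, overridden = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or comment line (covers the "#-#" doc lines)
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key in props and key not in overridden:
            overridden.append(key)
        props[key] = value.strip()
    return props, overridden


def lint(text):
    """Return sorted finding strings; an empty list means nothing was flagged."""
    props, overridden = parse_properties(text)
    findings = [f"overridden:{k}" for k in overridden]
    authclass = props.get("xwiki.authentication.authclass")
    if authclass is None:
        findings.append("authclass-missing")
    elif authclass != OIDC_AUTHCLASS:
        findings.append("authclass-not-oidc")
    if "xwiki.superadminpassword" in props:
        findings.append("superadmin-enabled")
    # .properties has no inline comments: " # note" becomes part of the value.
    findings += [f"inline-comment:{k}" for k, v in props.items() if " #" in v]
    return sorted(findings)


# Constructed sample: the two lines the posted Dockerfile appends to xwiki.cfg.
AS_POSTED = "xwiki.superadmin=1\nxwiki.superadminpassword=example\n"
# Constructed sample: a file carrying only the line quoted in the reply.
AS_SUGGESTED = (
    "#-# The authentication management class.\n"
    f"xwiki.authentication.authclass={OIDC_AUTHCLASS}\n"
)

if __name__ == "__main__":
    print("as posted:   ", lint(AS_POSTED))
    print("as suggested:", lint(AS_SUGGESTED))
```
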

Actually, it is possible now to choose the authenticator from http://127.0.0.1:8080/xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Authentication for the version you are using. I would check that the OpenID Connect Authenticator is selected.

There is no such concept right now in https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/. When you enable the OIDC authenticator, you don’t have the standard login page anymore and are directly redirected to the provider (but you can force skipping it).

This option does not exist in the standard OIDC extension.

But maybe you are using some custom extension.

Hi, I get an error in the browser on login:

https://login.microsoftonline.com//oauth2/v2.0/authorize?claims={"id_token":{"xwiki_instance_id":null},"userinfo":{"xwiki_user_accessibility":null,"xwiki_user_displayHiddenDocuments":null,"xwiki_user_editor":null,"xwiki_user_usertype":null,"xwiki_user_company":null}}&response_type=code&redirect_uri=https://wiki.xxx.com/oidc/authenticator/callback&state=WoQhW3Rszf6kCVJr5vsf1leogasObm7qq28tILSmoZw&client_id=aaaa-50a2-4bfc-a1d8-f9344bbbbb&scope=openid profile email address sent back an error.

client_id is correct. But tenant_id is always empty - it doesn’t read it.

I use OpenID Connect Authenticator 2.19.4 by: Thomas Mortagne

If I go to Admin - User - Authentication I see:

Current Authentication service

org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl

Warning

The current authentication service cannot be modified because it’s controlled by the xwiki.cfg configuration file.

as I already edited xwiki.cfg

On Admin - Other - Entra ID I filled out all the required fields. Tenant id is also correct.

I don’t get where it reads tenant id from.

Please help.

It’s a pain to configure it.
On my login page I see a correct client_id. If I remove it from Admin - Other - Entra ID - Client ID, it shows incorrect client_id on login page. But for some reason, tenant id is always empty, even though I set it on Admin - Other - Entra id. On the login page it’s always empty:

This login.microsoftonline.com page can’t be found

No webpage was found for the web address: https://login.microsoftonline.com//oauth2/v2.0/authorize?claims={"id_token"%3A{"xwiki_instance_id"%3Anull}%2C"userinfo"%3A{"xwiki_user_accessibility"%3Anull%2C"xwiki_user_displayHiddenD