We use the OpenID authenticator to log in from our local provider and would now like to use the groups from the provider to set access controls in XWiki.
For each OID group, am I right that we have to map the group to a named XWiki group?
#-# The default is:
# oidc.groups.claim=xwiki_groups
#-# Receiving a groups list is enough to enable group synchronization but you might need to configure XWiki groups names different from the remote groups names.
#-# It's also required to indicate what's the field containing the list of groups (that's not an OpenID Connect standard) using oidc.groups.claim property.
#-#
# oidc.groups.mapping=MyXWikiGroup=my-oidc-group
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
Mapping many groups like this would be difficult to maintain, especially as groups are being created and deleted all the time. Is it possible to set the access control against the OID group directly?
Does anyone have experience handling hundreds of groups with the OpenID authenticator?
As indicated in the documentation you pasted, mapping is optional: if you don’t provide one, each group received in the configured OIDC claim will be created with the same name on the XWiki side.
It seems that if even one group mapping is defined via oidc.groups.mapping, all groups for which no mapping is defined are omitted (i.e. not provisioned in XWiki).
It would be really great to be able to map just one group (e.g., the XWiki group XWikiAdminGroup to the Keycloak group admin) but provide all other groups as they are.
With the current solution, I have to:

1. disable group mapping in xwiki.preferences (XWikiAdminGroup=admin)
2. restart the container
3. log in as a Keycloak admin group member, have no admin rights; the admin group is created in XWiki
4. log out again
5. enable group mapping in xwiki.preferences (XWikiAdminGroup=admin)
6. restart the container
7. log in again, have admin rights (because of the mapping)
8. grant the admin group the same rights as XWikiAdminGroup
9. log out again
10. disable group mapping in xwiki.preferences so that all groups are created for all Keycloak users
11. restart the container
12. enjoy admin rights even though “only” in the Keycloak admin group, which is replicated in XWiki without being a member of XWikiAdminGroup
Maybe I overlooked something, but I just don’t want to add a role XWikiAdminGroup to the Keycloak roles, since we use the same realm for different clients and want one admin role that provides admin rights in every client.
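To make the two behaviours discussed in this thread concrete (no mapping: remote groups are created 1:1; any mapping defined: unmapped remote groups are dropped), here is a small model of the group-sync rules as the posts above describe them. This is an added example, not code from the thread or from XWiki's OIDC authenticator; the `oidc.groups.claim` / `oidc.groups.mapping` keys are the real xwiki.properties keys, while the `parse_properties`, `sync_groups` and `groups_for` helpers, the sample userinfo document and the property fragments are constructed for illustration. The "unmapped groups are dropped" rule is the behaviour reported in the thread, not something this example verifies against XWiki itself.

```python
"""Model of the OIDC group-sync rules described in the thread (added example).

Rules reproduced here, as stated in the posts above:
  * the claim named by oidc.groups.claim carries the list of remote groups
    (default claim name: xwiki_groups);
  * with no oidc.groups.mapping, every remote group becomes an XWiki group
    of the same name;
  * once any mapping is defined, remote groups without a mapping are dropped
    (behaviour reported in the thread, assumed here, not verified against XWiki).
"""
from collections import defaultdict

# Constructed sample: a decoded userinfo/ID-token payload from a Keycloak realm
# whose group-membership mapper writes plain group names into a "groups" claim.
SAMPLE_USERINFO = {
    "sub": "alice",
    "groups": ["admin", "developers", "wiki-readers"],
}

# Constructed xwiki.properties fragments (comment lines kept in XWiki's own style).
PROPS_NO_MAPPING = """
#-# Only the claim name is configured; no oidc.groups.mapping lines.
oidc.groups.claim=groups
"""

PROPS_ADMIN_MAPPING = """
#-# One mapping only: XWikiAdminGroup is fed by the Keycloak "admin" group.
oidc.groups.claim=groups
oidc.groups.mapping=XWikiAdminGroup=admin
"""

PROPS_DOCS_EXAMPLE = """
#-# The shipped documentation example: MyXWikiGroup2 is fed by two remote groups.
oidc.groups.claim=groups
oidc.groups.mapping=MyXWikiGroup=my-oidc-group
oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
"""


def parse_properties(text):
    """Extract oidc.groups.claim and the oidc.groups.mapping pairs.

    Returns (claim_name, mapping) where mapping is {remote_group: {xwiki_groups}}.
    oidc.groups.mapping may be repeated, one XWiki-group=remote-group pair per
    line, so several lines may feed the same XWiki group.  Lines starting with
    '#' (including XWiki's '#-#' documentation lines) are ignored.
    """
    claim = "xwiki_groups"  # default named in the shipped comment block
    mapping = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "oidc.groups.claim":
            claim = value
        elif key == "oidc.groups.mapping":
            xwiki_group, _, remote_group = value.partition("=")
            if xwiki_group and remote_group:
                mapping[remote_group.strip()].add(xwiki_group.strip())
    return claim, dict(mapping)


def sync_groups(claims, claim_name, mapping):
    """Return the set of XWiki groups a user with these claims is placed in."""
    remote = claims.get(claim_name, [])
    if not isinstance(remote, list):
        raise ValueError(f"claim {claim_name!r} must be a list of group names")
    if not mapping:
        # No mapping configured: every remote group is provisioned as-is.
        return set(remote)
    # Mapping configured: only mapped remote groups contribute; the rest vanish,
    # and the remote group's own name is never created (e.g. no "admin" group).
    provisioned = set()
    for group in remote:
        provisioned |= mapping.get(group, set())
    return provisioned


def groups_for(properties_text, claims):
    """Convenience wrapper: xwiki.properties fragment + claims -> XWiki groups."""
    claim, mapping = parse_properties(properties_text)
    return sync_groups(claims, claim, mapping)


if __name__ == "__main__":
    for label, props in [("no mapping", PROPS_NO_MAPPING),
                         ("admin mapping", PROPS_ADMIN_MAPPING)]:
        print(f"{label}: {sorted(groups_for(props, SAMPLE_USERINFO))}")
```

Running the model against the sample userinfo shows the trade-off the thread complains about: with no mapping, alice lands in `admin`, `developers` and `wiki-readers`; with the single `XWikiAdminGroup=admin` mapping she lands only in `XWikiAdminGroup`, and the other two groups (and an `admin` group itself) are never provisioned. One practical check worth adding to any real-world run: Keycloak's group-membership mapper can emit full group paths (`/admin`) rather than bare names, in which case a mapping written as `admin` silently matches nothing.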