OpenID userinfo? Missing e.g. first and last name

Help / Discuss
1

I successfully deployed a dex authentication provider which XWiki connects to via OpenID. However, only the email and the user ID are taken over by XWiki. Is there any way to log the JSON response from the OpenID provider in XWiki to allow me to debug what’s going on?

I have the following in xwiki.properties

oidc.provider=https://theprovider.foo
oidc.clientid=the-client-id
oidc.secret=some-secret-42
oidc.scope=openid,profile,email
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}
oidc.endpoint.userinfo.method=GET
oidc.skipped=false

I though that having openid in the oidc.scope is enough to retrieve the userinfo but apparently it does not work. This is how a user profile looks like after authenticating:

Screenshot 2025-03-11 at 10.05.01
Screenshot 2025-03-11 at 10.05.01978×1362 78.2 KB

My guess is that either a scope is wrongly set or the field names are different and I need to set up some oidc.user.mapping=... in the xwiki.properties configuration, but I am only guessing.

I really need to see the JSON that arrives at XWiki…

The annoying thing is that I have to enable superadmin each time, bypass OpenID by setting oidc.skip=true, restart the whole container and wait 5 minutes or so until everything is up. Delete the user in XWiki, then re-enable OpenID, waiting 5 minutes and try again with the OpenID login. So each change and guess takes like 15min to validate. It’s so tedious :see_no_evil:

2

profile is supposed to be the one, so on that side, it looks OK.

You should get it if you enable debug log.

3

I already put <logger name="org.xwiki.contrib.oidc" level="trace"/> in WEB-INF/classes/logback.xm but I don’t see that JSON unfortunately :confused:

4

Well, there is a The OIDC user info is: {} debug log in theory. Are you sure you do have any debug log ?

5

OK thanks, that’s a start, I’ll try to grep that!

6

The <logger name="org.xwiki.contrib.oidc" level="trace"/> setting is instantaneous isn’t it? I am running XWiki in a Docker Swarm and the WEB-INF stuff gets reset on each restart.

7

It’s enough, if that’s what you mean, yes. I assume you restarted several times already after setting that. You might want to double check in the logging admin view if this name indeed is associated to TRACE level.

Any authentication is supposed to produce quite a lot of debug log.

8

OK I will, thanks. I need to skip OpenID now again, delete the user with superadmin and then I try again with enabled logging.

If I understood correctly, the OIDC user info is only requested upon user creation, or should it appear on each login?

9

I have set this:

But I don’t see any log related to OpenID/oidc. This is the full log when I log in with the Dex provider:

wiki_web  | 2025-03-11 09:26:43,875 [http-nio-8080-exec-7  - http://wiki/bin/login/XWiki/XWikiLogin?xredirect=%2Fbin%2Fview%2FMain%2F&loginLink=1&srid=tez5SjNW] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:43,958 [http-nio-8080-exec-1  - http://wiki/bin/view/Main/] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,864 [http-nio-8080-exec-6  - http://wiki/bin/jsx/XWiki/Notifications/Code/Macro/NotificationsMacro?language=en&docVersion=1.1] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,864 [http-nio-8080-exec-3  - http://wiki/bin/ssx/XWiki/Mentions/MentionsMacro?language=en&docVersion=1.1] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,971 [http-nio-8080-exec-5  - http://wiki/asyncrenderer/uix/xwiki%253AHelp.TipsPanel.WebHome/author/xwiki%253AXWiki.tamasgal/locale/en/secureDocument/xwiki%253AHelp.TipsPanel.WebHome/8?clientId=8&timeout=500&wiki=xwiki] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,976 [http-nio-8080-exec-7  - http://wiki/asyncrenderer/uix/org.xwiki.platform.wiki.ui.common.contentFooter.authors/author/xwiki%253AXWiki.tamasgal/doc.reference/xwiki%253AMain.WebHome%2528%2529/locale/en/secureDocument/xwiki%253AXWiki.PageAuthorsUIX/user/xwiki%253AXWiki.tamasgal/wiki/xwiki?clientId=6&timeout=500&wiki=xwiki] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,976 [http-nio-8080-exec-10 - http://wiki/asyncrenderer/uix/xwiki%253APanels.Applications/author/xwiki%253AXWiki.tamasgal/icon.theme/Font%2BAwesome/locale/en/request.wiki/xwiki/secureDocument/xwiki%253APanels.Applications/user/xwiki%253AXWiki.tamasgal/wiki/xwiki?clientId=7&timeout=500&wiki=xwiki] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,981 [http-nio-8080-exec-2  - http://wiki/asyncrenderer/uix/xwiki%253APanels.MyRecentModifications/author/xwiki%253AXWiki.tamasgal/locale/en/request.wiki/xwiki/secureDocument/xwiki%253APanels.MyRecentModifications/user/xwiki%253AXWiki.tamasgal/wiki/xwiki?clientId=9&timeout=500&wiki=xwiki] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:45,982 [http-nio-8080-exec-1  - http://wiki/asyncrenderer/uix/xwiki%253AHelp.SupportPanel.WebHome/author/xwiki%253AXWiki.tamasgal/locale/en/secureDocument/xwiki%253AHelp.SupportPanel.WebHome?clientId=10&timeout=500&wiki=xwiki] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,057 [http-nio-8080-exec-9  - http://wiki/bin/get/Main/WebHome?] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,062 [http-nio-8080-exec-4  - http://wiki/bin/get/Main/WebHome?] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,062 [http-nio-8080-exec-8  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=attachment.validation.filesize.&key=errorMessage] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,062 [http-nio-8080-exec-3  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=attachment.validation.mimetype.&key=errorMessage&key=allowedMimetypes&key=blockerMimetypes] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,062 [http-nio-8080-exec-5  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=web.uicomponents.suggest.&key=selectTypedText] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,458 [http-nio-8080-exec-7  - http://wiki/bin/get/XWiki/SearchSuggestCode] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,466 [http-nio-8080-exec-10 - http://wiki/rest/notifications/count?media=json&userId=xwiki%3AXWiki.tamasgal&useUserPreferences=true&currentWiki=xwiki&async=true&_=1741685205904] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,468 [http-nio-8080-exec-2  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=&key=core.export.pdf.options.title&key=export.pdf.options.template&key=export.pdf.options.template.hint&key=export.pdf.options.loadFailure&key=export.pdf.generator.checking&key=export.pdf.generator.unavailable&key=export.pdf.generator.checkFailed&key=export.pdf.modal.close&key=export.pdf.inProgress&key=export.pdf.failed&key=export.pdf.lastError&key=export.pdf.canceling&key=export.pdf.canceled&key=export.pdf.cancelFailed&key=export.pdf.loading&key=export.pdf.pageReadyTimeout&key=cancel] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,468 [http-nio-8080-exec-1  - http://wiki/bin/get/Main/WebHome?xpage=xpart&vm=commentsinline.vm] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,468 [http-nio-8080-exec-8  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=like.button.title.&key=unlike&key=like] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,470 [http-nio-8080-exec-3  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=core.viewers.attachments.&key=date&key=author] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,556 [http-nio-8080-exec-10 - http://wiki/rest/notifications/count?media=json&userId=xwiki%3AXWiki.tamasgal&useUserPreferences=true&currentWiki=xwiki&async=true&_=1741685205904] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,659 [http-nio-8080-exec-6  - http://wiki/bin/get/Main/?xpage=editactions] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:46,755 [http-nio-8080-exec-2  - http://wiki/rest/wikis/xwiki/localization/translations?locale=en&prefix=&key=core.widgets.suggest.noResults&key=core.widgets.suggest.showResults&key=platform.search.suggestResultLocatedIn] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:47,612 [http-nio-8080-exec-3  - http://wiki/rest/notifications/count?media=json&userId=xwiki%3AXWiki.tamasgal&useUserPreferences=true&currentWiki=xwiki&async=true&asyncId=1&_=1741685205905] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
wiki_web  | 2025-03-11 09:26:47,621 [http-nio-8080-exec-3  - http://wiki/rest/notifications/count?media=json&userId=xwiki%3AXWiki.tamasgal&useUserPreferences=true&currentWiki=xwiki&async=true&asyncId=1&_=1741685205905] WARN  nticationFailureLoggerListener - Authentication failure with login [admin]
10

After fiddling around, this is all I can squeeze out (grepping for org.xwiki.contrib). Nothing with user info unfortunately.

wiki_web    | 	at org.xwiki.contrib.oidc.auth.internal.session.ClientHttpSessionListener.onEvent(ClientHttpSessionListener.java:62)
wiki_web    | 	at org.xwiki.contrib.oidc.auth.internal.session.ClientHttpSessions.logout(ClientHttpSessions.java:136)
wiki_web    | 	at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.logout(OIDCUserManager.java:906)
wiki_web    | 	at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuthOIDC(OIDCAuthServiceImpl.java:123)
wiki_web    | 	at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuth(OIDCAuthServiceImpl.java:92)
wiki_web    | 2025-03-11 09:32:47,524 [http-nio-8080-exec-3 - http://wiki/bin/logout/XWiki/XWikiLogout?xredirect=%2Fbin%2Fview%2FXWiki%2Ftamasgal] ERROR .o.i.DefaultObservationManager - Failed to send event [org.xwiki.container.servlet.events.SessionDestroyedEvent@59e3f2aa] to listener [org.xwiki.contrib.oidc.auth.internal.session.ClientHttpSessionListener@5363d5ca]
wiki_web    | 	at org.xwiki.contrib.oidc.auth.internal.session.ClientHttpSessionListener.onEvent(ClientHttpSessionListener.java:62)

EDIT: I just created a completely new user with a completely different GitHub account. No user info JSON was printed in the logs, only lines like above.

11

I hope I am doing it correctly. Just for the sake of completeness, this is where I added the oidc logger:

...
...
  <!-- Deactive PDF Export CSS Applier warnings -->
  <logger name="org.apache.fop.layoutmgr.inline.ContentLayoutManager" level="error"/>
  <logger name="info.informatica.doc.style.css.dom" level="error"/>

  <!-- Deactivate JGroups warnings -->
  <logger name="org.jgroups" level="error"/>

  <logger name="org.xwiki.contrib.oidc" level="trace"/>

  <!-- By default everything that is of severity WARN, ERROR or FATAL is logged to the console.
       Since the console output is captured and redirected by the servlet container in most cases,
       the logs will end up the container's logs, for example in catalina.out in Tomcat.
  -->
  <root level="warn">
    <appender-ref ref="stdout"/>
  </root>
</configuration>
12

Looks OK. It really feels like the logback.xml file you are modifying is not the one that actually end up being loaded. Not really an expert in the docker way of deploying XWiki, so I’m not sure where it’s supposed to be modified or if there is a known problem with it.

In any case, you should check the logging admin for the level of org.xwiki.contrib.oidc. If it’s not TRACE, you can switch it in the UI (you have to do it after each restart, but at least you are sure it works).

1 Like
13

OK got it!

The OIDC user info is:

{
   "at_hash":"88Ak...SQ",
   "sub":"Cgcx...dWI",
   "aud":"the-wiki",
   "email_verified":true,
   "iss":"https:\/\/auth\/dex",
   "name":"Tamas Gal",
   "preferred_username":"tamasgal",
   "exp":17...67,
   "iat":174...67,
   "email":"the@mail"
}

So apparently there is only name and no first_name and last_name or whatever.

Given that the name field is also mentioned in the docs (https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/) I am wondering why XWiki does not pick it up automatically?

Is there any possibility to split this up using the oidc.mapping thing? :laughing:

14

In standard OIDC, it’s supposed to be given_name and family_name.

Unfortunately, oidc.mapping is not that clever. But you could do that in a custom listener.

15

OK I think I will give up at this point :laughing: Thanks anyways!

16

One simple possibility might be to map the XWiki first_name with the OIDC name. It’s not ideal in terms of user profile, but at least the user display name should look pretty much as expected elsewhere.

1 Like