Hello,
I am trying to use the OpenID Connect Authenticator extension on my wiki. It seems that this extension allows wiki users to select an OIDC provider via a URL query parameter.
For example:
https://mywikidomain/bin/login/XWiki/XWikiLogin?oidc.provider=https://providerdomain
Is there a way to restrict the providers that users can choose? If users can freely select a provider, they may create multiple accounts, making user management difficult. It would be better to ignore the query parameter value and only apply the values set in the XWiki object or xwiki.properties.
This is supposed to be the case, unless you have a very old version of the authenticator.
The version of the extension I am using is 2.13.4. I have reviewed the extension’s code, and based on my understanding, the getProperty method in the OIDCClientConfiguration class retrieves configuration values in the following order of priority:
- Session
- Wiki configuration
- xwiki.properties configuration
However, in the authenticate(String, XwikiContext) method of the OIDCAuthServiceImpl class, the maybeStoreRequestParameterInSession method is executed, which seems to store the oidc.provider value from the user’s query parameter into the session. Because of this, the query parameter value appears to override the other configuration values.
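The precedence order and the session-storing step described in this post, modelled as an added Python example (this is not the extension's own code; the function names `resolve_property`, `store_request_parameter_unrestricted`, `store_request_parameter_restricted`, `provider_for_login` and the example URLs are constructed). It contrasts copying the `oidc.provider` request parameter into the session unconditionally, which lets the parameter override the wiki object and `xwiki.properties`, with copying it only when it matches an administrator-defined allow-list; an empty allow-list ignores the parameter entirely, which is the behaviour asked for above. Provider URLs are canonicalised before comparison so trivial variants (upper-case host, trailing slash) do not slip past the allow-list.

```python
"""Model of OIDC provider lookup precedence: session, then wiki configuration
object, then xwiki.properties. Constructed example, not the extension's code."""

from typing import Iterable, Mapping, MutableMapping, Optional
from urllib.parse import urlsplit, urlunsplit

PROVIDER_KEY = "oidc.provider"


def _canonical(url: str) -> str:
    """Lower-case scheme and host, drop a trailing slash, so allow-list
    comparisons are not defeated by cosmetic variants of the same URL."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(),
                       p.path.rstrip("/"), p.query, p.fragment))


def resolve_property(key: str, session: Mapping[str, str],
                     wiki_config: Mapping[str, str],
                     properties: Mapping[str, str]) -> Optional[str]:
    """First non-empty value wins, in the order the report describes."""
    for layer in (session, wiki_config, properties):
        value = layer.get(key)
        if value:
            return value
    return None


def store_request_parameter_unrestricted(request_params: Mapping[str, str],
                                         session: MutableMapping[str, str]) -> bool:
    """Behaviour the report describes: whatever the request carries is copied
    into the session, so it takes precedence over administrator settings."""
    value = request_params.get(PROVIDER_KEY)
    if not value:
        return False
    session[PROVIDER_KEY] = value
    return True


def store_request_parameter_restricted(request_params: Mapping[str, str],
                                       session: MutableMapping[str, str],
                                       allowed_providers: Iterable[str]) -> bool:
    """Hardened variant: the request value is stored only if its canonical form
    is on the allow-list. An empty allow-list means the parameter is ignored."""
    value = request_params.get(PROVIDER_KEY)
    if not value:
        return False
    allowed = {_canonical(u) for u in allowed_providers}
    candidate = _canonical(value)
    if candidate not in allowed:
        return False  # not an administrator-approved provider: leave the session alone
    session[PROVIDER_KEY] = candidate
    return True


def provider_for_login(request_params: Mapping[str, str],
                       session: MutableMapping[str, str],
                       wiki_config: Mapping[str, str],
                       properties: Mapping[str, str],
                       allowed_providers: Iterable[str] = ()) -> Optional[str]:
    """Login path using the restricted store, then the normal precedence lookup."""
    store_request_parameter_restricted(request_params, session, allowed_providers)
    return resolve_property(PROVIDER_KEY, session, wiki_config, properties)


def demo():
    """Constructed configuration: an approved provider in the wiki object, a
    fallback in xwiki.properties, and a request naming an unlisted provider."""
    wiki_config = {PROVIDER_KEY: "https://idp.example.org"}
    properties = {PROVIDER_KEY: "https://fallback.example.org"}
    untrusted_params = {PROVIDER_KEY: "https://unlisted.example.net"}

    unrestricted_session: dict = {}
    store_request_parameter_unrestricted(untrusted_params, unrestricted_session)
    unrestricted = resolve_property(PROVIDER_KEY, unrestricted_session,
                                    wiki_config, properties)

    restricted_session: dict = {}
    restricted = provider_for_login(untrusted_params, restricted_session,
                                    wiki_config, properties,
                                    allowed_providers=["https://idp.example.org"])
    return unrestricted, restricted


if __name__ == "__main__":
    print(demo())
```

With the unrestricted store the request value wins; with the allow-list the unlisted value never reaches the session and the wiki object's provider is used.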
This is strange, indeed. Thanks for the report, I will check that ASAP.
Should be much better in the new 2.13.6.