I’m currently trying to set up an xwiki instance with SSO over OpenID Connect (OIDC) using authentik as an identity provider. Unfortunately I have a lot of trouble with this.
My Setup:
- An xwiki instance running in a kubernetes cluster with the current docker image xwiki:lts-postgres-tomcat. It is reachable at wiki.company.com
- with persistent storage on an independent server (one), where the xwiki volumes are stored
- An authentik instance (version 2023.5.3) running on an independent server (two). It is reachable at sso.company.com
What I did so far:
- I’ve set up a “provider” (OAuth2/OpenID Provider) on authentik for the xwiki. As the callback url I used https://wiki.company.com/autenticator/callback
- I installed the OpenID Connect Authenticator Extension
- I read the thread: SSO integration with XWIKI using OIDC setup - #2 by jwielsch
- I followed the Authentication with Keycloak guide trying to adapt it to my needs.
- I configured xwiki.cfg and changed/added the following:

```
#-# The authentication management class.
# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
```
- I configured xwiki.properties and added the following:

```
#-------------------------------------------------------------------------------------
# oidc properties for OpenID Connect Authenticator Extension
#-------------------------------------------------------------------------------------
#oidc.defaultClientConfiguration=authentik
oidc.endpoint.authorization=https://sso.company.com/application/o/authorize/
oidc.endpoint.token=https://sso.company.com/application/o/token/
oidc.endpoint.userinfo=https://sso.company.com/application/o/userinfo/
oidc.scope=openid,profile,email,address
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
oidc.groups.claim=groups
# oidc.groups.mapping=MyXWikiGroup=my-oidc-group
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
# oidc.groups.allowed=
# oidc.groups.forbidden=
oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
# oidc.userinforefreshrate=600000
oidc.clientid=yGWBjt3rwfgxbasdasfasfkF0eoBHuTH6adfu8
oidc.secret=i2byrWMI8Vx1KT14elVNUXkWcRL2UsdfafdafGc6Ax___of_course_not_the_real_one_:)___efsdagfagAXd0ysgdfgUI7c4tHZksMsclUP
oidc.endpoint.token.auth_method=client_secret_basic
oidc.skipped=true
```
It currently seems that nothing happens or works at all.
Now I have multiple questions:
- How does xwiki know that xwiki.cfg / xwiki.properties has changed? I didn’t find out how to reread them or how to restart the xwiki.
- Is there any more documentation I haven’t found yet, which helps with my problem?
- What do I have to do (change) to make it work?
- What is the correct xwiki callback url for the authentik (currently I use https://wiki.company.com/autenticator/callback)?
I really appreciate your help. If I get it to work I would love to (help) improve the documentation for the OpenID Connect Authenticator Extension.
Edit:
- specified authentik configuration and changed link highlighting
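A small sanity checker for the oidc.* keys quoted in the post, added here as an example; it is not part of the post nor of the XWiki OIDC extension. It re-types the posted properties with placeholder credentials (constructed sample) and flags the settings worth re-checking when a login appears to do nothing: non-https or mixed-host endpoints, a missing client id or secret, a scope without openid, an unexpected token auth method, and the skip switch.

```python
from urllib.parse import urlparse

# Constructed copy of the oidc.* keys from the post, with placeholder credentials.
SAMPLE = """
oidc.endpoint.authorization=https://sso.company.com/application/o/authorize/
oidc.endpoint.token=https://sso.company.com/application/o/token/
oidc.endpoint.userinfo=https://sso.company.com/application/o/userinfo/
oidc.scope=openid,profile,email,address
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
oidc.groups.claim=groups
# oidc.groups.allowed=
oidc.clientid=PLACEHOLDER_CLIENT_ID
oidc.secret=PLACEHOLDER_CLIENT_SECRET
oidc.endpoint.token.auth_method=client_secret_basic
oidc.skipped=true
"""

def parse_properties(text):
    """Minimal .properties reader: skip blanks and comments, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_oidc_config(props):
    """Return a list of findings; an empty list means the basic checks pass."""
    findings = []
    # Only the endpoint keys whose value is a URL (not .method / .auth_method).
    urls = {k: urlparse(v) for k, v in props.items()
            if k.startswith("oidc.endpoint.") and v.startswith("http")}
    for key, u in urls.items():
        if u.scheme != "https":  # authorization codes and tokens travel over this channel
            findings.append(f"{key}: not https")
    if len({u.netloc for u in urls.values()}) > 1:
        findings.append("endpoints do not share one host: mixed provider?")
    for key in ("oidc.endpoint.authorization", "oidc.endpoint.token",
                "oidc.clientid", "oidc.secret"):
        if not props.get(key):
            findings.append(f"{key}: missing or empty")
    if "openid" not in [s.strip() for s in props.get("oidc.scope", "").split(",")]:
        findings.append("oidc.scope: 'openid' scope missing, no ID token will be issued")
    method = props.get("oidc.endpoint.token.auth_method", "client_secret_basic")
    if method not in ("client_secret_basic", "client_secret_post"):
        findings.append("oidc.endpoint.token.auth_method: not a client_secret_* method")
    if props.get("oidc.skipped", "false").lower() == "true":
        findings.append("oidc.skipped=true: skip switch is set, confirm this is intended")
    return findings
```

Run `check_oidc_config(parse_properties(open("xwiki.properties").read()))` against the real file to get the same findings for a live configuration.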