XWiki 10.8 with Keycloak as IdP

Hi,

I want to set up SSO with Keycloak as authentication server.
I tried to install the “OpenID Connect Authenticator” extension, but after that my XWiki (docker based setup) fails to restart and throws a lot of errors. I saw in the installer that the extension depends on “oldcore 8.4” and I’m wondering if this causes the errors…

Another option would be SAML, but I can’t see any extension for that that is not several years old.

How should I proceed?
Thanks for any help!

This is just the minimum version; it does not install it since you already have it in a more recent version.

throws a lot of errors

What kind of errors?

Ok, the message in the installer can be misleading to a newbie.

Never mind, somehow the problem was resolved when I tried again. I also did an update of the Docker image from 10.8 to 10.8.1. I still see some errors in the log on startup, but I guess these are unrelated.

Now I am stuck at a different point: I set up the oidc endpoints and the auth request seems to work fine, but XWiki sets the redirect_uri to https://domain.com:80/oidc/authenticator/callback. So after sending the login I get an error in the browser, because port 80 is accessed in SSL context.

Could this be related to my setup? I’m running the XWiki docker container behind an nginx reverse proxy.

Yes, those logs are warnings about encoding on Tomcat.

Thank you for pointing that out. This is indeed one of the errors I see in my logs, but I also have:

[Core extension repository updater] ERROR aultExtensionRepositoryManager - Unexpected error when trying to find extension [com.google.code.findbugs:annotations/api] in repository [store.xwiki.com:xwiki:https://store.xwiki.com/xwiki/rest]

and another 3 or 4 warnings.

Would be interesting to see the full log of those errors.

Sure, to not mess up this thread I created a new one and uploaded the log: Errors and Warnings in Logfile

Could you check the following:

Secure (SSL) is set to -1 and Port is set to 80 in the descriptor.

xwiki.home was unset. I now set it to https://domain.com and I also set xwiki.url.protocol=https.
With these changes the login via Keycloak is now working.

First I tried with xwiki.home=https://domain.com/ (note the ‘/’ at the end), which caused a malformed redirection URL. So it is important to remove the trailing slash.

Is this documented somewhere? Can this be added to the docs of the OIDC extension?
And what about the descriptor settings? Should I change them, too? If yes, how?

Thank you for helping me out. I will probably come back with more questions. :wink:

I think that’s your issue. The URL was generated based on the request URL and the port indicated in the descriptor (I fixed XWIKI-15757 to make this mix impossible even by mistake).

I now set it to https://domain.com and I also set xwiki.url.protocol=https.
With these changes the login via Keycloak is now working.

You should not use those properties IMO.
In recent versions it’s usually better and easier to maintain to configure the wiki descriptor properly. So for you:

  • set the right domain
  • enable HTTPS (secure)
  • don’t put any explicit port since you want default https port

It does not really have much to do with the OIDC authenticator; what was broken was the standard external URL generation, and you would have had similar issues with other features.
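The URL mix-up described in this thread (scheme taken from the request, port taken from the wiki descriptor, and a trailing slash on xwiki.home doubling the slash in the callback path) is easy to reproduce in a small model. The following is an added example, not XWiki's own code and not the OIDC extension's: it is a simplified imitation of the external URL generation as the thread describes it, plus a checker for the redirect_uri that XWiki ends up sending to Keycloak. The descriptor is modelled as a dict with `secure` (1, 0 or -1) and `port`, and the request URLs are made up for the example.

```python
"""Added example (not XWiki code): model of the external URL generation
described in the thread, and a checker for the resulting redirect_uri.

Assumptions (not taken from XWiki source):
  - descriptor = {"secure": 1 | 0 | -1, "port": int | None}
  - home / protocol = values of xwiki.home and xwiki.url.protocol (None = unset)
  - request URLs below are constructed sample input
"""
from urllib.parse import urlsplit

CALLBACK_PATH = "/oidc/authenticator/callback"   # path quoted in the thread
DEFAULT_PORTS = {"http": 80, "https": 443}


def build_redirect_uri(request_url, descriptor=None, home=None, protocol=None,
                       path=CALLBACK_PATH):
    """Return the callback URL the model would hand to the IdP.

    If xwiki.home is set it wins and the path is appended verbatim, so a
    trailing slash on xwiki.home is not normalised away and yields '//'.
    Otherwise the scheme comes from the descriptor (or, with secure=-1, from
    the request) and an explicit descriptor port is used as-is, even when it
    belongs to the other scheme: that is the https://domain.com:80 case.
    """
    if home:
        base = home
        if protocol:
            base = urlsplit(base)._replace(scheme=protocol).geturl()
        return base + path

    req = urlsplit(request_url)
    descriptor = descriptor or {}
    secure = descriptor.get("secure", -1)
    if secure == 1:
        scheme = "https"
    elif secure == 0:
        scheme = "http"
    else:
        scheme = req.scheme                      # -1: follow the request
    authority = req.hostname
    port = descriptor.get("port")
    if port is not None and port != DEFAULT_PORTS[scheme]:
        authority = f"{authority}:{port}"        # explicit port, no sanity check
    return f"{scheme}://{authority}{path}"


def check_redirect_uri(uri):
    """List the problems a practitioner should look for in the redirect_uri.

    The IdP compares this value byte-for-byte against the registered redirect
    URI, so a wrong port or a doubled slash is enough to break the login.
    """
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.port is not None:
        if parts.port == DEFAULT_PORTS.get(parts.scheme):
            problems.append("explicit default port in authority")
        elif parts.port in DEFAULT_PORTS.values():
            problems.append(f"port {parts.port} does not belong to scheme {parts.scheme}")
    if "//" in parts.path:
        problems.append("doubled slash in path (trailing slash on xwiki.home?)")
    return problems


if __name__ == "__main__":
    # Constructed sample requests: what the browser asked for, and what Tomcat
    # sees behind the reverse proxy (plain HTTP).
    browser_req = "https://domain.com/bin/login/XWiki/XWikiLogin"
    tomcat_req = "http://domain.com/bin/login/XWiki/XWikiLogin"
    cases = {
        "descriptor secure=-1, port=80 (thread)":
            build_redirect_uri(browser_req, descriptor={"secure": -1, "port": 80}),
        "xwiki.home with trailing slash (thread)":
            build_redirect_uri(browser_req, home="https://domain.com/", protocol="https"),
        "xwiki.home without trailing slash (working)":
            build_redirect_uri(browser_req, home="https://domain.com", protocol="https"),
        "descriptor secure=1, no explicit port (recommended)":
            build_redirect_uri(tomcat_req, descriptor={"secure": 1, "port": None}),
    }
    for label, uri in cases.items():
        print(f"{label}: {uri} -> {check_redirect_uri(uri) or 'ok'}")
```

Running it prints the four variants side by side: the descriptor with port 80 and the trailing-slash xwiki.home both fail the check, while the clean xwiki.home value and the descriptor with secure=1 and no explicit port both produce `https://domain.com/oidc/authenticator/callback`. The recommended descriptor case deliberately uses the plain-HTTP request Tomcat sees behind nginx, to show that the secure flag, not the request, decides the scheme once the descriptor is configured.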

Unfortunately this doesn’t work. I tried setting up the descriptor properly, but I still get the wrong URLs redirecting to port 80. Therefore I will keep the settings in xwiki.cfg for now.

What configuration do you have exactly, what wrong URL do you end up with, and in which context?

I think I have given most of the information above. Unfortunately I currently do not have the time to revert my (working!) settings in xwiki.cfg and edit the descriptor again just for testing.
I’m trying to get XWiki up and running to a state that is more or less suitable for production and I’m afraid there might be other pitfalls coming up during configuration…

Now I’m trying to sync the user groups between Keycloak and XWiki via OIDC. I set oidc.userinfoclaims=xwiki_groups,xwiki_user_email and created the mapping in Keycloak for xwiki_groups.

So far it doesn’t work, and when I turn on the debug logs in the OIDC extension, I see that updateXWikiClaims() is executed, but syncXWikiGroupsMembership() is not.

Ok, I think my Keycloak setup was wrong. The group assignment is working now.