Hello everybody!
We are currently evaluating the use of XWiki in our organization.
Unfortunately, we cannot proceed further due to login issues. We are running in RedHat Openshift.
My colleague has followed the configuration instructions mentioned here - OpenID Authentication with Keycloak (XWiki.org) and built the configuration in both XWiki and Keycloak. But, for some reason, we are getting the “redirect_uri is invalid” on KeyCloak’s after login redirection.
We have tried a few tricks mentioned in the comment section, but they didn’t make any effect. We are assuming the redirection URL specified in KeyCloak configuration is wrong.
Moreover, if we manually follow the specified endpoints in browser, xwiki shows the page for the content that doesn’t exist. Basically, we are not sure about the alternative option.
The currently configured redirect url is https://xwiki.83169.xxxxxxxx/xwiki/oidc/authenticator/callback (edited)
In case it is configured correctly, what else may cause such behavior?
Current fallback URLs we tried:
I will let the callback URL change from
https://xwiki.83169.our.domain/xwiki/oidc/authenticator/callback
to
https://xwiki.83169.our.domain/xwiki/data/oidc/authenticator/callback
or maybe just
https://xwiki.83169.our.domain/xwiki/data/oidc/
Xwiki.properties:
oidc.endpoint.authorization=https://user.our.domain/auth/realms/apa/protocol/openid-connect/auth
oidc.endpoint.token=https://user.our.domain/auth/realms/apa/protocol/openid-connect/token
oidc.endpoint.userinfo=https://user.our.domain/auth/realms/apa/protocol/openid-connect/userinfo
oidc.scope=openid,profile,email
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
# oidc.groups.claim=xwiki_groups
# oidc.groups.mapping=MyXWikiGroup=my-oidc-group
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group2
# oidc.groups.mapping=MyXWikiGroup2=my-oidc-group3
# oidc.groups.allowed=
# oidc.groups.forbidden=
oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype
# oidc.userinforefreshrate=600000
oidc.clientid=xwiki
oidc.secret=57e476c4-@@@@-@@@@-@@@@-f3a33733f956
oidc.endpoint.token.auth_method=client_secret_post
oidc.skipped=false
Xwiki.cfg:
#xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
And we are also tried oidc.endpoint.token.auth_method=client_secret_post
and
oidc.endpoint.token.auth_method=client_secret_basi
And my colleague also tried some of the stuff else, but we have no luck for now.
The second question - can we keep both xwiki login and keycloak login?
Thank you for any assistance!