Hi,
I’ve been tasked with setting up xwiki so that authentication is done through an external system (Moodle).
I found the OpenID Connect extension for xwiki, which looks like what I need.
However, from the Moodle side there is no specific OpenID Connect plugin, the closest thing I’ve been able to find is an oauth authentication plugin: GitHub - projectestac/moodle-local_oauth: OAuth Server for Moodle 2
I am trying to see if it is possible to make these work together, but having never done this sort of thing before, I’m running into problems and I’m not sure if it’s even going to be possible.
I have set the oidc.xwikiprovider value to the moodle site oauth plugin, and on attempting to login to xwiki I am indeed redirected to Moodle and I can see that the following parameters are being submitted from xwiki:
array (size=6)
'claims' => string '{"id_token":{"xwiki_instance_id":null},"userinfo":{"xwiki_user_accessibility":null,"xwiki_user_displayHiddenDocuments":null,"xwiki_user_editor":null,"xwiki_user_usertype":null,"xwiki_user_company":null}}' (length=203)
'response_type' => string 'code' (length=4)
'redirect_uri' => string 'http://mysite:8080/xwiki/oidc/authenticator/callback' (length=59)
'state' => string 'va_NINc5H6kQz059dmobjKtAogJUc_FMCslK4wINpqY' (length=43)
'client_id' => string 'xwiki' (length=5)
'scope' => string 'openid profile email address phone'
However, this is failing and being sent back to xwiki with the error from the moodle plugin: invalid_scope
It appears that the moodle plugin is expecting a scope of “user_info” but xwiki is passing through “openid profile email address phone”, and I just cannot find anywhere to change that in the configuration.
Is it possible to change the scopes that the xwiki OpenID Connect extension is asking for?
I’ve done a bit of research and I think I’m right in saying the scope values are standard in OpenID Connect, so I’m not sure passing through a different value will work anyway…?
Additionally, I’m unsure what - if anything - I need to put into the configuration settings:
# oidc.endpoint.authorization=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/authorization
# oidc.endpoint.token=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/token
# oidc.endpoint.userinfo=https://xwikiorg-node1.xwikisas.com/xwiki/oidc/userinfo
Has anyone had any experience trying to do this sort of thing? Is it just not going to work with the OpenID Connect extension, if the other system can’t be set up to be an actual idp, and is just expecting a standard oauth2 workflow?
(If some of that doesn’t make any sense, it’s because I’m not really sure what I’m doing…)
I can provide more info if necessary.
Thanks.
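The front-channel exchange the post describes, modelled as an added example (it is not XWiki or Moodle code, and not part of the original post). The provider endpoint URL, the client registration table and the authorization code are constructed; the provider is assumed to accept only the scope `user_info`, as the post reports. The client builds the same authorization request the post shows (`response_type=code`, `client_id`, `redirect_uri`, `scope`, `state`), and the provider applies the checks RFC 6749 section 4.1.2.1 prescribes in order: an unknown `client_id` or unregistered `redirect_uri` is refused without any redirect (redirecting there would hand the code to whoever chose the URI), whereas an unknown scope is answered by redirecting back with `error=invalid_scope` and the original `state`, which is exactly what xwiki received. The callback handler shows the client-side half of that: a reply whose `state` does not match the one issued for the session is dropped before anything else is looked at. Note also that OpenID Connect Core requires the `openid` scope in every OIDC request, so a provider that rejects it can only run a plain OAuth2 flow; `provider_speaks_oidc` encodes that test.

```python
"""Model of the OAuth2 / OpenID Connect authorization-code front channel.

Added illustration only: not XWiki or Moodle code. The endpoint URL,
client registration and authorization code are constructed for the example.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical provider endpoint; the real Moodle plugin's path is not known here.
AUTHORIZATION_ENDPOINT = "https://moodle.example/oauth/authorize"

# Client registration held by the provider (constructed; redirect_uri from the post).
REGISTERED_CLIENTS = {
    "xwiki": {"redirect_uris": {"http://mysite:8080/xwiki/oidc/authenticator/callback"}},
}

# Scopes the post shows the XWiki OIDC extension requesting. OIDC Core 3.1.2.1
# makes "openid" mandatory in every OpenID Connect authentication request.
OIDC_DEFAULT_SCOPES = ("openid", "profile", "email", "address", "phone")


def build_authorization_request(client_id, redirect_uri, scopes, state):
    """Client side: the URL the user's browser is sent to (response_type=code flow)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def _query(url):
    """First value of every query parameter, decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def validate_authorization_request(url, supported_scopes):
    """Provider side, in the order RFC 6749 section 4.1.2.1 prescribes.

    Returns {"reject": reason} when the browser must NOT be redirected
    (client_id / redirect_uri cannot be trusted), otherwise {"redirect": url,
    "params": params} where params carries either a code or an error.
    """
    q = _query(url)
    client = REGISTERED_CLIENTS.get(q.get("client_id"))
    if client is None:
        return {"reject": "unknown client_id"}
    redirect_uri = q.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        # Never redirect to an unregistered URI: that is how codes get stolen.
        return {"reject": "redirect_uri not registered for client"}

    def back(params):
        # state is echoed unchanged so the client can bind the reply to its session.
        if "state" in q:
            params["state"] = q["state"]
        return {"redirect": redirect_uri + "?" + urlencode(params), "params": params}

    if q.get("response_type") != "code":
        return back({"error": "unsupported_response_type"})
    requested = set(q.get("scope", "").split())
    unknown = requested - set(supported_scopes)
    if not requested or unknown:
        # The failure in the post: the provider recognises none of the OIDC scopes.
        return back({"error": "invalid_scope",
                     "error_description": "unknown scope(s): " + " ".join(sorted(unknown))})
    return back({"code": "constructed-authorization-code"})  # constructed value


def handle_callback(callback_url, expected_state):
    """Client side: drop any reply whose state is not the one this session issued."""
    q = _query(callback_url)
    if q.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch (possible CSRF or stale reply)"}
    if "error" in q:
        return {"ok": False, "reason": q["error"]}
    return {"ok": True, "code": q["code"]}


def provider_speaks_oidc(supported_scopes):
    """A provider that will not accept "openid" can only run a plain OAuth2 flow."""
    return "openid" in set(supported_scopes)


if __name__ == "__main__":
    state = "va_NINc5H6kQz059dmobjKtAogJUc_FMCslK4wINpqY"  # value from the post
    url = build_authorization_request(
        "xwiki", "http://mysite:8080/xwiki/oidc/authenticator/callback",
        OIDC_DEFAULT_SCOPES, state)
    reply = validate_authorization_request(url, {"user_info"})
    print(reply["params"])                    # error=invalid_scope plus the echoed state
    print(handle_callback(reply["redirect"], state))
    print("provider is an OIDC IdP:", provider_speaks_oidc({"user_info"}))
```

Running the block reproduces the post's outcome: the provider that only knows `user_info` answers `invalid_scope`, the client receives that error together with its own `state`, and `provider_speaks_oidc` reports that such a provider cannot serve an OpenID Connect client at all, which is the question the post ends on.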