xWiki default REST API with JWT token sending for authentication

Hello Devs,

I would like to use the xWiki default REST API to be able to authenticate users via a REST API and perform operations on the Wiki (using OIDC, OAuth2 and JWT tokens).

I have read all the documentation but whenever I try to make requests to the Wiki through the API with Tokens, it always says: “401: User needs to be authenticated”. It only works with Basic authentication.

So I would like to develop a new plugin to enable this functionality in the Wiki.
Is this already possible? Any information about this?

Any info appreciated!

This is already possible with the OIDC connect provider. You can find some code using this in the Nextcloud integration for XWiki. Does that fulfill your needs?

Yes, thank you very much for replying.

I only have one doubt left, I can’t fully understand the OpenID Connect Provider documentation.

If third-party OIDCs are used, such as Keycloak, would this still be possible?

As I understand, with the OpenID Connect Provider extension it is only xWiki that generates the tokens, isn’t it?

Yes, that’s also my understanding, but maybe @tmortagne could confirm this. My understanding is that, nevertheless, you could still generate such tokens for users that would normally authenticate using OIDC.

Yes. The point of this module is to use XWiki as an OIDC provider; being able to reuse the generated access tokens to access any resource (and not just access the userinfo endpoint during the authentication) is more of a bonus feature. It’s technically possible to use it just for this feature, but there is no UI to manage the tokens right now, so you will have to use some scripting.

So the Wiki only understands tokens generated by the Wiki itself, so it will not understand tokens generated by Keycloak for example, right?

It’s not really related to who generated the token (it’s a pretty standard JWT OIDC token), but to who holds the token. There is simply no feature right now in the XWiki OIDC Authenticator to validate tokens with the configured provider. As I said, it’s an XWiki OIDC Provider feature, so it’s obviously not going to ask another provider to validate the token.