I would like to use the XWiki default REST API to be able to authenticate users via a REST API and perform operations on the wiki (using OIDC, OAuth2 and JWT tokens).
I have read all the documentation but whenever I try to make requests to the Wiki through the API with Tokens, it always says: “401: User needs to be authenticated”. It only works with Basic authentication.
So I would like to develop a new plug-in to enable this functionality in the wiki.
Is this already possible? Any information about this?
Yes, that’s also my understanding, but maybe @tmortagne could confirm this. My understanding is that, nevertheless, you could still generate such tokens for users that would normally authenticate using OIDC.
Yes. The point of this module is to use XWiki as an OIDC provider; being able to reuse the generated access tokens to access any resource (and not just access the userinfo endpoint during the authentication) is more of a bonus feature. It’s technically possible to use it just for this feature, but there is no UI to manage the tokens right now, so you will have to use some scripting.
It’s not really related to who generated the token (it’s a pretty standard JWT OIDC token), but to who holds the token. There is simply no feature right now in the XWiki OIDC Authenticator to validate tokens with the configured provider; as I said, it’s an XWiki OIDC Provider feature, so it’s obviously not going to ask another provider to validate the token.
I understand that this is an OIDC Provider feature, but it would be very useful to be able to access the REST API using OIDC tokens. Maybe this could be implemented in a future version?
@tmortagne I figured out that a subwiki for specific users generates a different token than the main wiki at the same time. This means that if User A accesses /xwiki/bin/view/Main/, I receive a different token than when accessing /xwiki/wiki/testsubwiki/view/Main/ with the same user at the same time. How is this possible?
It’s not very clear to me how exactly you are getting the tokens you are mentioning. Are you talking about the access token which is generated when you authenticate using XWiki as OIDC provider?
@tmortagne
I sent a GET request with basic auth to: xwiki/wiki/testsubwiki/view/Main/ and got:
data-xwiki-form-token="Txxxxxxxxxxxxxxxxxxxxxxxxxxxg", data-xwiki-user-reference="xwiki:XWiki.admin"
and sent a GET request to: xwiki/bin/view/Main/ and got:
data-xwiki-form-token="AxxxxxxxxxxxxxxxxxxxxxxxxxxxF", data-xwiki-user-reference="xwiki:XWiki.admin"
Is this the correct way to get an access token? And why are different tokens generated for the same user?
OK, this has actually nothing to do with the type of tokens discussed in that thread. Those are CSRF tokens that one can use in some specific APIs of XWiki, and they cannot be used to authenticate.
Once you have installed the OIDC Provider, there are two ways to get bearer access tokens:
through an OIDC authentication (the Relying Party obtains an access token from the provider, used among other things to access the userinfo endpoint)
through the new UI (located in the user profile → Applications) allowing any user to create a token allowing some application to authenticate on XWiki as this user