xWiki default REST API with JWT token sending for authentication

Hello Devs,

I would like to use the xWiki default REST API to be able to authenticate users via a REST API and perform operations on the Wiki (using OIDC and Oauth2 and JWT tokens).

I have read all the documentation but whenever I try to make requests to the Wiki through the API with Tokens, it always says: “401: User needs to be authenticated”. It only works with Basic authentication.

So I would like to develop a new Plug In to enable this functionality in the Wiki.
Is this already possible? Any information about this?

Any info appreciated!


This is already possible with the OIDC connect provider. You can find some code using this in the Nextcloud integration for XWiki. Does that fulfill your needs?

Yes, thank you very much for replying.

I only have one doubt left, I can’t fully understand the OpenID Connect Provider documentation.

If third party OIDCs are used, such as Keycloak, would this still be possible?

As I understand, with the OpenID Connect Provider extension it is only xWiki that generates the tokens, isn’t it?

Yes, that’s also my understanding, but maybe @tmortagne could confirm this. My understanding is that, nevertheless, you could still generate such tokens for users that would normally authenticate using OIDC.


Yes. The point of this module is to use XWiki as an OIDC provider, being able to reuse the generated access tokens to access any resource (and not just access the userinfo endpoint during the authentication) is more of a bonus feature. It’s technically possible to use it just for this feature, but there is no UI to manage the tokens right now, so you will have to use some scripting.


So the Wiki only understands tokens generated by the Wiki itself, so it will not understand tokens generated by Keycloak for example, right?

It’s not really related to who generated the token (it’s a pretty standard JWT OIDC token), but to who holds the token. There is simply no feature right now in the XWiki OIDC Authenticator to validate tokens with the configured provider; as I said, it’s an XWiki OIDC Provider feature, so it’s obviously not going to ask another provider to validate the token.

I understand that this is an OIDC Provider feature, but it would be very useful to be able to access the REST API using oidc tokens. Maybe this could be implemented in a future version?

@tmortagne I figured out that a subwiki for specific users generates a different token than the main wiki at the same time. This means that if User A accesses /xwiki/bin/view/Main/, I receive a different token than when accessing /xwiki/wiki/testsubwiki/view/Main/ with the same user at the same time. How is this possible?

It’s not very clear to me how exactly you are getting the tokens you are mentioning. Are you talking about the access token which is generated when you authenticate using XWiki as OIDC provider?

@tmortagne
I sent a GET request with basic auth to: xwiki/wiki/testsubwiki/view/Main/ and got:
data-xwiki-form-token="Txxxxxxxxxxxxxxxxxxxxxxxxxxxg", data-xwiki-user-reference="xwiki:XWiki.admin"
and sent a GET request to: xwiki/bin/view/Main/ and got:
data-xwiki-form-token="AxxxxxxxxxxxxxxxxxxxxxxxxxxxF", data-xwiki-user-reference="xwiki:XWiki.admin"

Is this the correct way to get an access token? And why are different tokens generated for the same user?

OK, this has actually nothing to do with the type of tokens discussed in that thread :) Those are CSRF tokens that one can use in some specific APIs of XWiki, and they cannot be used to authenticate.

Once you have installed the OIDC Provider, there are two ways to get bearer access tokens:

  • through an OIDC authentication (the Relying Party obtains an access token from the provider, used among other things to access the userinfo endpoint)
  • through the new UI (located in the user profile → Applications) allowing any user to create a token allowing some application to authenticate on XWiki as this user

You might want to take a look at https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Provider/#HToken-basedaccess.
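An added example, not code from the thread or from the XWiki project, showing what a client can check locally before sending a bearer token to the REST API: as explained above, XWiki only accepts access tokens issued by its own OIDC Provider (it will not ask Keycloak or another provider to validate a token), and the token must not be expired. The issuer URL, the HS256 signing secret and the claims are constructed for the offline demo; real provider tokens are signed with the provider's own key, and the exact `iss` value of an XWiki token is an assumption to be read from your own instance.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_jwt(claims: dict, secret: bytes) -> str:
    """Constructed HS256 JWT used only to run this demo offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jwt_claims(token: str) -> dict:
    """Read the (unverified) claims of a JWT so the client can see who issued it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def token_problem(token: str, wiki_issuer: str, now=None):
    """Return why the wiki would reject this bearer token, or None if it looks usable.
    Only the wiki's own issuer is accepted (the server does not validate tokens with
    other providers such as Keycloak); an expired token is rejected as well."""
    claims = jwt_claims(token)
    if claims.get("iss") != wiki_issuer:
        return f"issuer {claims.get('iss')!r} is not the wiki's own OIDC provider"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return "token expired"
    return None


def rest_request(base_url: str, path: str, token: str) -> urllib.request.Request:
    """Build the REST call with a Bearer header instead of Basic auth (not sent here)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/rest{path}")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req
```

A `data-xwiki-form-token` value scraped from a page is a CSRF token, not a JWT, so `jwt_claims` rejects it before any request is made.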