Xwiki role mapping from keycloak instead of groups

Hi,

This is my question: I'm planning to use my realm to connect several apps, and because of this I don't have a very specific filter for my groups in my LDAP federation. I don't want XWiki to create all the groups Keycloak would send to it, so I've mapped specific groups to client roles.

The format in which XWiki gets that info from Keycloak is this:

"resource_access": {
  "client_id": {
    "roles": [
      "editor",
      "admin"
    ]
  }
}

But I'm struggling to get that data recognized in XWiki. Does it have native role recognition? If not, how could I map these roles to user groups?

Thank you.

As far as I know, XWiki does not natively support mapping OIDC roles to XWiki groups.

But perhaps you can achieve this functionality by writing a custom authenticator. But that is far beyond my understanding and ability.

My recommendation would be to organize the groups in LDAP, sync them with Keycloak, and then have Keycloak create the groups in XWiki and assign permissions on those very groups.

Yes, that is what I'm trying.

Following the doc:

#-# The name of the claim used to get the list of groups the user belongs to.
#-# This claim also needs to be listed in oidc.userinfoclaims, which controls whether group membership synchronization is enabled or not.
#-# 
#-# It's also possible to use a custom property from the userinfo JSON.
#-# For example, if the provider sends the following JSON for the user info:
#-# {
#-#   "sub"                : "248289761001",
#-#   "name"               : "Jane Doe",
#-#   "given_name"         : "Jane",
#-#   "family_name"        : "Doe",
#-#   "preferred_username" : "j.doe",
#-#   "email"              : "janedoe@example.com",
#-#   "picture"            : "http://example.com/janedoe/me.jpg",
#-#   "customoject"        :
#-#   {
#-#     "customgroups"   :  ["group1", "group2"]
#-#   }
#-# }
#-# you can use:
# oidc.groups.claim=customoject.customgroups
#-#

I have

oidc.groups.claim=resource_access.client_id.roles

to map these role names as groups, but it doesn't work for me.

OK, I got it:

the same exact path must also be defined in 'oidc.userinfoclaims', like
oidc.userinfoclaims=resource_access.xwiki_auth.roles,profile,email
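The resolution above is easy to get wrong silently: a dotted path in oidc.groups.claim that is not also listed in oidc.userinfoclaims simply yields no groups, with nothing obviously broken. The following is an added example (not XWiki's own authenticator code, and not from either poster) that simulates the behaviour the thread describes so the two property values can be sanity-checked offline against a userinfo payload shaped like the one in the question. The client id "xwiki_auth" and the second client "other_app" in the constructed payload are assumptions; the real authenticator's internals may differ in details, but the rule "the groups claim path must appear in oidc.userinfoclaims" is the one the thread establishes.

```python
"""Simulate how a dotted oidc.groups.claim path is resolved against the OIDC
userinfo JSON, and the failure mode when that path is missing from
oidc.userinfoclaims. Added example; not XWiki's code."""
import json

# Constructed userinfo payload, shaped like the "resource_access" block in the
# question. Client ids "xwiki_auth" and "other_app" are assumptions for this demo.
USERINFO_JSON = """
{
  "sub": "248289761001",
  "preferred_username": "j.doe",
  "email": "janedoe@example.com",
  "resource_access": {
    "xwiki_auth": {"roles": ["editor", "admin"]},
    "other_app":  {"roles": ["viewer"]}
  }
}
"""

# The configuration the thread starts with (groups claim not requested) and the
# configuration that resolved the problem (same path added to userinfoclaims).
BROKEN_CONFIG = {
    "oidc.groups.claim": "resource_access.xwiki_auth.roles",
    "oidc.userinfoclaims": "profile,email",
}
FIXED_CONFIG = {
    "oidc.groups.claim": "resource_access.xwiki_auth.roles",
    "oidc.userinfoclaims": "resource_access.xwiki_auth.roles,profile,email",
}


def resolve_claim(userinfo, path):
    """Walk a dotted path such as 'resource_access.xwiki_auth.roles'.

    Returns None if any segment is missing, e.g. the user holds no roles at
    all for that client, so the caller can distinguish 'no roles' from 'path
    never requested'.
    """
    node = userinfo
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def oidc_groups(userinfo, groups_claim, userinfo_claims):
    """Return the group names XWiki would synchronize, following the rule from
    the thread: the groups claim only counts if its exact path is also listed
    in oidc.userinfoclaims."""
    requested = [c.strip() for c in userinfo_claims.split(",") if c.strip()]
    if groups_claim not in requested:
        return []  # claim never requested -> no group synchronization at all
    value = resolve_claim(userinfo, groups_claim)
    if value is None:
        return []  # user has no entry under that path -> no groups
    if isinstance(value, str):
        value = [value]  # tolerate a single role sent as a bare string
    return [str(v) for v in value]


def groups_for(config):
    """Evaluate a xwiki.properties-style config dict against the sample payload."""
    userinfo = json.loads(USERINFO_JSON)
    return oidc_groups(userinfo,
                       config["oidc.groups.claim"],
                       config["oidc.userinfoclaims"])


def resolve_in_sample(path):
    """Helper for checking arbitrary paths against the sample payload."""
    return resolve_claim(json.loads(USERINFO_JSON), path)


if __name__ == "__main__":
    print("broken config ->", groups_for(BROKEN_CONFIG))
    print("fixed config  ->", groups_for(FIXED_CONFIG))
```

Note that roles under another client ("other_app" here) are never reached because the path names one client explicitly, which is the property the original poster wanted: only the roles mapped to XWiki's own client become XWiki groups, and a user with no entry for that client gets no groups rather than an error.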