There are situations where you need separate XWiki instances but still want to share users among them.
One idea is to rely on an external identity provider like LDAP and make both XWiki instances authenticate against the same LDAP server. But then you need to provide a way for users to modify their information on the reference LDAP server.
Another idea is to make one of the XWiki instances the reference identity provider and let the other XWiki instances authenticate against it and get user information from it. While you are at it, it would also be nice if other kinds of applications could easily authenticate against this XWiki instance. Those were the two main goals that led to the creation of a set of tools for using the OpenID Connect protocol in XWiki.
OpenID Connect
So what is OpenID Connect exactly?
The OpenID Connect reference website explains it well:
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management, when it makes sense for them.
See http://openid.net/connect/faq/ for a set of answers to Frequently Asked Questions about OpenID Connect.
Make XWiki an OpenID Connect provider
So all it takes to make XWiki an OpenID Connect provider is to install the dedicated extension.
- Go to Administer Wiki -> Add Extensions and search for OpenID Connect Provider
- Use Install on farm (you may need to click the down arrow near the Install button)
That's it: your XWiki instance is now an OpenID Connect provider.
Making another instance of XWiki use this OpenID Connect provider
Here we will install OpenID Connect Authenticator and configure it.
- Go to Administer Wiki -> Add Extensions and search for OpenID Connect Authenticator
- Use Install on farm (you may need to click the down arrow near the Install button)
- Edit the configuration file xwiki.cfg, then uncomment and set the property xwiki.authentication.authclass to org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl:
xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
- If you want to force authentication against a specific XWiki provider you can also set the property oidc.xwikiprovider (in xwiki.properties) to https://myotherxwikiinstance.org/xwiki/oidc (otherwise the authenticator asks the user which XWiki OpenID Connect provider they want to use). In a production setup you will usually want to pin the provider this way, so that the authenticator only trusts the instance you chose:
#-# See following endpoints properties if the provider is not an XWiki instance.
#-# If not indicated, it will be asked to the user.
oidc.xwikiprovider=https://myotherxwikiinstance.org/xwiki/oidc
- Restart XWiki so that the new authenticator is taken into account
When the user asks to log in:
- the browser is redirected to the provider, which will
  - authenticate the user (if not already done)
  - ask whether the authenticator is allowed to access the user's information (if not already granted)
  - redirect the browser back to the authenticator
- the authenticator asks the provider for information about the user and creates or updates the local user profile
- the user is set as the local current user
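The login sequence above, as an added example that is not part of the XWiki OIDC extensions: a toy in-process OpenID Connect provider and authenticator in Python that walk through the authorization-code exchange, with the checks the authenticator has to make on the way back (state, code exchange, ID token issuer, audience, nonce and expiry, then UserInfo to build the local profile). The issuer URL, client id, redirect URI, user list and shared client secret are constructed for the demo; signing the ID token with HS256 under that secret is a simplification, since the real provider publishes RSA keys.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo data (not from the page). The real extension publishes RSA signing keys
# through discovery; HS256 ID tokens keyed by a shared client secret are an assumption here.
PROVIDER_USERS = {"alice": {"name": "Alice Example", "email": "alice@example.org"}}
CLIENT_SECRET = b"constructed-client-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT carrying the ID token claims."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def jwt_verify(token: str, secret: bytes) -> dict:
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("ID token signature does not verify")
    return json.loads(b64url_decode(body))

class Provider:  # the reference XWiki acting as OpenID Connect provider (toy, in-process)
    def __init__(self, issuer: str, secret: bytes, users: dict):
        self.issuer, self.secret, self.users = issuer, secret, users
        self.codes = {}   # authorization code -> (sub, client_id, nonce, redirect_uri)
        self.tokens = {}  # access token -> sub

    def authorize(self, auth_url: str, logged_in_user: str) -> str:
        """User already authenticated and consenting: issue a one-time code, redirect back."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (logged_in_user, q["client_id"], q["nonce"], q["redirect_uri"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, client_id: str, redirect_uri: str) -> dict:
        """Token endpoint: a code is single use and bound to the client it was issued to."""
        sub, issued_to, nonce, issued_uri = self.codes.pop(code)  # KeyError on replay
        if (issued_to, issued_uri) != (client_id, redirect_uri):
            raise ValueError("code was issued to a different client or redirect_uri")
        claims = {"iss": self.issuer, "sub": sub, "aud": client_id, "nonce": nonce,
                  "exp": int(time.time()) + 300}
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = sub
        return {"id_token": jwt_sign(claims, self.secret), "access_token": access_token}

    def userinfo(self, access_token: str) -> dict:  # UserInfo endpoint
        return {"sub": self.tokens[access_token], **self.users[self.tokens[access_token]]}

class Authenticator:  # the other XWiki running the OpenID Connect Authenticator (toy)
    def __init__(self, provider: Provider, client_id: str, redirect_uri: str, secret: bytes):
        self.provider, self.client_id, self.redirect_uri, self.secret = provider, client_id, redirect_uri, secret
        self.pending = {}      # state -> nonce for logins that have not come back yet
        self.local_users = {}  # sub -> local profile

    def start_login(self) -> str:
        """Redirect to the provider: state ties the callback to this attempt, nonce the ID token."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return self.provider.issuer + "/authorize?" + urlencode({
            "response_type": "code", "scope": "openid profile email",
            "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "state": state, "nonce": nonce})

    def finish_login(self, callback_url: str) -> str:
        """Check state, exchange the code, validate the ID token, fetch user info, update profile."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        nonce = self.pending.pop(q.get("state", ""), None)
        if nonce is None:
            raise ValueError("unknown or reused state: not a login we started")
        tokens = self.provider.token(q["code"], self.client_id, self.redirect_uri)
        claims = jwt_verify(tokens["id_token"], self.secret)
        expected = (self.provider.issuer, self.client_id, nonce)
        if (claims["iss"], claims["aud"], claims["nonce"]) != expected or claims["exp"] < time.time():
            raise ValueError("ID token rejected: wrong issuer, audience or nonce, or expired")
        info = self.provider.userinfo(tokens["access_token"])
        profile = self.local_users.setdefault(claims["sub"], {})
        profile.update({"name": info.get("name"), "email": info.get("email")})
        return claims["sub"]

def run_demo() -> dict:
    provider = Provider("https://myotherxwikiinstance.org/xwiki/oidc", CLIENT_SECRET, PROVIDER_USERS)
    auth = Authenticator(provider, "second-xwiki", "https://second.example.org/xwiki/oidc/cb", CLIENT_SECRET)
    callback = provider.authorize(auth.start_login(), "alice")
    result = {"user": auth.finish_login(callback)}
    result["profile"] = dict(auth.local_users[result["user"]])
    for name, url in (("replay", callback), ("forged", auth.redirect_uri + "?code=x&state=evil")):
        try:
            auth.finish_login(url)
            result[name + "_rejected"] = False
        except (ValueError, KeyError):
            result[name + "_rejected"] = True
    return result
```

run_demo() performs one login for alice, then shows that the same callback cannot be replayed (its state has already been consumed) and that a callback carrying a state the authenticator never issued is refused before any code is exchanged. A real provider additionally checks redirect_uri against the client's registration, and a real authenticator obtains the provider's signing keys through discovery instead of sharing a secret.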
XWiki OpenID Connect project future
This project is still very young and welcomes testers and contributors, especially regarding compatibility with other OpenID Connect providers and clients.
You can find known issues, planned improvements and ideas on https://jira.xwiki.org/browse/OIDC and the sources on https://github.com/xwiki-contrib/oidc.