linux_server_manuals:dokuwiki_authentication_against_keycloak

linux_server_manuals:dokuwiki_authentication_against_keycloak [2018/01/31 15:28] – created ronney
linux_server_manuals:dokuwiki_authentication_against_keycloak [2018/01/31 16:39] (current) – [DokuWiki Config] ronney
Line 1: Line 1:
 ====== Dokuwiki authentication against Keycloak ====== ====== Dokuwiki authentication against Keycloak ======
  
-plugin: oAuth+There exists basically no documentation about how to do that proberly, and also the error messages from the plugin, are not helping in any way... 
 + 
 +So to get the whole thing working: 
 + 
 +===== Keycloak Config ===== 
 + 
 +Add a new client with following settings: 
 +**Client ID**: dokuwiki 
 +**Client Protocol**: openid-connect 
 + 
 +Then edit the new adapter settings 
 +**Access Type**: confidential 
 +**Valid Redirect URLS**: https://example.com/ (Or wherever dokuwiki is stored) 
 + 
 +Save and then go to the newly appeard tab "credentials"
 +Set **Client Authenticator** to "Client id and secret" and copy the **secret**. 
 + 
 +If you want dokuwiki to know about the groups keycloak assigns to the users, go to the tab "Mappers", then click "create"
 +Set following attributes: 
 +**Name**: groups 
 +**Mapper Type**: "group membership" 
 +**Token Claim Name**: "groups" 
 +**Full group paths**: off 
 +**Add to id token**: off 
 +**Add to access token**: off 
 +**Add to userinfo**: on 
 + 
 +Then save. 
 + 
 +===== DokuWiki Config ===== 
 + 
 +Install the plugin "oAuth". 
 +<WRAP center round tip 60%> 
 +  * In the version "2016-10-25" you need to enable user registration in dokuwiki, otherwise users, which never authenticated in dokuwiki, can't login. There is a [[https://github.com/cosmocode/dokuwiki-plugin-oauth/pull/43|pull request]] which solves that, hopefully it will be integrated in future versions. 
 +  * Users need to have an e-mail address set in keycloak. Otherwise Dokuwiki will refuse to let them authenticate. 
 +</WRAP> 
 + 
 + 
 +Then setup oAuth plugin (in gui or config file). Replace {realm-name} with the name of your realm. The urls are obviously pointing to your keycloak installation. If you've chosen a different keycloak-cliend-id than "dokuwiki", then set it in "keycloak-key": 
 + 
 +<file> 
 +$conf['plugin']['oauth']['keycloak-key'] = 'dokuwiki'; 
 +$conf['plugin']['oauth']['keycloak-secret'] = 'The secret which we copied from keycloak'; 
 +$conf['plugin']['oauth']['keycloak-authurl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/auth'; 
 +$conf['plugin']['oauth']['keycloak-tokenurl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/token'; 
 +$conf['plugin']['oauth']['keycloak-userinfourl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/userinfo'; 
 +$conf['plugin']['oauth']['singleService'] = 'Keycloak'; 
 +</file> 
  
-adding group mapping: 
-Mapper Type: "group membership" 
-Token Claim Name: "groups" 
-Full group paths: off 
-Add to id token: off 
-Add to access token: off 
-Add to userinfo: on 
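Review bot: the **Valid Redirect URLS** value `https://example.com/` in the added Keycloak Config section is the bare site root, and Keycloak only completes a login whose redirect URI matches a registered value, so confirm that the callback URI the oAuth plugin actually sends matches what is registered (a mismatch surfaces as an invalid-redirect error on the Keycloak side, which is one of the "not helping" failure modes the text mentions), and keep the entry as specific as the plugin allows rather than widening it to a wildcard such as `https://example.com/*`, because that registered URI is what stops the authorization code from being delivered anywhere other than the wiki's login handler. Two smaller points on the added DokuWiki Config section: the `<file>` block puts `keycloak-secret` into DokuWiki's configuration, so the page should state that the web server must deny direct requests to `conf/` (DokuWiki ships an `.htaccess` for Apache there; other servers need an equivalent rule), and the tip about enabling user registration for the 2016-10-25 plugin version opens self-registration to anyone who can reach the login page until the linked pull request 43 is merged, so add a sentence telling readers to disable registration again once an updated plugin is installed. The removed `-adding group mapping:` lines are fully covered by the new "Mappers" steps, so that deletion is fine.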
linux_server_manuals/dokuwiki_authentication_against_keycloak.1517412533.txt.gz · Last modified: 2018/01/31 15:28 by ronney