====== DokuWiki authentication against Keycloak ======

There is basically no documentation about how to do this properly, and the error messages from the plugin don't help in any way. So, to get the whole thing working:

===== Keycloak Config =====

Add a new client with the following settings:

  * **Client ID**: dokuwiki
  * **Client Protocol**: openid-connect

Then edit the new adapter settings:

  * **Access Type**: confidential
  * **Valid Redirect URIs**: https://example.com/* (or wherever DokuWiki is stored)

Save, then go to the newly appeared tab "Credentials". Set **Client Authenticator** to "Client id and secret" and copy the **secret**.

If you want DokuWiki to know about the groups Keycloak assigns to the users, go to the tab "Mappers", then click "Create". Set the following attributes:

  * **Name**: groups
  * **Mapper Type**: "group membership"
  * **Token Claim Name**: "groups"
  * **Full group paths**: off
  * **Add to id token**: off
  * **Add to access token**: off
  * **Add to userinfo**: on

Then save.

===== DokuWiki Config =====

Install the plugin "oAuth".

  * In the version "2016-10-25" you need to enable user registration in DokuWiki, otherwise users who have never authenticated in DokuWiki can't log in. There is a [[https://github.com/cosmocode/dokuwiki-plugin-oauth/pull/43|pull request]] which solves that; hopefully it will be integrated in future versions.
  * Users need to have an e-mail address set in Keycloak. Otherwise DokuWiki will refuse to let them authenticate.

Then set up the oAuth plugin (in the GUI or the config file). Replace {realm-name} with the name of your realm. The URLs point to your Keycloak installation.
If you've chosen a different Keycloak client ID than "dokuwiki", set it in "keycloak-key":

<code php>
$conf['plugin']['oauth']['keycloak-key'] = 'dokuwiki';
$conf['plugin']['oauth']['keycloak-secret'] = 'The secret which we copied from keycloak';
$conf['plugin']['oauth']['keycloak-authurl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/auth';
$conf['plugin']['oauth']['keycloak-tokenurl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/token';
$conf['plugin']['oauth']['keycloak-userinfourl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/userinfo';
$conf['plugin']['oauth']['singleService'] = 'Keycloak';
</code>
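Since the plugin's error messages give little to go on, the following preflight check covers the failure modes named above (placeholder left in a URL, endpoints on different realms, missing e-mail, groups mapper misconfigured). It is an added example, not part of the oAuth plugin or of Keycloak; the function names, the realm name "wiki" and the sample userinfo responses are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Setting name -> last path segment of the Keycloak endpoint it must point at.
ENDPOINTS = {"keycloak-authurl": "auth", "keycloak-tokenurl": "token",
             "keycloak-userinfourl": "userinfo"}

def check_config(conf):
    """Return problems found in the oAuth plugin settings shown on this page."""
    problems, realms = [], set()
    if not conf.get("keycloak-key") or not conf.get("keycloak-secret"):
        problems.append("keycloak-key or keycloak-secret is empty")
    for key, endpoint in ENDPOINTS.items():
        url = conf.get(key, "")
        parts = urlparse(url)
        segs = parts.path.strip("/").split("/")
        if "{realm-name}" in url:
            problems.append(f"{key}: {{realm-name}} placeholder not replaced")
        if parts.scheme != "https":
            problems.append(f"{key}: not an https URL")
        if "realms" not in segs or segs[-3:] != ["protocol", "openid-connect", endpoint]:
            problems.append(f"{key}: expected .../realms/<realm>/protocol/openid-connect/{endpoint}")
        else:
            realms.add((parts.netloc, segs[segs.index("realms") + 1]))
    if len(realms) > 1:
        problems.append("endpoints point at different hosts or realms")
    return problems

def check_userinfo(raw, want_groups=True):
    """Return problems in a userinfo JSON response that would break the login."""
    info, problems = json.loads(raw), []
    if not info.get("email"):
        problems.append("no email claim: DokuWiki refuses the login")
    groups = info.get("groups")
    if want_groups and not isinstance(groups, list):
        problems.append("no groups claim: mapper needs 'Add to userinfo' on")
    elif want_groups and any(g.startswith("/") for g in groups):
        problems.append("groups are full paths: 'Full group paths' should be off")
    return problems

# Constructed sample data (not from a real installation).
BASE = "https://example.com/auth/realms/wiki/protocol/openid-connect/"
GOOD_CONF = {"keycloak-key": "dokuwiki", "keycloak-secret": "constructed-secret",
             "keycloak-authurl": BASE + "auth", "keycloak-tokenurl": BASE + "token",
             "keycloak-userinfourl": BASE + "userinfo"}
GOOD_USER = '{"sub": "1", "email": "alice@example.com", "groups": ["editors"]}'
BAD_USER = '{"sub": "2", "preferred_username": "bob", "groups": ["/staff/editors"]}'

if __name__ == "__main__":
    print(check_config(GOOD_CONF), check_userinfo(GOOD_USER), check_userinfo(BAD_USER))
```

To check a real setup, pass the values from your config file to ''check_config'' and the JSON body returned by the userinfo endpoint for a test user to ''check_userinfo''.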