This is an old revision of the document!

Dokuwiki authentication against Keycloak

plugin: oAuth

adding group mapping:
Mapper Type: “group membership”
Token Claim Name: “groups”
Full group paths: off
Add to id token: off
Add to access token: off
Add to userinfo: on

Discussion

Shuki, 2020/02/03 11:05

Two additions:

Automatic user-registration without manually enabled registration seems to be possible, at least when I add
```
$conf['plugin']['oauth']['register-on-auth'] = 1;
```
to my local.php, it works just fine without enabling option to register
To make my Keycloak-roles work in Dokuwiki I had to create a different mapper than stated here, that is:
1. click Create
2. Mapper Type: “User Realm Role”
3. Name: groups
4. Token Claim Name: groups
5. Claim JSON Type: String
6. Add to ID-Token: yes
7. Add to access-Token: yes
8. Add to userinfo: yes

L, 2021/11/19 15:59

Hm, @Shuki's mapper didnt work for me. But using the one from the documentation doesn't seem to show me the users belonging to the groups in the Users admin page.

Kevin sterckx, 2020/05/03 16:33

Hi,
i followed the instructions on this page and it still is not working.
i get the error: Your (re)login has failed.
In the browser I get this return: http://192.168.1.48:81/doku.php?error=invalid_request&error_description=Invalid+scopes%3A+

Could you guys help me with a fix?
Tnx!

Jan, 2020/05/19 12:40

It seems to be an issue with Keycloak 10.
https://github.com/cosmocode/dokuwiki-plugin-oauth/issues/89

I will try the fix mentioned by YoitoFes on Github:

I modified Keycloak service's scripts as follows by imitating an other service's one and login works well.

— phpoauthlib/src/OAuth/OAuth2/Service/Keycloak.php.bak
+++ phpoauthlib/src/OAuth/OAuth2/Service/Keycloak.php

   @@ -13,6 +13,10 @@

   class Keycloak extends Generic
   {
   +    const SCOPE_OPENID           = 'openid';
   +    const SCOPE_PROFILE          = 'profile';
   +    const SCOPE_EMAIL            = 'email';
   +
   protected function getAuthorizationMethod()
   {
       return static::AUTHORIZATION_METHOD_HEADER_BEARER;

— classes/KeycloakAdapter.php.bak
+++ classes/KeycloakAdapter.php

   @@ -2,6 +2,8 @@

   namespace OAuth\Plugin;

   +use OAuth\OAuth2\Service\Keycloak;
   +
   /**
   * Class KeycloakAdapter
   *
   @@ -39,6 +41,10 @@
       return $data;
   }

   +    public function getScope() {
   +        return array(Keycloak::SCOPE_OPENID, Keycloak::SCOPE_PROFILE, Keycloak::SCOPE_EMAIL);
   +    }
   +
   /**
    * We make use of the Keycloak oauth2 service (slightly abstracted from "Generic") as defined in
    * phpoauthlib/src/OAuth/OAuth2/Service/Keycloak.php

Since I'm not familiar with OAuth2 protocol and the implementation of this plugin, I'm not sure this modification is correct.

Jan, 2020/05/19 13:59

I tested this and login with Keycloak is now working for me!

Dan, 2020/05/28 14:26

I had the same symptoms, so I implemented to my local DokuWiki php files the 2 code changes specified above. After that everything works.

Note that the 'groups' membership data in the original post is what worked for me, not that in the first comment by Shuki.

The pull request mentioned was merged on 26/05/2020, but I'm not sure how long that will take to reach downstream implementations (such as Turnkey, like I use). In the meantime the code change is relatively easy to make oneself.

Timo, 2020/09/16 07:11

Does anyone know is it possible to use Keycloak user attributes on DokuWiki with oAuth? Can I pass some other attributes in similar way as groups mapper?

The problem is that we have customer numbers stored in keycloak user attributes and now wondering how to get those to Dokuwki iframe urls.

You could leave a comment if you were logged in.