
Dokuwiki authentication against Keycloak

There is basically no documentation on how to do this properly, and the error messages from the plugin are no help either…

So to get the whole thing working:

Keycloak Config

Add a new client with the following settings:
Client ID: dokuwiki
Client Protocol: openid-connect

Then edit the settings of the new client:
Access Type: confidential
Valid Redirect URLs: https://example.com/* (or wherever DokuWiki is hosted)

Save, then go to the newly appeared tab “Credentials”.
Set Client Authenticator to “Client id and secret” and copy the secret.

If you want DokuWiki to know about the groups Keycloak assigns to the users, go to the tab “Mappers”, then click “Create”.
Set the following attributes:
Name: groups
Mapper Type: “group membership”
Token Claim Name: “groups”
Full group paths: off
Add to id token: off
Add to access token: off
Add to userinfo: on

Then save.

DokuWiki Config

Install the plugin “oAuth”.

  • In the version “2016-10-25” you need to enable user registration in DokuWiki, otherwise users who have never authenticated in DokuWiki can't log in. There is a pull request which solves this; hopefully it will be integrated in future versions.
  • Users need to have an e-mail address set in Keycloak. Otherwise DokuWiki will refuse to let them authenticate.

Then set up the oAuth plugin (in the GUI or in the config file). Replace {realm-name} with the name of your realm. The URLs obviously point to your Keycloak installation. If you chose a different Keycloak client ID than “dokuwiki”, set it in “keycloak-key”:

$conf['plugin']['oauth']['keycloak-key'] = 'dokuwiki';
$conf['plugin']['oauth']['keycloak-secret'] = 'The secret which we copied from keycloak';
$conf['plugin']['oauth']['keycloak-authurl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/auth';
$conf['plugin']['oauth']['keycloak-tokenurl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/token';
$conf['plugin']['oauth']['keycloak-userinfourl'] = 'https://example.com/auth/realms/{realm-name}/protocol/openid-connect/userinfo';
$conf['plugin']['oauth']['singleService'] = 'Keycloak';
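As an added check covering both the Keycloak mapper settings above and this plugin configuration (example code written for this page, not code from the oAuth plugin or from Keycloak): it derives the three endpoint URLs from one base URL and realm, builds the authorization redirect with an explicit scope set (an empty scope is what the “Invalid scopes:” error in the discussion below shows), compares an exported group-membership mapper against the prescribed settings, and applies the plugin's e-mail requirement to a userinfo response. Assumed, because the page does not name them: the mapper config keys claim.name, userinfo.token.claim and full.path, and the userinfo claim names sub, preferred_username, name, email and groups are taken from Keycloak/OpenID Connect, not from the page.

```python
"""Sanity checks for the DokuWiki <-> Keycloak setup above (added example,
not code from the oAuth plugin). Assumes, as the page states, that the plugin
reads 'groups' from userinfo and refuses users without an e-mail address."""

from urllib.parse import urlencode, urlparse


def keycloak_endpoints(base_url: str, realm: str) -> dict:
    """Derive the authurl/tokenurl/userinfourl values from one base URL and realm."""
    root = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect"
    return {"authurl": f"{root}/auth", "tokenurl": f"{root}/token",
            "userinfourl": f"{root}/userinfo"}


def authorization_url(authurl: str, client_id: str, redirect_uri: str, state: str,
                      scopes=("openid", "profile", "email")) -> str:
    """Build the browser redirect to Keycloak. Keycloak rejects a request whose
    scope is empty with 'Invalid scopes: ' (the error seen in the discussion)."""
    if not scopes or "openid" not in scopes:
        raise ValueError("scope must contain 'openid' for an OpenID Connect login")
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must be https, like the Valid Redirect URLs")
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return f"{authurl}?{urlencode(query)}"


def check_group_mapper(config: dict) -> list:
    """Compare an exported mapper's config (assumed Keycloak keys; values are the
    strings 'true'/'false') with the settings prescribed above."""
    on = lambda key: str(config.get(key, "false")).lower() == "true"
    problems = []
    if config.get("claim.name") != "groups":
        problems.append("Token Claim Name must be 'groups'")
    if not on("userinfo.token.claim"):
        problems.append("'Add to userinfo' is off; the plugin reads groups from userinfo")
    if on("full.path"):
        problems.append("'Full group paths' is on: groups arrive as '/name', not 'name'")
    return problems


def user_from_userinfo(info: dict) -> dict:
    """Map a userinfo response onto the fields DokuWiki needs; e-mail is mandatory."""
    if not info.get("email"):
        raise ValueError("userinfo carries no e-mail; DokuWiki will refuse this user")
    groups = [g.lstrip("/") for g in info.get("groups", [])]  # tolerate full paths
    return {"user": info.get("preferred_username", info["sub"]),
            "name": info.get("name", ""), "mail": info["email"], "grps": groups}
```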

Discussion

Shuki, 2020/02/03 11:05

Two additions:

  1. Automatic user-registration without manually enabled registration seems to be possible, at least when I add
    $conf['plugin']['oauth']['register-on-auth'] = 1;

    to my local.php, it works just fine without enabling the option to register

  2. To make my Keycloak-roles work in Dokuwiki I had to create a different mapper than stated here, that is:
    1. click Create
    2. Mapper Type: “User Realm Role”
    3. Name: groups
    4. Token Claim Name: groups
    5. Claim JSON Type: String
    6. Add to ID-Token: yes
    7. Add to access-Token: yes
    8. Add to userinfo: yes

L, 2021/11/19 15:59

Hm, @Shuki's mapper didn't work for me. But using the one from the documentation doesn't seem to show me the users belonging to the groups in the Users admin page.

Kevin sterckx, 2020/05/03 16:33

Hi,
I followed the instructions on this page and it still is not working.
I get the error: Your (re)login has failed.
In the browser I get this return: http://192.168.1.48:81/doku.php?error=invalid_request&error_description=Invalid+scopes%3A+

Could you guys help me with a fix?
Tnx!

Jan, 2020/05/19 12:40

It seems to be an issue with Keycloak 10.
https://github.com/cosmocode/dokuwiki-plugin-oauth/issues/89

I will try the fix mentioned by YoitoFes on Github:

I modified Keycloak service's scripts as follows by imitating another service's one and login works well.

— phpoauthlib/src/OAuth/OAuth2/Service/Keycloak.php.bak
+++ phpoauthlib/src/OAuth/OAuth2/Service/Keycloak.php

   @@ -13,6 +13,10 @@
   class Keycloak extends Generic
   {
   +    const SCOPE_OPENID           = 'openid';
   +    const SCOPE_PROFILE          = 'profile';
   +    const SCOPE_EMAIL            = 'email';
   +
   protected function getAuthorizationMethod()
   {
       return static::AUTHORIZATION_METHOD_HEADER_BEARER;
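Review bot: the three new SCOPE_* constants on class Keycloak are added without a doc comment saying what they are for; add one noting that they are the standard OpenID Connect scope names (openid is mandatory for an OIDC authorization request, profile and email request the name and e-mail claims, and the page body says the plugin refuses users without an e-mail address) and that they exist so the adapter can send a non-empty scope, which is exactly what the "Invalid scopes: " error quoted above is missing. On their own these constants change nothing; they only take effect together with the getScope() override in the second file.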

— classes/KeycloakAdapter.php.bak
+++ classes/KeycloakAdapter.php

   @@ -2,6 +2,8 @@
   namespace OAuth\Plugin;
   +use OAuth\OAuth2\Service\Keycloak;
   +
   /**
   * Class KeycloakAdapter
   *
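Review bot: style only: PSR-12 expects a blank line between `namespace OAuth\Plugin;` and the following use declaration, but the hunk places `+use OAuth\OAuth2\Service\Keycloak;` directly under the namespace line. The import itself is needed only for the Keycloak::SCOPE_* references in the next hunk.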
   @@ -39,6 +41,10 @@
       return $data;
   }
   +    public function getScope() {
   +        return array(Keycloak::SCOPE_OPENID, Keycloak::SCOPE_PROFILE, Keycloak::SCOPE_EMAIL);
   +    }
   +
   /**
    * We make use of the Keycloak oauth2 service (slightly abstracted from "Generic") as defined in
    * phpoauthlib/src/OAuth/OAuth2/Service/Keycloak.php
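Review bot: getScope() has no docblock and hardcodes the scope list; add a comment stating that it overrides the adapter's default scope (apparently empty, judging from the "Invalid scopes: " error quoted above) so the authorization request carries "openid profile email", and why each entry is there: openid is required for an OpenID Connect login, email because the plugin refuses users without an e-mail address (see the note in the page body), profile for the display name. The constants referenced here come from the first hunk, so the two hunks must ship together; applying only this one fails with undefined class constants.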

Since I'm not familiar with OAuth2 protocol and the implementation of this plugin, I'm not sure this modification is correct.

Jan, 2020/05/19 13:59

I tested this and login with Keycloak is now working for me!

Dan, 2020/05/28 14:26

I had the same symptoms, so I implemented the 2 code changes specified above in my local DokuWiki PHP files. After that everything works.

Note that the 'groups' membership data in the original post is what worked for me, not that in the first comment by Shuki.

The pull request mentioned was merged on 26/05/2020, but I'm not sure how long that will take to reach downstream implementations (such as Turnkey, like I use). In the meantime the code change is relatively easy to make oneself.

Timo, 2020/09/16 07:11

Does anyone know if it is possible to use Keycloak user attributes in DokuWiki with oAuth? Can I pass some other attributes in a similar way as the groups mapper?

The problem is that we have customer numbers stored in Keycloak user attributes and we are now wondering how to get those into DokuWiki iframe URLs.

linux_server_manuals/dokuwiki_authentication_against_keycloak.txt · Last modified: 2018/01/31 16:39 by ronney