OIDC - Allowed Groups / Prefix

Hi,
I hope you can help me - I’d like to switch our authentication to OIDC over entra. Working fine for “standard”-users incl. group-mapping.
But now in the last configs, I don’t come further.

At first, I’d like to limit the logins to a certain group, but this is ignored. (our group-Names look like “XWiki-xxx”)

I’ve added to xwiki.properties (with x on end to disable “all” logins):

oidc.groups.allowed=XWiki-Wissensportalx

And all I get in the logs is:

 DEBUG o.x.c.o.a.i.OIDCUserManager    - Updating XWiki claims
 DEBUG o.x.c.o.a.i.OIDCUserManager    - Getting groups sent by the provider associated with claim [groups]
 DEBUG o.x.c.o.a.i.OIDCUserManager    - Groups claim not found in userInfo token. Trying idToken
 DEBUG o.x.c.o.a.i.OIDCUserManager    - The provider sent the following groups: ["XWiki-BAZ","XWiki-HR","XWiki-BW","XWiki-Ideenbox","XWiki-Technik","XWiki-DWH","XWiki-BCM","XWiki-ZBSMBT","XWiki-Lehrlingsausbilder","XWiki-Wissensportal","XWiki-Finance_Controlling","XWiki-BW-LVS","XWiki-Wissensportal-EDVA","XWiki-PM","XWiki-HR-Laender","XWiki-Projekte-FinCo"]
 DEBUG o.x.c.o.a.i.OIDCUserManager    - Updating group membership for the user [XWiki.gerd\.schnoetzinger@xxxxxxx\.com]
 DEBUG o.x.c.o.a.i.OIDCUserManager    - The user belongs to following XWiki groups: [XWiki.XWiki-Wissensportal-EDVA, XWiki.XWikiAllGroup, XWiki.XWiki-HR-Laender, XWiki.XWiki-Wissensportal, XWiki.XWiki-HR, XWiki.XWiki-Ideenbox, XWiki.XWiki-PM, XWiki.XWiki-Projekte-FinCo, XWiki.XWiki-Technik, XWiki.XWiki-BCM, XWiki.XWiki-BW-LVS, XWiki.XWiki-DWH, XWiki.XWiki-BW, XWiki.XWiki-Finance_Controlling, XWiki.XWiki-BAZ, XWiki.XWiki-ZBSMBT, XWiki.XWiki-Lehrlingsausbilder]

It’s just ignored - no error that the user isn’t in this group.

And second, I’d like to limit the groups we’ve got, because all of them were created automatically which I didn’t like. So I’ve set:

oidc.groups.prefix=XWiki

but now, I’ll get this error:

javax.servlet.ServletException: Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:161)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
	org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)

Root Cause

org.xwiki.resource.ResourceReferenceHandlerException: Failed to handle http servlet request
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
	org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
	org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
	org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)

Root Cause

java.lang.NullPointerException: Cannot invoke "java.util.List.stream()" because "providerGroups" is null
	org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.checkAllowedGroups(OIDCUserManager.java:228)
	org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUser(OIDCUserManager.java:299)
	org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUserInfo(OIDCUserManager.java:213)
	org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUserInfo(OIDCUserManager.java:181)
	org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:248)
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
	org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
	org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
	org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
	org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)

in catalina.out, i see the sucessfule OIDC user info response, and after this, this error shows (on favicon.ico??)

[2024-04-11 13:14:01] [info] 2024-04-11 13:14:01,698 [https-openssl-apr-8443-exec-8 - https://xwiki-dev.xxxxxx.com:8443/favicon.ico] ERROR .o.i.DefaultObservationManager - Failed to send event [class org.xwiki.bridge.event.ActionExecutedEvent (view)] to listener [com.xpn.xwiki.stats.impl.XWikiStatsServiceImpl@6282f455]
[2024-04-11 13:14:01] [info] java.lang.IllegalStateException: Cannot create a session after the response has been committed
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.connector.Request.doGetSession(Request.java:3060)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.connector.Request.getSession(Request.java:2492)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
[2024-04-11 13:14:01] [info] #011at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:585)
[2024-04-11 13:14:01] [info] #011at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:244)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:585)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:529)
[2024-04-11 13:14:01] [info] #011at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:253)
[2024-04-11 13:14:01] [info] #011at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:253)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.stats.impl.StatsUtil.getRecentActionFromSessions(StatsUtil.java:281)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.stats.impl.XWikiStatsServiceImpl.onEvent(XWikiStatsServiceImpl.java:160)
[2024-04-11 13:14:01] [info] #011at org.xwiki.observation.internal.DefaultObservationManager.notify(DefaultObservationManager.java:338)
[2024-04-11 13:14:01] [info] #011at org.xwiki.observation.internal.DefaultObservationManager.notify(DefaultObservationManager.java:303)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:747)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
[2024-04-11 13:14:01] [info] #011at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[2024-04-11 13:14:01] [info] #011at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:711)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:385)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.XWikiAction.redirectSpaceURLs(XWikiAction.java:1171)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:509)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339)
[2024-04-11 13:14:01] [info] #011at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:108)
[2024-04-11 13:14:01] [info] #011at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[2024-04-11 13:14:01] [info] #011at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:117)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:711)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:385)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:313)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:403)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:249)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
[2024-04-11 13:14:01] [info] #011at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359)
[2024-04-11 13:14:01] [info] #011at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
[2024-04-11 13:14:01] [info] #011at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
[2024-04-11 13:14:01] [info] #011at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
[2024-04-11 13:14:01] [info] #011at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2128)
[2024-04-11 13:14:01] [info] #011at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[2024-04-11 13:14:01] [info] #011at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
[2024-04-11 13:14:01] [info] #011at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
[2024-04-11 13:14:01] [info] #011at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[2024-04-11 13:14:01] [info] #011at java.base/java.lang.Thread.run(Thread.java:840)

Can you please help here, what I’m doing wrong? If you need more information, please let me know.

Thanks,
Gerd

3 posts - 2 participants

Read full topic