Authentication broken #66

Open
CamiAndrei opened this issue Mar 11, 2025 · 12 comments
Labels
Priority : Blocker Type: Bug Something isn't working

Comments

@CamiAndrei

When upgrading from v1.9 to v2.0, the authentication breaks.
Configuration pages are deleted, not migrated to new authentication configuration.

It's a blocked issue for users with autoupgrade enabled.

Caused by 48: Replace identity-oauth use with OIDC

@CamiAndrei CamiAndrei added ToSchedule Type: Bug Something isn't working labels Mar 11, 2025
@CamiAndrei CamiAndrei assigned snazare and unassigned snazare Mar 11, 2025
@ChiuchiuSorin
Contributor

Could you provide more info regarding how the authentication breaks? What configuration is used and, more specifically, what does "authentication breaks" mean?

@CamiAndrei
Author

CamiAndrei commented Mar 11, 2025

XWiki login is displayed instead of the Azure login, and authentication is not possible anymore for the users that use this type of authentication.
During the upgrade from version 1.9 to version 2.0 (Autoupgrade will resolve this automatically):

Image

These pages appear as deleted after the upgrade:
Image

Administration display after upgrade

Image

This type of login doesn't work anymore; only XWiki login works.

@ChiuchiuSorin
Contributor

The new configuration page is Entra ID:

Image

Moreover, the authentication service needs to be modified to OpenID Connect Authenticator (see Selecting the right Authentication service).

@ChiuchiuSorin
Contributor

ChiuchiuSorin commented Mar 11, 2025

Also, the login options have been modified. Now, the login option directly redirects to the Microsoft login page and a new option was added in the drawer for XWiki login (see Login options). There are also some known limitations that you can find below in the documentation. Let me know if the documentation solves these issues!

@petrenkonikita112263

@ChiuchiuSorin shouldn't the Azure AD page be removed from Wiki Administration, because it's empty after installing Entra ID app v2.0 on a clean instance?

@ChiuchiuSorin
Contributor

The old configuration page was kept for compatibility purposes, as some of the old configuration is used to populate the new configuration page at update. It will be removed once more users update to the 2.x version.

@rsssssssssssss

Also have issues after upgrade: authentication service is set to "OpenID Connect Authenticator" but there are no new login options and users aren't redirected to Entra ID.

Image

Also all settings at "Entra ID" have been updated.

Image

When accessing the base URL we either get the guest auth prompt or the XWiki login.

@ChiuchiuSorin
Contributor

Hi! Could you please tell me what version of XWiki you are using?
Also, what do you mean by guest auth prompt?

@petrenkonikita112263

@rsssssssssssss

It might be helpful to double-check if everything has been set up according to the official documentation.

I'd suggest checking the set-up on your Microsoft side, especially this part:
Image

Please note that on GitHub you are welcome to join discussions and report issues. However, if you're having an issue with a purchased extension, your license includes a support contract for professional help from XWiki SAS.

@rsssssssssssss

We are running 16.10.5.

Double-checked the configuration from the official documentation but the issue is that it doesn't even try to redirect to Entra ID and we are missing login options. We only have "Log in with XWiki".

@petrenkonikita112263

@rsssssssssssss the login and registration buttons were moved from the drawer since XWiki 16.10+ (see details).

@petrenkonikita112263

petrenkonikita112263 commented Mar 24, 2025

I managed to fully reproduce the case. Below are the detailed steps, results, and resolution.
Note: The issue only occurs when upgrading from an older version to version 2.0.

Prerequisites:

  • Ensure you have a registered application on the Microsoft Entra ID side.

Steps performed by me:

  1. Used XWiki 16.10+ (in this case XWiki 16.10.5)
  2. As an Admin user, installed Microsoft Entra ID OpenID Connect (OIDC) v1.9
  3. Obtained trial license
  4. Performed a check for updates from "XWiki.ExtensionUpdater" and installed v2.0 (ensure you select all pages when prompted by the Extension Manager)
  5. Visited the EntraID section and passed the secret, client id and tenant id, saved changes
  6. Visited the Authentication section and selected OpenID Connect Auth, saved changes
  7. Logged out from XWiki
  8. Attempted to log in using the login button on the login page

Image

Instead of being redirected to the Microsoft login page, I returned to the XWiki login page.
Additionally, the following error appears in the logs:

Caused by: java.lang.IllegalArgumentException: The scope must include an "openid" value
        at com.nimbusds.openid.connect.sdk.AuthenticationRequest$Builder.<init>(AuthenticationRequest.java:411)
        at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.authenticate(OIDCAuthServiceImpl.java:249)
        at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.showLoginOIDC(OIDCAuthServiceImpl.java:166)
        at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuthOIDC(OIDCAuthServiceImpl.java:137)
        at org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl.checkAuth(OIDCAuthServiceImpl.java:92)
        ... 71 common frames omitted

If you revisit the Entra ID configuration section, you’ll notice that the scope field contains incorrect values brought in during the upgrade operation.

Image

You can confirm this by checking the page history for EntraID.Code.EntraOIDCClientConfiguration — the changes to the Scope field were introduced during the upgrade:

Image

Location in source file

<scope>openid User.Read User.ReadBasic.All</scope>

Once I removed all values from the scope and put only openid,profile,email,address, login is correctly redirected to the Microsoft login page.
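
The scope values quoted in the comment above can be checked before the first login attempt. The following is an added example, not part of the thread or of the extension's code; it assumes the scope field is read as a comma-separated list (the thread does not state the delimiter, only that the comma-separated value works), and `parse_scope` and `check_scope` are hypothetical helper names.

```python
# Added example: check an OIDC scope field for a usable "openid" token.
# ASSUMPTION: the field is read as a comma-separated list; the thread does
# not state the delimiter, only that "openid,profile,email,address" works.


def parse_scope(raw, delimiter=","):
    """Split the stored field into tokens, dropping surrounding whitespace."""
    return [t.strip() for t in raw.split(delimiter) if t.strip()]


def check_scope(raw):
    """Return (ok, tokens, findings) for one stored scope value."""
    tokens = parse_scope(raw)
    findings = []
    if "openid" not in tokens:
        # Matches the condition behind the logged IllegalArgumentException.
        findings.append('no standalone "openid" token')
    for tok in tokens:
        # Whitespace inside a token means several scopes were fused into one,
        # e.g. a space-separated value stored in a comma-separated field.
        if len(tok.split()) > 1:
            findings.append(f"token {tok!r} contains whitespace")
    return (not findings, tokens, findings)


# The two values quoted in the thread.
MIGRATED = "openid User.Read User.ReadBasic.All"
WORKING = "openid,profile,email,address"

if __name__ == "__main__":
    for value in (MIGRATED, WORKING):
        ok, tokens, findings = check_scope(value)
        print("OK  " if ok else "FAIL", tokens, findings)
```

Under that assumption the migrated value parses as one fused token, so the literal text `openid` is present in the field but never appears as a scope of its own.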
