YoitoFes/dokuwiki-plugin-oauthkeycloak

Duplicate this plugin for OIDC and AzureAD

Opened this issue · 9 comments

Hi,

Could you duplicate two different copies of this plugin for OIDC and AzureAD please?

They both use OIDC.

More info here: cosmocode/dokuwiki-plugin-oauth#108 (comment)

Thank you,

Since I have no Azure AD license, I cannot test and maintain the oauth service plugin for Azure AD.

I created an azure branch that was modified for Azure AD in the repository (not tested).

You can duplicate the plugin for Azure AD by following these steps.

  1. Create the repository for the oauth service plugin for Azure AD.
  2. Copy the azure branch and test it.
  3. Fix errors, if any.
  4. Add the plugin page http://www.dokuwiki.org/plugin:oauthazuread.
    • Please refer to an existing oauth service plugin page for how to write it.
  5. Now Dokuwiki users can download the plugin from Extension Manager.

Thank you.

Just FYI: As for Azure AD, the Free version should be sufficient. You can just create a tenant, it'll give you a MyName.OnMicrosoft.com domain associated with it.

https://www.microsoft.com/en-gb/security/business/identity-access-management/azure-ad-pricing

To get this working for Azure we additionally needed to uncomment line 243 of https://github.com/cosmocode/dokuwiki-plugin-oauth/blob/38526e6645ff89339b5dc8d790c4354a1d52ec69/Adapter.php as there appears to be no refresh-token.

The next and last missing additional step for our company is to have all unauthenticated users automatically redirect to the ?oauthlogin=keycloak version of the page, so the Azure login popup is automatically shown and you don't need to choose "Login via other services".

OIDC userinfo endpoint doesn't seem to return any data about the groups that the user is in. Is there an easy way to have the group data be included in response using this plugin?

EDIT:
Looks like I should be able to get the group information straight from graph API with the existing token using endpoint https://graph.microsoft.com/v1.0/me/memberof

Hey @Visiopaja ! I am trying to get the users/groups from my Azure AD but when I activate the "Overwrite all DokuWiki user groups by those supplied by provider" nothing really happens

Could you let me know how you managed to do it please?

@haneef95 I have integrated the Keycloak oauth method with Azure AD as you described and it works. However, there's one more quirk I can't figure out. I want to no longer see the official DokuWiki login page. If I have only 1 oauth method and I activate the "Login with single oAuth service only (disables local logins!)", I would like to be automatically redirected all the time to the login page of Azure AD. That means I wouldn't have to go click the "Login with Azure" button on the Dokuwiki login page every time I'm not logged in. Instead, I would like to be redirected to the Microsoft Azure AD login page to make the user experience cleaner.

Technically, in the code, this should be possible because this comment is placed in: /var/www/html/dokuwiki/lib/plugins/oauth/action/login.php

"When singleservice is wanted, do not show login, but execute login right away"

Do you or anyone else know why this doesn't work as intended?

I copied the plugin, renamed it and made some little changes (such that now you can map groups by id that should be fetched from azure). I haven't done this before so hopefully it works and is useful.

https://www.dokuwiki.org/plugin:oauthazure
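The Graph memberOf lookup mentioned earlier in the thread and the map-groups-by-id approach from the comment above, as an added Python example that is not code from the plugin or from anyone in this thread: it follows Graph's paginated response, drops the directory roles that memberOf also returns, and maps group object ids to DokuWiki group names. GROUP_MAP, the sample pages, graph_getter and fake_getter are assumptions; the ids are constructed placeholders.

```python
import json
import urllib.request
from typing import Callable

GRAPH_MEMBEROF = "https://graph.microsoft.com/v1.0/me/memberOf"

# Hypothetical mapping as the comment describes: Azure AD group object id ->
# DokuWiki group name. The ids are constructed placeholders, not real tenants.
GROUP_MAP = {
    "11111111-1111-1111-1111-111111111111": "admin",
    "33333333-3333-3333-3333-333333333333": "editor",
}

# Constructed two-page memberOf response in Graph's shape. memberOf also lists
# directory roles (and administrative units), which must not count as groups.
PAGE1 = {
    "@odata.nextLink": GRAPH_MEMBEROF + "?$skiptoken=page2",
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "11111111-1111-1111-1111-111111111111", "displayName": "Wiki Admins"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "22222222-2222-2222-2222-222222222222", "displayName": "Global Administrator"},
    ],
}
PAGE2 = {"value": [
    {"@odata.type": "#microsoft.graph.group",
     "id": "33333333-3333-3333-3333-333333333333", "displayName": "Wiki Editors"},
    {"@odata.type": "#microsoft.graph.group",
     "id": "44444444-4444-4444-4444-444444444444", "displayName": "Unmapped Team"},
]}

def graph_getter(access_token: str) -> Callable[[str], dict]:
    """Return a GET function that presents the OAuth access token as a Bearer header."""
    def get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return get

def fake_getter(url: str) -> dict:
    """Offline stand-in for graph_getter() that serves the constructed pages above."""
    return PAGE2 if "$skiptoken" in url else PAGE1

def fetch_member_of(get: Callable[[str], dict]) -> list:
    """Follow @odata.nextLink to the last page; a repeated link aborts the loop."""
    url, seen, objects = GRAPH_MEMBEROF, set(), []
    while url:
        if url in seen:
            raise RuntimeError("Graph pagination loop at " + url)
        seen.add(url)
        page = get(url)
        objects.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return objects

def dokuwiki_groups(get: Callable[[str], dict], group_map: dict) -> list:
    """Map by immutable group object id, never by displayName, which can be renamed."""
    ids = {o["id"] for o in fetch_member_of(get) if o.get("@odata.type") == "#microsoft.graph.group"}
    return sorted(group_map[i] for i in ids if i in group_map)
```

Swap `fake_getter` for `graph_getter(token)` with the access token the oauth plugin already holds to run it against a real tenant; unmapped groups are dropped rather than passed through.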

As agreed with @Visiopaja I have taken over the plugin name and released a CosmoCode developed azure plugin at https://www.dokuwiki.org/plugin:oauthazure

Thank you @splitbrain for your tremendous work on the Dokuwiki project and on this issue as well! I'm glad that now Microsoft users can also access a reliable and user friendly plugin for Oauth.

I'd like to also thank @YoitoFes for his work on the Keycloak plugin that provided me an opportunity to tinker with and have a working Microsoft authentication while this release was on its way.