OpenID Connect authentication with XWiki fails if accessed via a virtual domain (reverse proxy setup)

My problem: Authentication to XWiki using OpenID Connect is successful if XWiki is accessed through the Univention Corporate Server (virtual) domain. Authentication to XWiki using OpenID Connect fails if XWiki is accessed through a dedicated virtual domain.

We are using UCS for user management and to provide key applications in our maker space. The UCS is installed in our intranet and not accessible from the internet (local IP address). The intranet domain is univention.lab.starship-factory.ch. In order to make the UCS front-end and some applications (NextCloud, XWiki) available to the Internet we are using an Nginx reverse proxy sitting on the OPNSense firewall.

The public virtual domain for the UCS is univention.starship-factory.ch. The reverse proxy setup for the web front-end is working fine.

XWiki can be accessed through the public UCS virtual domain: https://univention.starship-factory.ch/xwiki/. In this case authentication works as expected.

XWiki can alternatively be accessed through a dedicated virtual domain: https://wiki2.starship-factory.ch/xwiki/. In this case authentication fails with the following error message:

HTTP Status 500 – Internal Server Error
Type Exception Report

Message Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]

Beschreibung The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

javax.servlet.ServletException: Failed to handle Resource Reference [path = authenticator/callback, endpoint = authenticator, pathSegments = [callback]]
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:161)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
Root Cause

org.xwiki.resource.ResourceReferenceHandlerException: Failed to handle http servlet request
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
	org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
	org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
Root Cause

org.xwiki.contrib.oidc.provider.internal.OIDCException: Unexpected error [access_denied] : invalid redirect_uri: https://wiki2.starship-factory.ch/xwiki/oidc/authenticator/callback
	org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:131)
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:134)
	org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:108)
	org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
	org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:159)
	org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:87)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
	org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
	org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:145)
Hinweis Der komplette Stacktrace der Ursache ist in den Server logs zu finden

Apache Tomcat/9.0.63

This is my OpenID configuration in the configuration file xwiki.properties:

oidc.endpoint.authorization=https://ucs-sso.lab.starship-factory.ch/signin/v1/identifier/_/authorize
oidc.endpoint.token=https://ucs-sso.lab.starship-factory.ch/konnect/v1/token
oidc.endpoint.userinfo=https://ucs-sso.lab.starship-factory.ch/konnect/v1/userinfo
oidc.endpoint.logout=https://ucs-sso.lab.starship-factory.ch/signin/v1/identifier/_/endsession
oidc.scope=openid,profile,email
oidc.idtokenclaims=id_token
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}
oidc.userinfoclaims=
oidc.clientid=xwiki
oidc.secret=<secret>

Unfortunately, I am clueless about what might be causing the issue since OpenID Connect is pretty much black magic to me. I am only using it because it seemed simpler to set up compared to the LDAP add-on. Maybe this was a wrong assumption.

Does anyone have a hint for me about what the problem might be?

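The following is an added illustration, not code from the post, from XWiki or from Univention/Konnect, of why a reverse-proxied client produces the "invalid redirect_uri" rejection seen in the stack trace above. An OpenID Connect client builds its redirect_uri from the host it was reached on, and the provider must compare that value by exact string match against the URIs registered for the client (OpenID Connect Core 1.0 section 3.1.2.1, RFC 6749 section 3.1.2.3). The registered list below is a constructed assumption: the post does not show the client registration, only that the wiki2 callback is rejected while the univention one is accepted.

```python
# Added example: how a client behind a reverse proxy derives redirect_uri, and
# why a provider that performs exact matching rejects an unregistered host.
# Not part of the original forum post.

# Callback path taken from the error message on this page.
CALLBACK_PATH = "/xwiki/oidc/authenticator/callback"

# Constructed assumption: the provider's registration for client "xwiki" lists
# only the callback under the public UCS domain.
REGISTERED_REDIRECT_URIS = {
    "https://univention.starship-factory.ch/xwiki/oidc/authenticator/callback",
}


def callback_uri_from_request(headers, scheme_default="http", host_default="localhost"):
    """Build the redirect_uri a client would advertise for an incoming request.

    Proxy headers (X-Forwarded-Proto / X-Forwarded-Host) take precedence over
    the plain Host header, mirroring what a servlet container does when it is
    configured to honour them. Header names are matched case-insensitively and
    only the first value of a comma-separated list (multiple proxies) is used.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", scheme_default).split(",")[0].strip()
    host = h.get("x-forwarded-host", h.get("host", host_default)).split(",")[0].strip()
    return f"{scheme}://{host}{CALLBACK_PATH}"


def redirect_uri_is_registered(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact (simple string) comparison, as the OIDC/OAuth specs require.

    No prefix, wildcard or case folding: a different host, scheme, port or
    trailing slash is a different redirect_uri and must be rejected.
    """
    return redirect_uri in registered


def check_request(headers):
    """Return (redirect_uri, accepted) for a request arriving with these headers."""
    uri = callback_uri_from_request(headers)
    return uri, redirect_uri_is_registered(uri)


if __name__ == "__main__":
    # Constructed header sets for the two access paths described in the post.
    via_ucs_domain = {"Host": "univention.starship-factory.ch", "X-Forwarded-Proto": "https"}
    via_wiki2_domain = {"Host": "wiki2.starship-factory.ch", "X-Forwarded-Proto": "https"}
    for hdrs in (via_ucs_domain, via_wiki2_domain):
        uri, ok = check_request(hdrs)
        print(f"{uri} -> {'accepted' if ok else 'invalid redirect_uri'}")
```

The practical check this suggests is on two sides: confirm which Host/X-Forwarded-Host the proxy passes through for each public name (the client uses it verbatim to build the callback), and confirm that every public callback URL the client can legitimately produce is listed, character for character, in the provider's client registration. Relaxing the provider's matching instead of registering the exact URIs is the wrong direction, since exact matching is what stops an authorization code from being delivered to an attacker-controlled host.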