Authentication Active Check Missing

shickey · October 21, 2019, 11:49am

I have managed to get the OpenID Connect working with Azure AD for authentication but when a new users hits the Wiki for the first time they are being prompted for a validation key sent by email. I would like to disable this and have them just access the Wiki as we have controls in Azure so only the intended people can access the Wiki.

It appears that I need to set “Authentication Active Check” to No from looking at other posts but this is missing from my instance, any ideas on how to resolve this?

surli · October 23, 2019, 9:45am

The option is described in https://extensions.xwiki.org/xwiki/bin/view/Extension/Administration%20Application#HOptionsyoucansetfromtheRegistrationsectionoftheAdministrationInterface

Could you tell us which version of XWiki you’re using?

shickey · October 23, 2019, 9:56am

Thank you, I can see from that link that it was removed in 11.6RC1 and we are running 11.8.1. How to I prevent new users from being created disabled? I also have Email Verification set to no.

surli · October 23, 2019, 10:05am

So we changed in 11.8RC1 release the properties related to this mechanism (see: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/11.8RC1/Change005/).
Basically you now have two properties to set on users:

active: to specify if the user is enabled/disabled
email_checked: to specify that the user email have been checked

So in your case, it’s the email_checked property which is certainly set to false and should not be.

Are you using a custom code for the authentication, or a community extension? It might be a bug to fix in some extension in the second case.

shickey · October 23, 2019, 10:08am

We are using the OpenID Connector for authentication (https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/) and the users get created OK when they first connect but they get told their account is disabled and need to enter the validation key. This won’t work as the email address does not get populated in the user account automatically so I need them to be enabled by default.

surli · October 23, 2019, 10:17am

I created an issue to work on it, I’ll keep you informed but it will most likely trigger a new release on OpenID Connect Authenticator: https://jira.xwiki.org/browse/OIDC-71

Now you’ll have to fix the email_checked property value for the users already created: easiest way is to edit the user profiles that are concerned with the Objects editor, to open the “XWiki.XWikiUser” object, to look for the “email_checked” property and to set it to true.

shickey · October 23, 2019, 10:26am

Thank you @surli. At the moment I am manually enabling the users from the Users admin page which then lets them in so I am OK running with this process until there is a fix available.

surli · October 24, 2019, 9:10am

So the bug is actually more a problem in the platform itself, than a problem in the extension: the fix will be part of XWiki 11.9 which should be released next monday.

shickey · October 24, 2019, 10:07am

Great, thank you for sorting this so quick.

martinmurciego · September 29, 2020, 11:58pm

how to?

martinmurciego · September 29, 2020, 11:59pm

how to? Explain the steps