04/04/2024
Matomo & OpenID: a sad story…
These days I’m playing a little bit with Authentik, quite a pretty piece of software if you need a flexible identity provider for your services and don’t want to pay a ton of money for Okta or some other humongous commercial IdP.
To be honest, the more time I spend on Authentik the more I think it’s probably the best option if you’re looking for an “open source” Okta.
Honestly I don’t need a service like this; I have basic experience with federation (mostly with the SAML2 protocol), but I never had to set up an IdP.
This time I tried to federate WordPress and Matomo with Authentik.
With WordPress it was fine. I had only one problem with the RedirectURI, which has a query string: the question mark needs an escape character, for example:
/wp-admin/admin-ajax.php\?action=openid-connect-authorize
With Matomo… well, it was a different story:
1. first of all I had to install the only plugin available (LoginOIDC)
2. as with WordPress, I had to escape the question mark of the query string in the RedirectURI
3. I had to create a rewrite rule so that I could use a static RedirectURI:
# Redirect the static /oidc/callback URI to the plugin's real callback; QSA keeps the code and state parameters appended by the IdP
RewriteRule ^/?oidc/callback$ /index.php?module=LoginOIDC&action=callback&provider=oidc [R=301,QSA]
4. I had to manually create the database table for the plugin to work, because the plugin installation procedure did not create it.
I used this SQL syntax on MariaDB 10:
CREATE TABLE piwik_loginoidc_provider (
    user            VARCHAR(100) NOT NULL,   -- Matomo login this identity is linked to
    provider_user   VARCHAR(255) NOT NULL,   -- subject identifier returned by the IdP
    provider        VARCHAR(255) NOT NULL,
    date_connected  TIMESTAMP    NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
    PRIMARY KEY (provider_user, provider),
    UNIQUE KEY user_provider (user, provider),
    FOREIGN KEY (user) REFERENCES piwik_user (login) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb3 COLLATE=utf8mb3_general_ci;
…and finally the OpenID federation plugin started to work.
A couple of considerations:
WordPress: how is it bloody possible that in 2024 the most used CMS, the platform that runs more than 70% of the web does not support out of the box at least one federation protocol?!?!?
This is absolutely crazy imho… stop working on the damn interface and fix this nonsense…
Matomo: c’mon guys… you claim to be a serious alternative to Google Analytics and you don’t support out of the box at least one federation protocol???? Seriously?!?!?
And the only plugin available was last updated almost 1 year ago, so we have two options:
1) it has no bugs, maybe it’s the best written piece of software ever made in human history
2) its development is basically abandoned
I would like it to be the first option, but if I had to bet some money I’d bet on the 2nd one…