Hi Herman,

Sorry for the late reply, I was on holiday.

Currently we use it in combination with Oak DefaultSyncHandler [1] and ExternalLoginModule [2]. You can find an example of the complete configuration for Sling in the IT Test [3].

The configuration of the different services is linked in this way:

OidcAuthenticationHandler.idp -> ExternalLoginModule.idp.name
ExternalLoginModule.sync.handlerName -> DefaultSyncHandler.handler.name
OidcAuthenticationHandler.defaultConnectionName -> OidcConnectionImpl.name

I hope this clarifies things a bit. I’m currently working to properly document it.

Regards
Nicola

[1] https://jackrabbit.apache.org/oak/docs/security/authentication/external/defaultusersync.html
[2] https://jackrabbit.apache.org/oak/docs/security/authentication/externalloginmodule.html
[3] https://github.com/apache/sling-org-apache-sling-auth-oauth-client/blob/b531aa11908c1fa8102ec62d7f0b4280d76051a0/src/test/java/org/apache/sling/auth/oauth_client/AuthorizationCodeFlowIT.java#L336-L455

From: Herman Ciechanowiec <her...@ciechanowiec.eu>
Date: Friday, 4 July 2025 at 10:21
To: dev@sling.apache.org <dev@sling.apache.org>
Subject: Apache Sling Authentication with OIDC
Dear Apache Sling Team,

The Apache Sling OAuth 2.0 client provides an `org.apache.sling.auth.core.spi.AuthenticationHandler` for OIDC support (`org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler`), which is intended to enable full Apache Sling authentication (https://github.com/apache/sling-org-apache-sling-auth-oauth-client/blob/c467b0ed44c48b46a9844970d25b6fb3012649e3/src/main/java/org/apache/sling/auth/oauth_client/impl/OidcAuthenticationHandler.java).

My understanding is that this type of authentication also requires a corresponding implementation of `javax.security.auth.spi.LoginModule`, which I have not been able to find in the current implementation. Is my understanding correct? If so, are there any plans to provide a `LoginModule` for this purpose? If not, could you please direct me to documentation or an example demonstrating how to configure the `OidcAuthenticationHandler` for a complete authentication setup?

Thank you for your guidance.

Kind regards,
Herman Ciechanowiec
her...@ciechanowiec.eu
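
The three configuration links listed in the reply, as an added example that is not part of the thread or of the Sling project's code: a check that every referring property resolves to exactly one target. Component names and property keys are taken from the reply; all values, the dictionary layout, and the treatment of each component as a list of configured instances are assumptions made for illustration.

```python
# Links as listed in the reply: (referring component, property, target component, property).
LINKS = [
    ("OidcAuthenticationHandler", "idp", "ExternalLoginModule", "idp.name"),
    ("ExternalLoginModule", "sync.handlerName", "DefaultSyncHandler", "handler.name"),
    ("OidcAuthenticationHandler", "defaultConnectionName", "OidcConnectionImpl", "name"),
]


def check_links(configs):
    """Return a sorted list of link problems; an empty list means every link resolves.

    configs maps a component name to a list of its configured instances,
    each instance being a {property: value} dict (layout is an assumption).
    """
    problems = []
    for src, src_prop, dst, dst_prop in LINKS:
        sources = configs.get(src, [])
        targets = [inst.get(dst_prop) for inst in configs.get(dst, [])]
        if not sources:
            problems.append(f"{src}: no configuration present")
        for inst in sources:
            value = inst.get(src_prop)
            matches = targets.count(value)
            if not value:
                problems.append(f"{src}.{src_prop} is not set")
            elif matches == 0:
                # Dangling reference: the login chain cannot find its counterpart.
                problems.append(f"{src}.{src_prop}={value!r} matches no {dst}.{dst_prop}")
            elif matches > 1:
                # Ambiguous reference: more than one candidate carries this name.
                problems.append(f"{src}.{src_prop}={value!r} matches {matches} {dst} instances")
    return sorted(set(problems))


# Constructed sample values, not taken from any real deployment.
GOOD = {
    "OidcAuthenticationHandler": [{"idp": "example-idp", "defaultConnectionName": "example-conn"}],
    "ExternalLoginModule": [{"idp.name": "example-idp", "sync.handlerName": "example-sync"}],
    "DefaultSyncHandler": [{"handler.name": "example-sync"}],
    "OidcConnectionImpl": [{"name": "example-conn"}],
}
# Same set, but the sync handler was left with a different name.
BAD = dict(GOOD, DefaultSyncHandler=[{"handler.name": "default"}])

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_links(cfg) or "all links resolve")
```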