Re: sling with sso - with oauth2 / openid connect
Hello Dmitry,

I would love to work with you on this functionality and to present it as part of an AdaptTo talk together with you. I believe sharing is beneficial in this situation. Let's talk more about both implementing and submitting an AdaptTo talk together.

My interest is both personal and professional. We are migrating parts of our services to Sling and Oak as content repository. Also Keycloak is one architectural component and we need to integrate them. We use Kubernetes as a deployment environment.

I'll send you my personal details via individual email. Let's make a call/chat regarding AdaptTo and then figure out the details on how to implement things.

Regards,
Eugen

On 30.03.2018 07:32, Dmitry Telegin wrote:
> Hi,
>
> I've been investigating the same topic for some time; glad to hear I'm not alone :)
>
> I'm myself an experienced Keycloak user and also a contributor; I'm working for a company that offers Keycloak services and consulting (however, my interest in integrating Sling with Keycloak is stipulated by my personal project).
>
> I was planning to do a detailed post describing what it's all about / how it works / what needs to be done on Sling/Oak/KC sides etc.; even though you did an excellent introductory post, I think it won't hurt if I complete and publish mine too.
> Before that, I'd like to draw attention to some details:
> - to make things simpler, we can start with the so-called bearer-only mode, which is topical for HTML5/JS applications. In this mode, it's the HTML5 app's responsibility to obtain a token (via redirect / iframe / direct grant etc.), so no redirect is required on the server side (however, REST services still need to validate the JWT token passed via the "Authorization: bearer XXX" header);
> - as you've already mentioned, sooner or later we will have to tackle the problem of user synchronization between Oak and KC. I think we should avoid any KC-specific code here. One of the options would be to implement SCIM [1] support for Keycloak (see also a JIRA issue [2]). From what I've learned so far, that shouldn't be too hard, provided there are libraries like the SCIM SDK [3] from PingIdentity. This will also open an opportunity to use Sling in the same manner with other SCIM+OIDC compliant IDM solutions like WSO2.
>
> By the way, are you interested in doing an adaptTo() 2018 talk on this? In case you were planning to do that yourself, would you mind me joining you (I'm an experienced speaker)? Otherwise, would you mind joining me? :) I know that the call for papers deadline is close, but I think we could give it a try. Question to the community: assuming that we'll have working code by August/September, do you guys think this could be a good topic for an adaptTo() talk?
>
> Let me know what you think!
>
> Cheers,
> Dmitry
>
> [1] https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
> [2] https://issues.jboss.org/browse/KEYCLOAK-2537
> [3] https://github.com/pingidentity/scim
>
>> Hello,
>>
>> I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.
>>
>> A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.
>>
>> How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:
>>
>> - User accesses protected Sling resources
>> - Sling checks if the user is authenticated by reading a cookie (or maybe a token)
>> - If the user is not authenticated, they are redirected to the Keycloak server
>> - Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
>> - Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
>> - Sling can use those tokens to determine access rights (reading from the token in case of JWT or calling the Keycloak API)
>>
>> Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak or in both?
>>
>> Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMS have support for these features). I will wait for some answers here and based on that continue
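The bearer-only mode Dmitry describes above (the REST side validates the JWT from the Authorization header and never redirects), written out as a Sling AuthenticationHandler. This is an added example, not code from the thread, from Sling or from Keycloak. Assumptions: a realm issuer URL; a client id `sling-api` that this API expects in the token's `aud` claim; the `javax.json` API for JSON; and an Oak LoginModule that accepts the hypothetical `BearerCredentials` marker handed over via Sling's `AuthenticationInfo.CREDENTIALS` key (the pre-authentication mechanism linked as [3] in the original post). The verifier pins RS256, fetches the realm's keys from Keycloak's JWKS endpoint and checks signature, issuer, audience and expiry before any claim is trusted.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.math.BigInteger;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.Credentials;
import javax.json.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/** Bearer-only handler: the client presents a Keycloak access token, Sling verifies it and never redirects. */
public class BearerOnlyHandler implements AuthenticationHandler {
    // Assumed values: realm "sling" on a Keycloak host; "sling-api" is the client id this API expects in aud
    // (Keycloak only puts it there when the client has an audience mapper or is the token's own client).
    static final String ISSUER = "https://keycloak.example.org/auth/realms/sling";
    static final String AUDIENCE = "sling-api";
    private final Map<String, RSAPublicKey> keysByKid = new ConcurrentHashMap<>();

    /** Hypothetical marker credentials; an Oak LoginModule that accepts them is assumed to be configured. */
    public static final class BearerCredentials implements Credentials {
        public final JsonObject claims;
        BearerCredentials(JsonObject claims) { this.claims = claims; }
    }

    @Override public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) return null; // no token: anonymous
        try {
            JsonObject claims = verify(auth.substring(7).trim());
            AuthenticationInfo info = new AuthenticationInfo("Bearer",
                    claims.getString("preferred_username", claims.getString("sub")));
            info.put(AuthenticationInfo.CREDENTIALS, new BearerCredentials(claims));
            return info;
        } catch (GeneralSecurityException | IOException | RuntimeException e) {
            return AuthenticationInfo.FAIL_AUTH; // a malformed or forged token is a hard failure, not a fallback to anonymous
        }
    }

    @Override public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Bearer realm=\"sling\""); // bearer-only: the HTML5 client obtains the token itself
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return true;
    }

    @Override public void dropCredentials(HttpServletRequest req, HttpServletResponse res) { } // nothing is held server-side

    /** RS256 signature, issuer, audience and expiry checks; returns the claims only if all of them pass. */
    JsonObject verify(String jwt) throws GeneralSecurityException, IOException {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new GeneralSecurityException("not a compact JWS");
        JsonObject header = json(parts[0]);
        // Pin the algorithm instead of trusting the header: "alg":"none" and RSA-to-HMAC key confusion
        // both rely on a verifier that does whatever the token says.
        if (!"RS256".equals(header.getString("alg", null))) throw new GeneralSecurityException("unexpected alg");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(keyFor(header.getString("kid", null)));
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(Base64.getUrlDecoder().decode(parts[2]))) throw new GeneralSecurityException("bad signature");
        JsonObject claims = json(parts[1]);
        if (!ISSUER.equals(claims.getString("iss", null))) throw new GeneralSecurityException("wrong issuer");
        if (!hasAudience(claims)) throw new GeneralSecurityException("token not issued for this API");
        if (!claims.containsKey("exp") || claims.getJsonNumber("exp").longValue() <= System.currentTimeMillis() / 1000)
            throw new GeneralSecurityException("expired");
        return claims;
    }

    /** aud is a string for one audience and an array for several; both forms have to be accepted. */
    static boolean hasAudience(JsonObject claims) {
        JsonValue aud = claims.get("aud");
        if (aud instanceof JsonString) return AUDIENCE.equals(((JsonString) aud).getString());
        if (aud instanceof JsonArray)
            return ((JsonArray) aud).getValuesAs(JsonString.class).stream().anyMatch(s -> AUDIENCE.equals(s.getString()));
        return false;
    }

    /** Keycloak publishes the realm's signing keys as a JWK Set at <issuer>/protocol/openid-connect/certs. */
    RSAPublicKey keyFor(String kid) throws GeneralSecurityException, IOException {
        if (kid == null) throw new GeneralSecurityException("missing kid");
        RSAPublicKey key = keysByKid.get(kid);
        if (key == null) { // unknown kid: refresh once (rate-limit this in production, or bogus kids hammer Keycloak)
            try (InputStream in = new URL(ISSUER + "/protocol/openid-connect/certs").openStream()) {
                for (JsonObject jwk : Json.createReader(in).readObject().getJsonArray("keys").getValuesAs(JsonObject.class)) {
                    if (!"RSA".equals(jwk.getString("kty", null)) || !jwk.containsKey("kid")) continue;
                    BigInteger n = new BigInteger(1, Base64.getUrlDecoder().decode(jwk.getString("n")));
                    BigInteger e = new BigInteger(1, Base64.getUrlDecoder().decode(jwk.getString("e")));
                    keysByKid.put(jwk.getString("kid"),
                            (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e)));
                }
            }
            key = keysByKid.get(kid);
        }
        if (key == null) throw new GeneralSecurityException("no key with kid " + kid);
        return key;
    }

    static JsonObject json(String base64url) {
        String text = new String(Base64.getUrlDecoder().decode(base64url), StandardCharsets.UTF_8);
        return Json.createReader(new StringReader(text)).readObject();
    }
}
```

Two design points worth keeping in mind: the handler fails closed, so a token whose `aud` does not name this API is rejected even if it is otherwise valid (add an audience mapper on the Keycloak client rather than loosening the check), and the cache refresh on an unknown `kid` is what lets Keycloak rotate keys without a restart, which is also why it needs a rate limit.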
Re: sling with sso - with oauth2 / openid connect
Hi,

Thank you all for the feedback so far. I think that in the first iteration I will go with a single user approach. Later I will look into synchronizing users and groups if necessary. I believe/hope I can avoid that by leveraging authorization information in the identity token (JWT) or the Keycloak API. That way I think I will be able to authorize requests based on user attributes and context (web path / repository path, etc).

It's time for a POC! I will keep you posted.

Thanks,

On 14.02.2018 16:55, Chris Millar wrote:
> You may want to also check out Apache Oltu [0][1] which I believe Antonio Sanso (asanso) had a hand in building.
>
> [0] https://github.com/apache/oltu
> [1] https://oltu.apache.org/
>
>> On Feb 14, 2018, at 6:12 AM, Robert Munteanu wrote:
>>
>> Hi Eugen,
>>
>>> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>>> Hello,
>>>
>>> I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.
>>>
>>> A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.
>>
>> It definitely is possible. We had some old code which implemented openid authentication [1], but it's now retired. You should be able to infer how to do this, but feel free to ask.
>>
>>> How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:
>>>
>>> - User accesses protected Sling resources
>>> - Sling checks if the user is authenticated by reading a cookie (or maybe a token)
>>> - If the user is not authenticated, they are redirected to the Keycloak server
>>> - Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
>>> - Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
>>> - Sling can use those tokens to determine access rights (reading from the token in case of JWT or calling the Keycloak API)
>>>
>>> Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak or in both?
>>
>> I have tried neither so far :-) but my understanding is that Oak-level authentication should be done when you need to reuse the user/group information transparently - e.g. LDAP auth. If you need a SSO scenario you should work at the Sling level, as this is too high in the stack for Oak.
>>
>> Hope this gives you a little something to start with.
>>
>> Robert
>>
>>> Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMS have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.
>>>
>>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
>>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>>> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
>>> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
>>> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
Re: sling with sso - with oauth2 / openid connect
You may want to also check out Apache Oltu [0][1] which I believe Antonio Sanso (asanso) had a hand in building.

[0] https://github.com/apache/oltu
[1] https://oltu.apache.org/

> On Feb 14, 2018, at 6:12 AM, Robert Munteanu wrote:
>
> Hi Eugen,
>
>> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>> Hello,
>>
>> I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.
>>
>> A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.
>
> It definitely is possible. We had some old code which implemented openid authentication [1], but it's now retired. You should be able to infer how to do this, but feel free to ask.
>
>> How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:
>>
>> - User accesses protected Sling resources
>> - Sling checks if the user is authenticated by reading a cookie (or maybe a token)
>> - If the user is not authenticated, they are redirected to the Keycloak server
>> - Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
>> - Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
>> - Sling can use those tokens to determine access rights (reading from the token in case of JWT or calling the Keycloak API)
>>
>> Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak or in both?
>
> I have tried neither so far :-) but my understanding is that Oak-level authentication should be done when you need to reuse the user/group information transparently - e.g. LDAP auth. If you need a SSO scenario you should work at the Sling level, as this is too high in the stack for Oak.
>
> Hope this gives you a little something to start with.
>
> Robert
>
>> Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMS have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.
>>
>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
>> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
>> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
Re: sling with sso - with oauth2 / openid connect
Hi Eugen,

On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
> Hello,
>
> I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.
>
> A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.

It definitely is possible. We had some old code which implemented openid authentication [1], but it's now retired. You should be able to infer how to do this, but feel free to ask.

> How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:
>
> - User accesses protected Sling resources
> - Sling checks if the user is authenticated by reading a cookie (or maybe a token)
> - If the user is not authenticated, they are redirected to the Keycloak server
> - Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
> - Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
> - Sling can use those tokens to determine access rights (reading from the token in case of JWT or calling the Keycloak API)
>
> Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak or in both?

I have tried neither so far :-) but my understanding is that Oak-level authentication should be done when you need to reuse the user/group information transparently - e.g. LDAP auth. If you need a SSO scenario you should work at the Sling level, as this is too high in the stack for Oak.

Hope this gives you a little something to start with.

Robert

> Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMS have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.
>
> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
RE: sling with sso - with oauth2 / openid connect
Here are some authentication implementations and their source code: https://github.com/apache?utf8=%E2%9C%93&q=sling+auth

It's been a while since I touched this, so I hope I'm not too off base here.

There are two parts to an access control system, authentication and authorization. It should be straightforward to tie in an external authentication mechanism; what might be confusing is that once you have an authenticated user you need to associate a user that is defined in Sling with that authenticated person, because it's that user that's defined in Sling that provides the authorization for the content.

There's a couple of ways of handling the users within Sling. If you had broad categories of access, say that you need them authenticated but once authenticated they don't have separate access rights:

1. You'd create a generic user and assign access controls to that user.
2. Once authenticated, you could then provide the credentials for that generic user you had created.

If you wanted more fine-grained control, let's say a different user for each authenticated person, you would need to create or import that person into Sling, at which point, on authentication, you can associate the specific Sling user that matches their ID. Conceivably you could even, on authentication, create the user if that user is not there and then add that user to defined groups which have the ACLs defined. The last time I did that though, which was 6-7 years ago, it was a bit labor intensive.

Here's a bundle that provides a way to manage users in Sling: https://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html#create-user

-Jason

-----Original Message-----
From: Ioan Eugen Stan [mailto:ieu...@netdava.com]
Sent: Tuesday, February 13, 2018 12:46 PM
To: users@sling.apache.org
Subject: sling with sso - with oauth2 / openid connect

Hello,

I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.

A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.

How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:

- User accesses protected Sling resources
- Sling checks if the user is authenticated by reading a cookie (or maybe a token)
- If the user is not authenticated, they are redirected to the Keycloak server
- Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
- Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
- Sling can use those tokens to determine access rights (reading from the token in case of JWT or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak or in both?

Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMS have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.

[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
[2] http://www.keycloak.org/docs/latest/securing_apps/index.html
[3] http://jackrabbit.apache.org/oak/docs/security/authentication/preau thentication.html
[4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
[5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
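Both of Jason's options, and the single-user-first plan Eugen settles on in his later reply, in code. This is an added example, not code from the thread, from Sling or from the Jackrabbit user manager bundle Jason links. Option 1 maps every authenticated subject to one pre-created generic user; option 2 creates a repository user per subject on first login and keeps its group memberships in step with the roles the identity provider asserts. It uses the Jackrabbit `UserManager` API obtained from a `JackrabbitSession`; the `kc-` group prefix, the `kc_` user-id prefix, the generic user name `sso-user` and the `realm_access.roles` layout (where Keycloak places realm roles in its tokens) are assumptions of the example.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonString;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Maps an externally authenticated subject to the repository user whose groups carry the ACLs. */
public final class ExternalUserMapping {
    // Only groups with this prefix are owned by the sync, so a sync can never strip a locally granted
    // membership such as "administrators". Both prefixes are assumptions of this example.
    static final String MANAGED_GROUP_PREFIX = "kc-";
    static final String USER_PREFIX = "kc_";

    /** Option 1: everyone who authenticated acts as one pre-created generic user with fixed ACLs. */
    public static String genericUserId(boolean authenticated) {
        return authenticated ? "sso-user" : "anonymous";
    }

    /** Realm roles as Keycloak puts them into its tokens: {"realm_access":{"roles":["editor", ...]}}. */
    public static Set<String> realmRoles(JsonObject claims) {
        Set<String> roles = new TreeSet<>();
        JsonObject access = claims.getJsonObject("realm_access");
        JsonArray list = access == null ? null : access.getJsonArray("roles");
        if (list != null) for (JsonString r : list.getValuesAs(JsonString.class)) roles.add(r.getString());
        return roles;
    }

    /** Option 2: one repository user per subject, created on first login and kept in exactly the managed
     *  groups the identity provider asserts. Keyed on the stable "sub" claim, not on a username that an
     *  administrator can reassign. Returns the authorizable id to log the request in as. */
    public static String syncUser(JackrabbitSession admin, String subject, Collection<String> roles)
            throws RepositoryException {
        UserManager um = admin.getUserManager();
        String userId = USER_PREFIX + subject.replaceAll("[^A-Za-z0-9._-]", "_");
        Authorizable existing = um.getAuthorizable(userId);
        User user;
        if (existing == null) {
            user = um.createUser(userId, null); // no password: this account is reachable only through SSO
        } else if (existing.isGroup()) {
            throw new RepositoryException("authorizable id collides with a group: " + userId);
        } else {
            user = (User) existing;
        }
        Set<String> wanted = new HashSet<>();
        for (String role : roles) wanted.add(MANAGED_GROUP_PREFIX + role);
        // Drop managed memberships the identity provider no longer asserts; leave unmanaged ones alone.
        for (Iterator<Group> it = user.declaredMemberOf(); it.hasNext();) {
            Group g = it.next();
            if (g.getID().startsWith(MANAGED_GROUP_PREFIX) && !wanted.remove(g.getID())) g.removeMember(user);
        }
        // Add what is left. An unknown group is skipped, not created: a role granted in Keycloak only takes
        // effect once an administrator has created the group and its ACLs in Oak.
        for (String groupId : wanted) {
            Authorizable g = um.getAuthorizable(groupId);
            if (g != null && g.isGroup()) ((Group) g).addMember(user);
        }
        admin.save();
        return user.getID();
    }
}
```

`syncUser` needs a session that may create users and edit memberships, which in Sling means a dedicated service user (via the service user mapping), never the session of the request being authenticated; the caller owns that session and its `logout()`. Doing the sync in the authentication handler makes every login a potential repository write, so a handler that calls it should skip the call when the role set has not changed since the last login.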
sling with sso - with oauth2 / openid connect
Hello,

I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.

A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.

How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:

- User accesses protected Sling resources
- Sling checks if the user is authenticated by reading a cookie (or maybe a token)
- If the user is not authenticated, they are redirected to the Keycloak server
- Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
- Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
- Sling can use those tokens to determine access rights (reading from the token in case of JWT or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak or in both?

Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMS have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.

[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
[2] http://www.keycloak.org/docs/latest/securing_apps/index.html
[3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
[4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
[5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
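The six-step flow listed above, worked out as a Sling `AuthenticationHandler` for the authorization code grant. This is an added example, not code from the thread, from Sling or from Keycloak. Assumptions: a Keycloak realm issuer URL; a confidential client `sling-app` with a fixed, registered redirect URI; the `javax.json` API for JSON; the servlet container's `HttpSession` for the state that must live server-side; and an Oak LoginModule that accepts the hypothetical `OidcCredentials` marker, which Sling's own `AuthenticationInfo.CREDENTIALS` key carries to the repository login (the pre-authentication mechanism linked as [3]). The ID token's signature is not checked here because it arrives directly from the token endpoint over TLS with client authentication (OIDC Core 3.1.3.7 permits this); issuer, audience, expiry and nonce are checked, and `state` is compared in constant time.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.jcr.Credentials;
import javax.json.Json;
import javax.json.JsonObject;
import javax.servlet.http.*;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/** Authorization-code login against Keycloak as a Sling AuthenticationHandler; register it with path=/ and authtype=OIDC. */
public class OidcCodeFlowHandler implements AuthenticationHandler {
    // Assumed deployment values: realm "sling" on a Keycloak host, confidential client "sling-app", and a fixed,
    // registered redirect URI (never build it from the Host header of the incoming request).
    static final String ISSUER = "https://keycloak.example.org/auth/realms/sling";
    static final String CLIENT_ID = "sling-app";
    static final String CLIENT_SECRET = System.getenv("OIDC_CLIENT_SECRET");
    static final String CALLBACK_PATH = "/oidc/callback";
    static final String REDIRECT_URI = "https://sling.example.org" + CALLBACK_PATH;
    static final String STATE_ATTR = "oidc.state", CLAIMS_ATTR = "oidc.claims";
    private final SecureRandom random = new SecureRandom();

    /** Hypothetical marker credentials; an Oak LoginModule that accepts them is assumed to be configured. */
    public static final class OidcCredentials implements Credentials {
        public final JsonObject claims;
        OidcCredentials(JsonObject claims) { this.claims = claims; }
    }

    @Override public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        if (req.getRequestURI().endsWith(CALLBACK_PATH) && req.getParameter("code") != null) return handleCallback(req, res);
        HttpSession s = req.getSession(false);
        JsonObject claims = s == null ? null : (JsonObject) s.getAttribute(CLAIMS_ATTR);
        // Nothing valid in the container session: stay anonymous; Sling calls requestCredentials() when login is needed.
        return claims != null && validClaims(claims, null) ? toInfo(claims) : null;
    }

    private AuthenticationInfo handleCallback(HttpServletRequest req, HttpServletResponse res) {
        // state ties the callback to the browser that started the flow (CSRF on the redirect URI) and nonce ties
        // the ID token to this login attempt; both were minted in requestCredentials(). Compare in constant time.
        HttpSession s = req.getSession(false);
        String[] stateNonce = s == null ? null : (String[]) s.getAttribute(STATE_ATTR);
        String state = req.getParameter("state");
        if (stateNonce == null || state == null || !MessageDigest.isEqual(
                stateNonce[0].getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8))) {
            return AuthenticationInfo.FAIL_AUTH;
        }
        s.removeAttribute(STATE_ATTR); // single use
        try {
            JsonObject tokens = postForm(ISSUER + "/protocol/openid-connect/token",
                    "grant_type=authorization_code&code=" + enc(req.getParameter("code"))
                    + "&redirect_uri=" + enc(REDIRECT_URI) + "&client_id=" + enc(CLIENT_ID)
                    + "&client_secret=" + enc(CLIENT_SECRET));
            // The ID token came straight from the token endpoint over TLS with client authentication, so the
            // iss/aud/exp/nonce checks suffice here (OIDC Core 3.1.3.7); a token handed in by a browser or an
            // API client would additionally need its signature verified.
            String[] parts = tokens.getString("id_token").split("\\.");
            JsonObject claims = Json.createReader(new StringReader(
                    new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8))).readObject();
            if (!validClaims(claims, stateNonce[1])) return AuthenticationInfo.FAIL_AUTH;
            req.changeSessionId(); // the session turns authenticated: fresh id, so a fixated one is worthless
            s.setAttribute(CLAIMS_ATTR, claims);
            return toInfo(claims);
        } catch (IOException | RuntimeException e) {
            return AuthenticationInfo.FAIL_AUTH;
        }
    }

    @Override public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String state = randomToken(), nonce = randomToken();
        req.getSession(true).setAttribute(STATE_ATTR, new String[] {state, nonce});
        res.sendRedirect(ISSUER + "/protocol/openid-connect/auth?response_type=code&scope=openid"
                + "&client_id=" + enc(CLIENT_ID) + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&state=" + enc(state) + "&nonce=" + enc(nonce));
        return true;
    }

    @Override public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }

    private static boolean validClaims(JsonObject c, String nonce) {
        return ISSUER.equals(c.getString("iss", null))
                && CLIENT_ID.equals(c.getString("aud", null)) // Keycloak ID tokens carry a single string aud
                && c.containsKey("exp") && c.getJsonNumber("exp").longValue() > System.currentTimeMillis() / 1000
                && (nonce == null || nonce.equals(c.getString("nonce", null)));
    }

    private static AuthenticationInfo toInfo(JsonObject claims) {
        AuthenticationInfo info = new AuthenticationInfo("OIDC", claims.getString("preferred_username", claims.getString("sub")));
        // Sling knows no password for this user, so replace the default SimpleCredentials used for the Oak login.
        info.put(AuthenticationInfo.CREDENTIALS, new OidcCredentials(claims));
        return info;
    }

    static JsonObject postForm(String url, String body) throws IOException {
        HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
        con.setRequestMethod("POST");
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = con.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
        if (con.getResponseCode() != 200) throw new IOException("token endpoint: HTTP " + con.getResponseCode());
        try (InputStream in = con.getInputStream()) { return Json.createReader(in).readObject(); }
    }

    private String randomToken() {
        byte[] b = new byte[32];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static String enc(String s) throws UnsupportedEncodingException { return URLEncoder.encode(s, "UTF-8"); }
}
```

Left to the deployment on purpose: HttpOnly and Secure flags on the container's session cookie (container configuration), sending the user back to the resource originally requested once the callback succeeds, and what to do when the ID token's `exp` passes (here the login simply stops validating and the next request starts a new flow). The access token returned alongside the ID token is not stored, since nothing in this flow calls Keycloak on the user's behalf.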