Re: sling with sso - with oauth2 / openid connect

2018-03-30 Thread Ioan Eugen Stan
Hello Dmitry,

I would love to work with you on this functionality and to present it as
part of an AdaptTo talk together with you. I believe sharing is
beneficial in this situation.

Let's talk more about both implementing and submitting an
AdaptTo talk together.

My interest is both personal and professional. We are migrating parts of
our services to Sling and Oak as content repository.

Also Keycloak is one architectural component and we need to integrate
them. We use Kubernetes as a deployment environment.

I'll send you my personal details via individual email. Let's make a
call/chat regarding AdaptTo and then figure out the details on how to
implement things.

Regards,

Eugen


On 30.03.2018 07:32, Dmitry Telegin wrote:
> Hi,
>
> I've been investigating the same topic for some time; glad to hear I'm
> not alone :)
>
> I'm myself an experienced Keycloak user and also a contributor; I'm
> working for a company that offers Keycloak services and consulting
> (however, my interest in integrating Sling with Keycloak is stipulated
> by my personal project).
>
> I was planning to do a detailed post describing what it's all about /
> how it works / what needs to be done on Sling/Oak/KC sides etc.; even
> though you did an excellent introductory post, I think it won't hurt
> if I complete and publish mine too.
> Before that, I'd like to draw attention to some details:
> - to make things simpler, we can start with the so called bearer-only
> mode, which is topical for HTML5/JS applications. In this mode, it's
> the HTML5 app's responsibility to obtain a token (via redirect /
> iframe / direct grant etc.), so no redirect is required on a server
> side (however, REST services still need to validate JWT token passed
> via "Authorization: bearer XXX" header);
> - as you've already mentioned, sooner or later we will have to tackle
> the problem of user synchronization between Oak and KC. I think we
> should avoid any KC-specific code here. One of the options would be to
> implement SCIM[1] support for Keycloak (see also a JIRA issue [2]).
> From what I've learned so far, that shouldn't be too hard, provided there
> are libraries like SCIM SDK[3] from PingIdentity. This will also open
> an opportunity to use Sling in the same manner with other SCIM+OIDC
> compliant IDM solutions like WSO2.
>
> By the way, are you interested in doing an adaptTo() 2018 talk on
> this? In case you were planning to do that yourself, would you mind me
> joining you (I'm an experienced speaker)? Otherwise, would you mind
> joining me? :) I know that call for papers deadline is close, but I
> think we could give it a try. Question to the community: assuming that
> we'll have working code by August/September, do you guys think this
> could be a good topic for an adaptTo() talk?
>
> Let me know what you think!
>
> Cheers,
> Dmitry
>
> [1]
> https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
> [2] https://issues.jboss.org/browse/KEYCLOAK-2537
> [3] https://github.com/pingidentity/scim
>
>> Hello,
>>
>> I have started evaluating Sling some time now and I've reached a point
>> where the blocker is whether we can integrate it with Keycloak to
>> provide single sign on.
>>
>> A more generic question is: can Sling delegate
>> authentication/authorization to another system like Keycloak? Keycloak
>> uses Openid Connect protocol for authentication and implements Oauth2
>> grant types. I imagine it should be possible and I'm willing to
>> contribute some code and document this process.
>>
>>
>> How Keycloak integrates with other applications is that it acts like a
>> filter/proxy in front of the app. I believe that the flow would be like
>> this:
>>
>> - User access protected Sling resources
>>
>> - Sling checks if user is authenticated by reading cookie (or maybe token)
>>
>> - If user is not authenticated, it is redirected to the Keycloak server
>>
>> - Keycloak handles auth. After successful authentication, it is
>> redirected back to the Sling with an authorization code (in
>> authorization code grant flow).
>>
>> - Sling will have to call Keycloak API to exchange that code with an
>> access token (Oauth2) and an identity token (OpenID Connect).
>>
>> - Sling can use those tokens to determine access rights (reading from
>> token in case of JWT or calling Keycloak API)
>>
>> Now I know that Sling needs to authenticate to Oak repository. My
>> question is: should the integration with Keycloak (or any OpenID Connect
>> / Oauth2 provider) happen just in Sling, just in Oak or in both?
>>
>> Could someone point out the places (modules, classes) where these
>> integrations could be made? I've looked at Sling authentication [4] and 
>> [5] but I'm still a bit confused as to how Sling relates to
>> authentication and authorization. From my understanding, Oak manages
>> access and permissions (much like PostgreSQL and other RDBMS have
>> support for these features). I will wait some answers here and based on
>> that 
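
Dmitry's bearer-only mode, in which the REST service itself has to validate the JWT carried in the "Authorization: bearer" header, as an added Go example (not code from this thread, from Sling or from Keycloak). The realm signing key, issuer URL, client id and sample token are constructed for the example; a real service would pin the realm issuer and fetch the realm public key from Keycloak's JWKS endpoint instead of generating one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims a bearer-only service checks; sub is what a Sling side would map to a repository user.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Constructed realm settings; a real service fetches the realm public key from Keycloak's JWKS endpoint.
const issuer, audience = "https://keycloak.example.test/realms/demo", "sling-app"
var RealmKey, _ = rsa.GenerateKey(rand.Reader, 2048) // stands in for the realm signing key

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken signs an RS256 JWT the way the realm would; here it only produces sample input.
func MintToken(key *rsa.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64(sig)
}

// ValidateBearer checks the header: bearer scheme, three segments, pinned algorithm, signature, then claims.
func ValidateBearer(authz string, pub *rsa.PublicKey, now int64) (*Claims, error) {
	tok := strings.TrimPrefix(authz, "Bearer ")
	parts := strings.Split(tok, ".")
	if tok == authz || len(parts) != 3 {
		return nil, errors.New("missing bearer token or malformed JWT")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	bodyRaw, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("JWT segments are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("alg must be RS256") // never let the token pick the algorithm
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	c := new(Claims)
	if json.Unmarshal(bodyRaw, c) != nil {
		return nil, errors.New("claims are not JSON")
	}
	if c.Iss != issuer || c.Aud != audience {
		return nil, errors.New("issuer or audience mismatch")
	}
	if now >= c.Exp {
		return nil, errors.New("token expired")
	}
	return c, nil
}
```

The order matters: the signature is verified before any claim is read, so a forged or re-signed body never influences the issuer, audience or expiry decision.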

Re: sling with sso - with oauth2 / openid connect

2018-02-16 Thread Ioan Eugen Stan
Hi,

Thank you all for the feedback so far. I think that in the first
iteration I will go with a single user approach.

Later I will look into synchronizing users and groups if necessary.

I believe/hope I can avoid that by leveraging authorization information
in the identity token (JWT) / or keycloak API.

That way I think I will be able to authorize requests based on user
attributes and context (web path/ repository path, etc).

It's time for a POC! I will keep you posted.

Thanks,


On 14.02.2018 16:55, Chris Millar wrote:
> You may want to also check out Apache Oltu[0][1] which I believe Antonio 
> Sanso (asanso) had a hand in building.
>
> [0] https://github.com/apache/oltu
> [1] https://oltu.apache.org/
>
>> On Feb 14, 2018, at 6:12 AM, Robert Munteanu  wrote:
>>
>> Hi Eugen,
>>
>>> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>>> Hello,
>>>
>>> I have started evaluating Sling some time now and I've reached a
>>> point
>>> where the blocker is whether we can integrate it with Keycloak to
>>> provide single sign on.
>>>
>>> A more generic question is: can Sling delegate
>>> authentication/authorization to another system like Keycloak?
>>> Keycloak
>>> uses Openid Connect protocol for authentication and implements Oauth2
>>> grant types. I imagine it should be possible and I'm willing to
>>> contribute some code and document this process.
>> It definitely is possible. We had some old code which implemented
>> openid authentication [1], but it's now retired. You should be able to
>> infer how to do this, but feel free to ask.
>>
>>>
>>> How Keycloak integrates with other applications is that it acts like
>>> a
>>> filter/proxy in front of the app. I believe that the flow would be
>>> like
>>> this:
>>>
>>> - User access protected Sling resources
>>>
>>> - Sling checks if user is authenticated by reading cookie (or maybe
>>> token)
>>>
>>> - If user is not authenticated, it is redirected to the Keycloak
>>> server
>>>
>>> - Keycloak handles auth. After successful authentication, it is
>>> redirected back to the Sling with an authorization code (in
>>> authorization code grant flow).
>>>
>>> - Sling will have to call Keycloak API to exchange that code with an
>>> access token (Oauth2) and an identity token (OpenID Connect).
>>>
>>> - Sling can use those tokens to determine access rights (reading from
>>> token in case of JWT or calling Keycloak API)
>>>
>>> Now I know that Sling needs to authenticate to Oak repository. My
>>> question is: should the integration with Keycloak (or any OpenID
>>> Connect
>>> / Oauth2 provider) happen just in Sling, just in Oak or in both?
>> I have tried neither so far :-) but my understanding is that Oak-level
>> authentication should be done when you need to reuse the user/group
>> information transparently - e.g. LDAP auth. If you need a SSO scenario
>> you should work at the Sling level, as this is too high in the stack
>> for Oak.
>>
>> Hope this gives you a little something to start with.
>>
>> Robert
>>
>>> Could someone point out the places (modules, classes) where these
>>> integrations could be made? I've looked at Sling authentication [4]
>>> and 
>>> [5] but I'm still a bit confused as to how Sling relates to
>>> authentication and authorization. From my understanding, Oak manages
>>> access and permissions (much like PostgreSQL and other RDBMS have
>>> support for these features). I will wait some answers here and based
>>> on
>>> that continue on Oak mailing list.  
>>>
>>>
>>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-gran
>>> t
>>>
>>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>>>
>>> [3]
>>> http://jackrabbit.apache.org/oak/docs/security/authentication/preauth
>>> entication.html
>>>
>>> [4]
>>> https://sling.apache.org/documentation/the-sling-engine/authenticatio
>>> n.html 
>>>
>>> [5]
>>> https://sling.apache.org/documentation/the-sling-engine/authenticatio
>>> n/authentication-framework.html
>>>
>>>
>>>




Re: sling with sso - with oauth2 / openid connect

2018-02-14 Thread Chris Millar
You may want to also check out Apache Oltu[0][1] which I believe Antonio Sanso 
(asanso) had a hand in building.

[0] https://github.com/apache/oltu
[1] https://oltu.apache.org/

> On Feb 14, 2018, at 6:12 AM, Robert Munteanu  wrote:
> 
> Hi Eugen,
> 
>> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>> Hello,
>> 
>> I have started evaluating Sling some time now and I've reached a
>> point
>> where the blocker is whether we can integrate it with Keycloak to
>> provide single sign on.
>> 
>> A more generic question is: can Sling delegate
>> authentication/authorization to another system like Keycloak?
>> Keycloak
>> uses Openid Connect protocol for authentication and implements Oauth2
>> grant types. I imagine it should be possible and I'm willing to
>> contribute some code and document this process.
> 
> It definitely is possible. We had some old code which implemented
> openid authentication [1], but it's now retired. You should be able to
> infer how to do this, but feel free to ask.
> 
>> 
>> 
>> How Keycloak integrates with other applications is that it acts like
>> a
>> filter/proxy in front of the app. I believe that the flow would be
>> like
>> this:
>> 
>> - User access protected Sling resources
>> 
>> - Sling checks if user is authenticated by reading cookie (or maybe
>> token)
>> 
>> - If user is not authenticated, it is redirected to the Keycloak
>> server
>> 
>> - Keycloak handles auth. After successful authentication, it is
>> redirected back to the Sling with an authorization code (in
>> authorization code grant flow).
>> 
>> - Sling will have to call Keycloak API to exchange that code with an
>> access token (Oauth2) and an identity token (OpenID Connect).
>> 
>> - Sling can use those tokens to determine access rights (reading from
>> token in case of JWT or calling Keycloak API)
>> 
>> Now I know that Sling needs to authenticate to Oak repository. My
>> question is: should the integration with Keycloak (or any OpenID
>> Connect
>> / Oauth2 provider) happen just in Sling, just in Oak or in both?
> 
> I have tried neither so far :-) but my understanding is that Oak-level
> authentication should be done when you need to reuse the user/group
> information transparently - e.g. LDAP auth. If you need a SSO scenario
> you should work at the Sling level, as this is too high in the stack
> for Oak.
> 
> Hope this gives you a little something to start with.
> 
> Robert
> 
>> 
>> Could someone point out the places (modules, classes) where these
>> integrations could be made? I've looked at Sling authentication [4]
>> and 
>> [5] but I'm still a bit confused as to how Sling relates to
>> authentication and authorization. From my understanding, Oak manages
>> access and permissions (much like PostgreSQL and other RDBMS have
>> support for these features). I will wait some answers here and based
>> on
>> that continue on Oak mailing list.  
>> 
>> 
>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-gran
>> t
>> 
>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>> 
>> [3]
>> http://jackrabbit.apache.org/oak/docs/security/authentication/preauth
>> entication.html
>> 
>> [4]
>> https://sling.apache.org/documentation/the-sling-engine/authenticatio
>> n.html 
>> 
>> [5]
>> https://sling.apache.org/documentation/the-sling-engine/authenticatio
>> n/authentication-framework.html
>> 
>> 
>> 
> 


Re: sling with sso - with oauth2 / openid connect

2018-02-14 Thread Robert Munteanu
Hi Eugen,

On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
> Hello,
> 
> I have started evaluating Sling some time now and I've reached a
> point
> where the blocker is whether we can integrate it with Keycloak to
> provide single sign on.
> 
> A more generic question is: can Sling delegate
> authentication/authorization to another system like Keycloak?
> Keycloak
> uses Openid Connect protocol for authentication and implements Oauth2
> grant types. I imagine it should be possible and I'm willing to
> contribute some code and document this process.

It definitely is possible. We had some old code which implemented
openid authentication [1], but it's now retired. You should be able to
infer how to do this, but feel free to ask.

> 
> 
> How Keycloak integrates with other applications is that it acts like
> a
> filter/proxy in front of the app. I believe that the flow would be
> like
> this:
> 
> - User access protected Sling resources
> 
> - Sling checks if user is authenticated by reading cookie (or maybe
> token)
> 
> - If user is not authenticated, it is redirected to the Keycloak
> server
> 
> - Keycloak handles auth. After successful authentication, it is
> redirected back to the Sling with an authorization code (in
> authorization code grant flow).
> 
> - Sling will have to call Keycloak API to exchange that code with an
> access token (Oauth2) and an identity token (OpenID Connect).
> 
> - Sling can use those tokens to determine access rights (reading from
> token in case of JWT or calling Keycloak API)
> 
> Now I know that Sling needs to authenticate to Oak repository. My
> question is: should the integration with Keycloak (or any OpenID
> Connect
> / Oauth2 provider) happen just in Sling, just in Oak or in both?

I have tried neither so far :-) but my understanding is that Oak-level
authentication should be done when you need to reuse the user/group
information transparently - e.g. LDAP auth. If you need a SSO scenario
you should work at the Sling level, as this is too high in the stack
for Oak.

Hope this gives you a little something to start with.

Robert

> 
> Could someone point out the places (modules, classes) where these
> integrations could be made? I've looked at Sling authentication [4]
> and 
> [5] but I'm still a bit confused as to how Sling relates to
> authentication and authorization. From my understanding, Oak manages
> access and permissions (much like PostgreSQL and other RDBMS have
> support for these features). I will wait some answers here and based
> on
> that continue on Oak mailing list.  
> 
> 
> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-gran
> t
> 
> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
> 
> [3]
> http://jackrabbit.apache.org/oak/docs/security/authentication/preauth
> entication.html
> 
> [4]
> https://sling.apache.org/documentation/the-sling-engine/authenticatio
> n.html 
> 
> [5]
> https://sling.apache.org/documentation/the-sling-engine/authenticatio
> n/authentication-framework.html
> 
> 
> 



RE: sling with sso - with oauth2 / openid connect

2018-02-13 Thread Jason Bailey
Here are some authentication implementations and their source code

https://github.com/apache?utf8=%E2%9C%93=sling+auth

It's been a while since I touched this, so I hope I'm not too off base here.
There are two parts to an access control system, authentication and
authorization.
It should be straightforward to tie in an external authentication mechanism;
what might be confusing is that once you have an authenticated user you need to
associate a user that is defined in Sling to that authenticated person, because
it's that user that's defined in Sling that provides the authorization for the
content.

There's a couple of ways of handling the users within Sling. If you had broad
categories of access, say that you need them authenticated but once
authenticated they don't have separate access rights:
1. You'd create a generic user and assign access controls to that user
2. Once authenticated you could then provide the credentials for that generic
user you had created.

If you wanted more fine-grained control, let's say a different user for each
authenticated person, you would need to create or import that person into Sling,
at which point, on authentication, you can associate the specific Sling user
that matches their ID.

Conceivably you could even, on authentication, create the user if that user is
not there and then add that user to defined groups which have the ACLs defined.
The last time I did that though, which was 6-7 years ago, it was a bit labor
intensive.

Here's a bundle that provides a way to manage users in Sling:
https://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html#create-user

-Jason



-Original Message-
From: Ioan Eugen Stan [mailto:ieu...@netdava.com] 
Sent: Tuesday, February 13, 2018 12:46 PM
To: users@sling.apache.org
Subject: sling with sso - with oauth2 / openid connect

Hello,

I have started evaluating Sling some time now and I've reached a point where 
the blocker is whether we can integrate it with Keycloak to provide single sign 
on.

A more generic question is: can Sling delegate authentication/authorization to 
another system like Keycloak? Keycloak uses Openid Connect protocol for 
authentication and implements Oauth2 grant types. I imagine it should be 
possible and I'm willing to contribute some code and document this process.


How Keycloak integrates with other applications is that it acts like a 
filter/proxy in front of the app. I believe that the flow would be like
this:

- User access protected Sling resources

- Sling checks if user is authenticated by reading cookie (or maybe token)

- If user is not authenticated, it is redirected to the Keycloak server

- Keycloak handles auth. After successful authentication, it is redirected back 
to the Sling with an authorization code (in authorization code grant flow).

- Sling will have to call Keycloak API to exchange that code with an access 
token (Oauth2) and an identity token (OpenID Connect).

- Sling can use those tokens to determine access rights (reading from token in 
case of JWT or calling Keycloak API)

Now I know that Sling needs to authenticate to Oak repository. My question is: 
should the integration with Keycloak (or any OpenID Connect / Oauth2 provider) 
happen just in Sling, just in Oak or in both?

Could someone point out the places (modules, classes) where these integrations 
could be made? I've looked at Sling authentication [4] and [5] but I'm still a 
bit confused as to how Sling relates to authentication and authorization. From 
my understanding, Oak manages access and permissions (much like PostgreSQL and 
other RDBMS have support for these features). I will wait some answers here and 
based on that continue on Oak mailing list.  


[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

[2] http://www.keycloak.org/docs/latest/securing_apps/index.html

[3]
http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html

[4]
https://sling.apache.org/documentation/the-sling-engine/authentication.html 

[5]
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html





sling with sso - with oauth2 / openid connect

2018-02-13 Thread Ioan Eugen Stan
Hello,

I started evaluating Sling some time ago and I've reached a point
where the blocker is whether we can integrate it with Keycloak to
provide single sign-on.

A more generic question is: can Sling delegate
authentication/authorization to another system like Keycloak? Keycloak
uses the OpenID Connect protocol for authentication and implements OAuth2
grant types. I imagine it should be possible and I'm willing to
contribute some code and document this process.


How Keycloak integrates with other applications is that it acts like a
filter/proxy in front of the app. I believe that the flow would be like
this:

- User accesses protected Sling resources

- Sling checks if the user is authenticated by reading a cookie (or maybe a token)

- If the user is not authenticated, they are redirected to the Keycloak server

- Keycloak handles auth. After successful authentication, the user is
redirected back to Sling with an authorization code (in the
authorization code grant flow).

- Sling will have to call the Keycloak API to exchange that code for an
access token (OAuth2) and an identity token (OpenID Connect).

- Sling can use those tokens to determine access rights (reading from the
token in case of JWT or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My
question is: should the integration with Keycloak (or any OpenID Connect
/ OAuth2 provider) happen just in Sling, just in Oak or in both?

Could someone point out the places (modules, classes) where these
integrations could be made? I've looked at Sling authentication [4] and
[5] but I'm still a bit confused as to how Sling relates to
authentication and authorization. From my understanding, Oak manages
access and permissions (much like PostgreSQL and other RDBMS have
support for these features). I will wait for some answers here and based on
that continue on the Oak mailing list.


[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

[2] http://www.keycloak.org/docs/latest/securing_apps/index.html

[3]
http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html

[4]
https://sling.apache.org/documentation/the-sling-engine/authentication.html 

[5]
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html

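The authorization code flow sketched above, as an added Go example that is not code from this thread, from Sling or from Keycloak: the redirect Sling would build, the callback that exchanges the code for tokens, and an in-process stand-in for Keycloak's token endpoint. The client id, client secret, endpoint URLs, code and token values are constructed; the state check on the callback and the client authentication at the token endpoint are the two points a relying party has to get right.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

type TokenResponse struct {
	AccessToken string `json:"access_token"`
	IDToken     string `json:"id_token"`
}

// Constructed client registration and endpoints; a real deployment takes them from the realm.
const clientID, clientSecret, redirectURI = "sling-app", "constructed-secret", "https://sling.example.test/callback"
const tokenEndpoint = "https://keycloak.example.test/realms/demo/protocol/openid-connect/token"

// AuthorizationURL is the redirect Sling issues for an unauthenticated user. state must be
// random and kept in the user's session so the callback can be tied to this login attempt.
func AuthorizationURL(authzEndpoint, state string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "scope": {"openid"},
		"redirect_uri": {redirectURI}, "state": {state}}
	return authzEndpoint + "?" + q.Encode()
}

// HandleCallback is Sling's side of the exchange: verify state, then POST the code with the
// client credentials and parse the access and identity tokens from the reply.
func HandleCallback(client *http.Client, callback *url.URL, expectedState string) (*TokenResponse, error) {
	q := callback.Query()
	if expectedState == "" || q.Get("state") != expectedState {
		return nil, errors.New("state mismatch: callback not tied to a login this session started")
	}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {q.Get("code")},
		"redirect_uri": {redirectURI}}
	req, _ := http.NewRequest("POST", tokenEndpoint, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, errors.New("token endpoint refused the code")
	}
	tr := new(TokenResponse)
	return tr, json.NewDecoder(resp.Body).Decode(tr)
}

// FakeKeycloak emulates the token endpoint in-process as an http.RoundTripper: it requires
// the client credentials and redirect_uri to match and accepts the constructed code only once.
type FakeKeycloak struct{ used bool }

func (k *FakeKeycloak) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	id, secret, ok := r.BasicAuth()
	switch {
	case r.URL.String() != tokenEndpoint, !ok, id != clientID, secret != clientSecret,
		r.PostFormValue("grant_type") != "authorization_code", r.PostFormValue("redirect_uri") != redirectURI,
		r.PostFormValue("code") != "constructed-code", k.used:
		http.Error(rec, `{"error":"invalid_grant"}`, http.StatusBadRequest)
	default:
		k.used = true // an authorization code is single use
		json.NewEncoder(rec).Encode(TokenResponse{AccessToken: "constructed-access", IDToken: "constructed-id"})
	}
	return rec.Result(), nil
}
```

Use `&http.Client{Transport: &FakeKeycloak{}}` to drive HandleCallback without network access; the returned id_token still has to be validated as a JWT before Sling maps its subject to a repository user.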

