Hello, I have started evaluating Sling some time now and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign on.
A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements the OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process. How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:

- User accesses protected Sling resources
- Sling checks if the user is authenticated by reading a cookie (or maybe a token)
- If the user is not authenticated, it is redirected to the Keycloak server
- Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
- Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
- Sling can use those tokens to determine access rights (reading from the token in the case of a JWT, or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak, or in both? Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMSs have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.
[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
[2] http://www.keycloak.org/docs/latest/securing_apps/index.html
[3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
[4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
[5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
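The authorization code flow sketched in the post, modelled end to end as an added example (this is not code from the post, from Sling or from Keycloak). Both sides are simulated in one process: a mock provider that plays Keycloak's authorize and token endpoints, and a relying party that plays the application side, which in the post would be a Sling authentication handler. The endpoint URLs, client id, realm and the `realm_access` role claim are constructed values. The mock signs the ID token with HS256 and a shared secret so the example runs offline; a real Keycloak realm signs with RS256 by default and the application verifies against the realm's published public keys. The point the example makes is what the application must check before it trusts the tokens it exchanged the code for: the `state` it generated, the token signature with a pinned algorithm, and the `iss`, `aud`, `exp` and `nonce` claims.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; not real Keycloak endpoints, ids or keys.
ISSUER = "https://keycloak.example/realms/demo"
CLIENT_ID = "sling-demo"
REDIRECT_URI = "https://sling.example/oidc/callback"
SHARED_SECRET = b"constructed-hs256-secret-for-example-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign_jwt(claims: dict, key: bytes) -> str:
    # Minimal HS256 JWT, enough to show the verification steps on the other side.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class MockProvider:
    """Stand-in for the OpenID Connect provider (Keycloak in the post).
    Issued codes are stored so each one can be redeemed exactly once."""

    def __init__(self):
        self.codes = {}  # code -> (nonce, subject)

    def authorize(self, params: dict, user: str) -> str:
        # The user authenticates at the provider; it redirects back with a code
        # and echoes the application's state parameter unchanged.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["nonce"], user)
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, code: str, redirect_uri: str, now: float) -> dict:
        nonce, user = self.codes.pop(code)  # KeyError on an unknown or reused code
        if redirect_uri != REDIRECT_URI:
            raise ValueError("redirect_uri mismatch")
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": user, "nonce": nonce,
                  "iat": int(now), "exp": int(now) + 300,
                  "realm_access": {"roles": ["editor"]}}  # constructed role claim
        return {"access_token": secrets.token_urlsafe(16),
                "id_token": _sign_jwt(claims, SHARED_SECRET), "token_type": "Bearer"}


class RelyingParty:
    """The application side (Sling in the post). Remembers state/nonce per login
    attempt and validates the ID token before deriving any access rights from it."""

    def __init__(self, provider: MockProvider):
        self.provider = provider
        self.pending = {}  # state -> nonce

    def start_login(self) -> dict:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "scope": "openid", "state": state, "nonce": nonce}

    def handle_callback(self, url: str, now: float) -> dict:
        qs = parse_qs(urlparse(url).query)
        state, code = qs["state"][0], qs["code"][0]
        nonce = self.pending.pop(state, None)  # unknown state: not a login we started
        if nonce is None:
            raise ValueError("unknown or replayed state")
        tokens = self.provider.token(code, REDIRECT_URI, now)
        return self.validate_id_token(tokens["id_token"], nonce, now)

    def validate_id_token(self, token: str, expected_nonce: str, now: float) -> dict:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            raise ValueError("unexpected alg")
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("iss") != ISSUER:
            raise ValueError("wrong issuer")
        if claims.get("aud") != CLIENT_ID:
            raise ValueError("wrong audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        if claims.get("nonce") != expected_nonce:
            raise ValueError("nonce mismatch")
        return claims


def demo_login(user: str = "alice", now: float = None) -> dict:
    """Run one complete login and return the validated ID token claims."""
    now = time.time() if now is None else now
    idp = MockProvider()
    rp = RelyingParty(idp)
    params = rp.start_login()           # redirect the browser to the provider
    callback_url = idp.authorize(params, user)  # provider redirects back with code + state
    return rp.handle_callback(callback_url, now)  # exchange code, validate ID token


if __name__ == "__main__":
    print(demo_login())
```

The `realm_access.roles` claim returned here is where the last step of the post's flow would start: the application maps it onto the principals or groups it hands to the repository login, which is the part that lives on the Oak side rather than in the handler.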
