Hello,

I have started evaluating Sling some time now and I've reached a point
where the blocker is whether we can integrate it with Keycloak to
provide single sign on.

A more generic question is: can Sling delegate
authentication/authorization to another system like Keycloak? Keycloak
uses Openid Connect protocol for authentication and implements Oauth2
grant types. I imagine it should be possible and I'm willing to
contribute some code and document this process.


How Keycloak integrates with other applications is that it acts like a
filter/proxy in front of the app. I believe that the flow would be like
this:

- User access protected Sling resources

- Sling checks if user is authenticated by reading cookie (or maybe token)

- If user is not authenticated, it is redirected to the Keycloak server

- Keycloak handles auth. After successful authentication, it is
redirected back to the Sling with an authorization code (in
authorization code grant flow).

- Sling will have to call Keycloak API to exchange that code with an
access token (Oauth2) and an identity token (OpenID Connect).

- Sling can use those tokens to determine access rights (reading from
token in case of JWT or calling Keycloak API)

Now I know that Sling needs to authenticate to Oak repository. My
question is: should the integration with Keycloak (or any OpenID Connect
/ Oauth2 provider) happen just in Sling, just in Oak or in both?

Could someone point out the places (modules, classes) where these
integrations could be made? I've looked at Sling authentication [4] and 
[5] but I'm still a bit confused as to how Sling relates to
authentication and authorization. From my understanding, Oak manages
access and permissions (much like PostgreSQL and other RDBMS have
support for these features). I will wait some answers here and based on
that continue on Oak mailing list.  


[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

[2] http://www.keycloak.org/docs/latest/securing_apps/index.html

[3]
http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html

[4]
https://sling.apache.org/documentation/the-sling-engine/authentication.html 

[5]
https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html



Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to