Here are some authentication implementations and their source code

It's been a while since I touched this, so I hope I'm not too off base here. 
There are two parts to an access control system, authentication and 
It should be straightforward to tie in an external authentication mechanism; 
what might be confusing is that once you have an authenticated user you need to 
associate a user that is defined in Sling with that authenticated person, because 
it's that user defined in Sling that provides the authorization for the 
There are a couple of ways of handling the users within Sling. If you have broad 
categories of access, say you need users authenticated but once 
authenticated they don't have separate access rights:
1. You'd create a generic user and assign access controls to that user.
2. Once authenticated you could then provide the credentials for that generic 
user you had created.

If you wanted more fine-grained control, let's say a different user for each 
authenticated person, you would need to create or import that person into Sling, 
at which point, on authentication, you can associate the specific Sling user 
that matches their ID.

Conceivably you could even, on authentication, create the user if that user is 
not there and then add that user to defined groups which have the ACLs defined. 
The last time I did that though, which was 6-7 years ago, it was a bit labor 

Here's a bundle that provides a way to manage users in Sling


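The last option in the reply above (create the Sling user on first login and put it in a group that carries the ACLs), worked through as an added example; this is not code from the reply, from the bundle it mentions, or from any Sling module. It hooks into Sling's AuthenticationInfoPostProcessor, which Sling calls after an AuthenticationHandler has identified the caller and before it opens the repository session for that user. The auth type "OIDC", the group name, the sub-service name and the service-user mapping it relies on are assumptions.

```java
package org.example.sling.auth.oidc;

import java.util.Collections;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Runs after an AuthenticationHandler has said who the caller is and before
 * Sling opens the repository session for that user: the moment to make sure
 * the Sling-side user (the one that actually carries the authorization) exists.
 */
@Component(service = AuthenticationInfoPostProcessor.class)
public class OidcUserSyncPostProcessor implements AuthenticationInfoPostProcessor {

    // Assumed: the auth type an OIDC AuthenticationHandler puts into AuthenticationInfo.
    private static final String AUTH_TYPE = "OIDC";
    // Assumed: the group whose ACLs every SSO user inherits.
    private static final String SSO_GROUP = "sso-users";
    // Assumed: a sub-service name mapped (Sling ServiceUserMapper config) to a service
    // user that is allowed to create users and edit group membership.
    private static final String SUBSERVICE = "user-sync";

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request,
            HttpServletResponse response) throws LoginException {
        if (info == null || !AUTH_TYPE.equals(info.getAuthType())) {
            return; // form/basic logins and anonymous requests are none of our business
        }
        String userId = info.getUser();
        try (ResourceResolver admin = resolverFactory.getServiceResourceResolver(
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE))) {
            Session session = admin.adaptTo(Session.class);
            UserManager um = ((JackrabbitSession) session).getUserManager();
            ensureMember(um, ensureUser(um, userId), SSO_GROUP);
            session.save();
        } catch (RepositoryException e) {
            // Fail closed: refusing the login beats letting an unsynced user through.
            throw new LoginException("user sync failed for " + userId, e);
        }
    }

    /** Create the repository user on first login; refuse ids that collide with a group. */
    static User ensureUser(UserManager um, String userId) throws RepositoryException {
        Authorizable existing = um.getAuthorizable(userId);
        if (existing == null) {
            // null password: nobody should ever log in to this account with a
            // repository password, Keycloak owns the credential.
            return um.createUser(userId, null);
        }
        if (existing.isGroup()) {
            throw new RepositoryException("id '" + userId + "' is a group, refusing to log in as it");
        }
        return (User) existing;
    }

    /** Put the user into the group that carries the ACLs, creating the group if needed. */
    static void ensureMember(UserManager um, User user, String groupId) throws RepositoryException {
        Authorizable a = um.getAuthorizable(groupId);
        Group group = (a != null && a.isGroup()) ? (Group) a : um.createGroup(groupId);
        if (!group.isMember(user)) {
            group.addMember(user);
        }
    }
}
```

Two things worth noting about the design: the ACLs are set once on the group, never on the per-person user, so "delete the user" and "remove from group" are the only two operations an administrator ever has to do; and the service session is scoped to a named sub-service, so the bundle as a whole never needs administrative rights.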
-----Original Message-----
From: Ioan Eugen Stan [] 
Sent: Tuesday, February 13, 2018 12:46 PM
Subject: sling with sso - with oauth2 / openid connect


I started evaluating Sling some time ago and I've reached a point where 
the blocker is whether we can integrate it with Keycloak to provide single sign 

A more generic question is: can Sling delegate authentication/authorization to 
another system like Keycloak? Keycloak uses the OpenID Connect protocol for 
authentication and implements OAuth2 grant types. I imagine it should be 
possible and I'm willing to contribute some code and document this process.

How Keycloak integrates with other applications is that it acts like a 
filter/proxy in front of the app. I believe that the flow would be like

- User accesses protected Sling resources
- Sling checks if the user is authenticated by reading a cookie (or maybe a token)
- If the user is not authenticated, they are redirected to the Keycloak server
- Keycloak handles auth. After successful authentication, the user is redirected back 
to Sling with an authorization code (in the authorization code grant flow).
- Sling will have to call the Keycloak API to exchange that code for an access 
token (OAuth2) and an identity token (OpenID Connect).
- Sling can use those tokens to determine access rights (reading from the token in 
case of JWT or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My question is: 
should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) 
happen just in Sling, just in Oak or in both?

Could someone point out the places (modules, classes) where these integrations 
could be made? I've looked at Sling authentication [4] and [5] but I'm still a 
bit confused as to how Sling relates to authentication and authorization. From 
my understanding, Oak manages access and permissions (much like PostgreSQL and 
other RDBMSs support these features). I will wait for some answers here and 
based on that continue on the Oak mailing list.