Here are some authentication implementations and their source code https://github.com/apache?utf8=%E2%9C%93&q=sling+auth
It's been a while since I touched this, so I hope I'm not too off base here.

There are two parts to an access control system, authentication and authorization. It should be straightforward to tie in an external authentication mechanism; what might be confusing is that once you have an authenticated user you need to associate a user that is defined in Sling with that authenticated person, because it's that user defined in Sling that provides the authorization for the content.

There are a couple of ways of handling the users within Sling. If you had broad categories of access, say that you need them authenticated but once authenticated they don't have separate access rights:

1. You'd create a generic user and assign access controls to that user.
2. Once authenticated, you could then provide the credentials for that generic user you had created.

If you wanted more fine-grained control, let's say a different user for each authenticated person, you would need to create or import that person into Sling, at which point, on authentication, you can associate the specific Sling user that matches their ID. Conceivably you could even, on authentication, create the user if that user is not there and then add that user to defined groups which have the ACLs defined. The last time I did that though, which was 6-7 years ago, it was a bit labor intensive.

Here's a bundle that provides a way to manage users in Sling: https://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html#create-user

-Jason

-----Original Message-----
From: Ioan Eugen Stan [mailto:[email protected]]
Sent: Tuesday, February 13, 2018 12:46 PM
To: [email protected]
Subject: sling with sso - with oauth2 / openid connect

Hello,

I have started evaluating Sling some time ago and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign-on.
A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.

How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:

- User accesses protected Sling resources
- Sling checks if the user is authenticated by reading a cookie (or maybe a token)
- If the user is not authenticated, they are redirected to the Keycloak server
- Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
- Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
- Sling can use those tokens to determine access rights (reading from the token in the case of a JWT, or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak, or in both? Could someone point out the places (modules, classes) where these integrations could be made?

I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMSs have support for these features). I will wait for some answers here and based on that continue on the Oak mailing list.
[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
[2] http://www.keycloak.org/docs/latest/securing_apps/index.html
[3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
[4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
[5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
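The authorization-code flow described in the question, followed by the Sling-user mapping step from the reply, as an added Python sketch that is not part of this thread and not Sling's own code: the issuer, client id, redirect URI and client secret are assumed placeholders, the token exchange is only built rather than sent, and JWT signature verification is left out so the claim checks (state, issuer, audience, expiry) stand on their own.

```python
import time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://keycloak.example/auth/realms/sling"  # assumed Keycloak realm URL
CLIENT_ID = "sling"                                    # assumed client id
REDIRECT_URI = "https://sling.example/callback"        # assumed callback URL

def build_authorize_url(state):
    """Unauthenticated user is sent to Keycloak; `state` is stored in the session first."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return f"{ISSUER}/protocol/openid-connect/auth?{urlencode(params)}"

def parse_callback(url, expected_state):
    """Keycloak redirects back with ?code=...&state=...; a state mismatch means the
    callback was not started by this session, so the code is discarded."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch on callback")
    return q["code"][0]

def token_request(code):
    """Form body Sling POSTs server-side to swap the code for access + ID tokens."""
    return {"url": f"{ISSUER}/protocol/openid-connect/token",
            "form": {"grant_type": "authorization_code", "code": code,
                     "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                     "client_secret": "<client-secret-placeholder>"}}

def validate_id_token_claims(claims, now=None):
    """After the JWT signature is verified (not shown here), issuer, audience and
    expiry must still match before the subject is trusted."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud or claims.get("exp", 0) <= now:
        raise ValueError("ID token rejected")
    return claims["sub"]

def map_to_sling_user(sub, sling_users, generic_user=None):
    """Pick the Sling user that carries the ACLs: a per-person user keyed by the
    token subject, or one shared generic user when no per-person mapping exists."""
    if sub in sling_users:
        return sling_users[sub]
    if generic_user is not None:
        return generic_user
    raise LookupError(f"no Sling user for subject {sub}")
```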
