Hi Eugen,

On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
> Hello,
>
> I have started evaluating Sling some time ago and I've reached a point
> where the blocker is whether we can integrate it with Keycloak to
> provide single sign-on.
>
> A more generic question is: can Sling delegate
> authentication/authorization to another system like Keycloak? Keycloak
> uses the OpenID Connect protocol for authentication and implements OAuth2
> grant types. I imagine it should be possible and I'm willing to
> contribute some code and document this process.

It definitely is possible. We had some old code which implemented OpenID
authentication [1], but it's now retired. You should be able to infer how
to do this, but feel free to ask.

> How Keycloak integrates with other applications is that it acts like a
> filter/proxy in front of the app. I believe that the flow would be like
> this:
>
> - User accesses protected Sling resources
> - Sling checks if the user is authenticated by reading a cookie (or maybe
>   a token)
> - If the user is not authenticated, it is redirected to the Keycloak
>   server
> - Keycloak handles auth. After successful authentication, it is
>   redirected back to Sling with an authorization code (in the
>   authorization code grant flow).
> - Sling will have to call the Keycloak API to exchange that code for an
>   access token (OAuth2) and an identity token (OpenID Connect).
> - Sling can use those tokens to determine access rights (reading from
>   the token in case of JWT or calling the Keycloak API)
>
> Now I know that Sling needs to authenticate to the Oak repository. My
> question is: should the integration with Keycloak (or any OpenID Connect
> / OAuth2 provider) happen just in Sling, just in Oak or in both?

I have tried neither so far :-) but my understanding is that Oak-level
authentication should be done when you need to reuse the user/group
information transparently - e.g. LDAP auth. If you need an SSO scenario
you should work at the Sling level, as this is too high in the stack for
Oak.

Hope this gives you a little something to start with.

Robert

> Could someone point out the places (modules, classes) where these
> integrations could be made? I've looked at Sling authentication [4] and
> [5] but I'm still a bit confused as to how Sling relates to
> authentication and authorization. From my understanding, Oak manages
> access and permissions (much like PostgreSQL and other RDBMS have
> support for these features). I will wait for some answers here and based
> on that continue on the Oak mailing list.
>
> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
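The authorization-code flow Eugen lists above, as an added example that is not part of this thread nor code from the Sling or Keycloak projects: a dependency-free Python model with both sides in-process. `FakeKeycloak` stands in for the Keycloak server (it issues single-use codes and runs a token endpoint), and the two `sling_*` functions play the part of a Sling-side authentication handler, loosely mirroring the "request credentials" / "extract credentials" split of the framework described in [5]. The issuer URL, client id, client secret, redirect URI and signing key are constructed placeholders; the HS256 shared key is an assumption made to keep the example self-contained, whereas a real Keycloak realm signs id_tokens with an asymmetric key that the Sling side would fetch and verify against. The points a defender cares about are all visible: `state` ties the callback to the session that started the login, `nonce` ties the id_token to that request, the code is redeemable only once, and the identity is trusted only after signature, issuer, audience, nonce and expiry checks pass.

```python
"""Constructed model of the authorization-code / OpenID Connect flow from the thread.
FakeKeycloak stands in for the Keycloak server, the sling_* functions for the Sling
authentication handler. No network and no third-party dependencies."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed configuration (placeholders, not values from the thread).
ISSUER = "https://keycloak.example/auth/realms/sling"
CLIENT_ID = "sling"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://sling.example/callback"
# Real Keycloak signs id_tokens with RS256 and publishes its public keys; a shared
# HS256 key is used here only so the example runs stand-alone.
SIGNING_KEY = b"constructed-hs256-signing-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class FakeKeycloak:
    """Issues single-use authorization codes and exchanges them at a token endpoint."""

    def __init__(self):
        self.codes = {}  # code -> (subject, nonce)

    def authorize(self, subject: str, nonce: str) -> str:
        # The user has logged in at Keycloak: bind a fresh code to that user and the nonce.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, nonce)
        return code

    def token(self, params: dict) -> dict:
        if params.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if params.get("client_id") != CLIENT_ID or params.get("client_secret") != CLIENT_SECRET:
            return {"error": "invalid_client"}
        if params.get("redirect_uri") != REDIRECT_URI:
            return {"error": "invalid_grant"}
        entry = self.codes.pop(params.get("code"), None)  # pop: a code is redeemable once
        if entry is None:
            return {"error": "invalid_grant"}
        subject, nonce = entry
        now = int(time.time())
        claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": subject, "nonce": nonce,
                  "iat": now, "exp": now + 300}
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "id_token": sign_jwt(claims)}


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Check signature, alg, issuer, audience, nonce and expiry before trusting 'sub'."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def sling_request_credentials(session: dict) -> str:
    """No valid session: build the redirect to Keycloak, remembering state and nonce."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    return f"{ISSUER}/protocol/openid-connect/auth?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": session["state"], "nonce": session["nonce"]})


def sling_handle_callback(session: dict, callback_url: str, idp: FakeKeycloak) -> str:
    """Validate state, exchange the code, verify the id_token, then establish the session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.pop("state", None):
        return "rejected: state mismatch"
    tokens = idp.token({"grant_type": "authorization_code", "code": query.get("code", [""])[0],
                        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                        "client_secret": CLIENT_SECRET})
    if "error" in tokens:
        return f"rejected: {tokens['error']}"
    try:
        claims = verify_id_token(tokens["id_token"], session.pop("nonce", None))
    except ValueError as exc:
        return f"rejected: {exc}"
    session["user"] = claims["sub"]  # the Sling session is now tied to a verified identity
    return f"authenticated: {claims['sub']}"


def run_flow(subject: str = "alice", tamper_state: bool = False) -> str:
    """Drive the whole exchange in-process; tamper_state simulates a forged callback."""
    idp, session = FakeKeycloak(), {}
    sling_request_credentials(session)  # the returned URL would be sent as a 302 to the browser
    code = idp.authorize(subject, session["nonce"])
    state = "forged" if tamper_state else session["state"]
    callback = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"
    return sling_handle_callback(session, callback, idp)
```

`run_flow()` walks the happy path and returns `authenticated: alice`; `run_flow(tamper_state=True)` shows the state check refusing a callback that did not originate from this session, and redeeming a code a second time at `FakeKeycloak.token` yields `invalid_grant`. In a real handler the session dictionary is whatever Sling keeps behind its cookie, and the token endpoint call is an HTTPS POST to Keycloak rather than a method call.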
