Hi Eugen,

On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
> Hello,
> 
> I have started evaluating Sling some time now and I've reached a
> point where the blocker is whether we can integrate it with Keycloak
> to provide single sign on.
> 
> A more generic question is: can Sling delegate
> authentication/authorization to another system like Keycloak?
> Keycloak uses the OpenID Connect protocol for authentication and
> implements OAuth2 grant types. I imagine it should be possible and
> I'm willing to contribute some code and document this process.

It definitely is possible. We had some old code which implemented
openid authentication [1], but it's now retired. You should be able to
infer how to do this, but feel free to ask.

> 
> 
> How Keycloak integrates with other applications is that it acts like
> a filter/proxy in front of the app. I believe that the flow would be
> like this:
> 
> - User accesses protected Sling resources
> 
> - Sling checks if user is authenticated by reading cookie (or maybe
> token)
> 
> - If user is not authenticated, it is redirected to the Keycloak
> server
> 
> - Keycloak handles auth. After successful authentication, it is
> redirected back to the Sling with an authorization code (in
> authorization code grant flow).
> 
> - Sling will have to call Keycloak API to exchange that code with an
> access token (OAuth2) and an identity token (OpenID Connect).
> 
> - Sling can use those tokens to determine access rights (reading from
> token in case of JWT or calling Keycloak API)
> 
> Now I know that Sling needs to authenticate to Oak repository. My
> question is: should the integration with Keycloak (or any OpenID
> Connect / OAuth2 provider) happen just in Sling, just in Oak or in
> both?

I have tried neither so far :-) but my understanding is that Oak-level
authentication should be done when you need to reuse the user/group
information transparently - e.g. LDAP auth. If you need a SSO scenario
you should work at the Sling level, as this is too high in the stack
for Oak.

Hope this gives you a little something to start with.

Robert

> 
> Could someone point out the places (modules, classes) where these
> integrations could be made? I've looked at Sling authentication [4]
> and [5] but I'm still a bit confused as to how Sling relates to
> authentication and authorization. From my understanding, Oak manages
> access and permissions (much like PostgreSQL and other RDBMS have
> support for these features). I will wait for some answers here and
> based on that continue on the Oak mailing list.
> 
> 
> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
> 
> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
> 
> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
> 
> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
> 
> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
> 
> 
> 

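The authorization-code flow sketched in Eugen's message, modelled end to end as an added example (this is not Sling, Oak or Keycloak code, and none of it comes from the thread). `SlingSide` stands in for a Sling authentication handler (cookie check, redirect, callback) and `KeycloakSide` for the identity provider (authorization and token endpoints); all names, URLs and secrets are constructed, there is no network, and the ID token is an HS256 JWT signed with the client secret, which OpenID Connect allows for confidential clients. The point the steps in the message leave implicit, and what the example shows, is the checks the Sling side must do before trusting the callback: the `state` value must match one it issued (CSRF/replay), the code must be redeemed with client credentials, and the ID token's signature, `iss`, `aud`, `exp` and `nonce` must all be verified before a session is created.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://idp.example/realms/demo"          # constructed
CLIENT_ID = "sling"                                 # constructed
CLIENT_SECRET = b"constructed-client-secret"        # constructed
REDIRECT_URI = "https://sling.example/callback"     # constructed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact JWS, HS256 over header.payload (toy stand-in for the IdP's signing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> dict:
    """Reject the token unless alg, signature, issuer, audience, expiry and nonce all check out."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


class KeycloakSide:
    """Stand-in identity provider: issues a code at login, redeems it exactly once."""
    def __init__(self):
        self._codes = {}  # code -> (subject, nonce)

    def authorize(self, query: dict, logged_in_user: str) -> str:
        # Step 4: user authenticated at the IdP; redirect back with code + echoed state.
        assert query["response_type"] == "code" and query["client_id"] == CLIENT_ID
        code = secrets.token_urlsafe(16)
        self._codes[code] = (logged_in_user, query["nonce"])
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, code: str, client_id: str, client_secret: bytes) -> dict:
        # Step 5: token endpoint; client must authenticate, code is single use.
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        subject, nonce = self._codes.pop(code)   # KeyError on a replayed code
        now = int(time.time())
        id_token = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": subject,
                             "iat": now, "exp": now + 300, "nonce": nonce}, CLIENT_SECRET)
        return {"access_token": secrets.token_urlsafe(16), "id_token": id_token,
                "token_type": "Bearer"}


class SlingSide:
    """Stand-in for a Sling authentication handler (hypothetical, not the Sling API)."""
    def __init__(self, idp: KeycloakSide):
        self.idp = idp
        self._pending = {}   # state -> nonce, held server-side until the callback arrives
        self._sessions = {}  # session cookie -> user id

    def extract_credentials(self, cookies: dict):
        # Step 2: a known session cookie identifies the user, otherwise None.
        return self._sessions.get(cookies.get("sling.sso"))

    def request_credentials(self) -> str:
        # Step 3: redirect to the IdP with a fresh state (CSRF) and nonce (token binding).
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return f"{ISSUER}/protocol/openid-connect/auth?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid", "state": state, "nonce": nonce})

    def handle_callback(self, url: str):
        # Steps 4-6: check state, exchange the code, verify the ID token, mint a session.
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        nonce = self._pending.pop(q.get("state"), None)
        if nonce is None:
            raise ValueError("unknown state: possible CSRF or replay")
        tokens = self.idp.token(q["code"], CLIENT_ID, CLIENT_SECRET)
        claims = verify_id_token(tokens["id_token"], CLIENT_SECRET, nonce)
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = claims["sub"]
        return cookie, claims["sub"]


def run_flow(user: str = "alice") -> dict:
    """Drive one login through both sides and then replay the callback."""
    idp, sling = KeycloakSide(), None
    sling = SlingSide(idp)
    auth_url = sling.request_credentials()
    query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    cookie, subject = sling.handle_callback(idp.authorize(query, logged_in_user=user))
    replay_rejected = False
    try:
        sling.handle_callback(idp.authorize(query, logged_in_user=user))  # same state again
    except ValueError:
        replay_rejected = True
    return {"subject": subject,
            "session_user": sling.extract_credentials({"sling.sso": cookie}),
            "replay_rejected": replay_rejected}
```

`run_flow()` returns the authenticated subject, shows that the session cookie now resolves to that user on a later request, and confirms that reusing the same `state` is refused. The per-request `state` and `nonce` are what tie the callback to the browser that started the login; the access token is deliberately not used for the Sling-side decision here, because only the ID token carries the verified identity the message's step 6 needs.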