You may also want to check out Apache Oltu [0][1], which I believe Antonio Sanso
(asanso) had a hand in building.

[0] https://github.com/apache/oltu
[1] https://oltu.apache.org/

> On Feb 14, 2018, at 6:12 AM, Robert Munteanu <romb...@apache.org> wrote:
> 
> Hi Eugen,
> 
> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>> Hello,
>> 
>> I started evaluating Sling some time ago and I've reached a point
>> where the blocker is whether we can integrate it with Keycloak to
>> provide single sign-on.
>> 
>> A more generic question is: can Sling delegate
>> authentication/authorization to another system like Keycloak?
>> Keycloak uses the OpenID Connect protocol for authentication and
>> implements OAuth2 grant types. I imagine it should be possible and
>> I'm willing to contribute some code and document this process.
> 
> It definitely is possible. We had some old code which implemented
> openid authentication [1], but it's now retired. You should be able to
> infer how to do this, but feel free to ask.
> 
>> 
>> 
>> How Keycloak integrates with other applications is that it acts like
>> a filter/proxy in front of the app. I believe that the flow would be
>> like this:
>> 
>> - The user accesses protected Sling resources
>> 
>> - Sling checks whether the user is authenticated by reading a cookie
>>   (or maybe a token)
>> 
>> - If the user is not authenticated, they are redirected to the
>>   Keycloak server
>> 
>> - Keycloak handles auth. After successful authentication, the user is
>>   redirected back to Sling with an authorization code (in the
>>   authorization code grant flow).
>> 
>> - Sling will have to call the Keycloak API to exchange that code for
>>   an access token (OAuth2) and an identity token (OpenID Connect).
>> 
>> - Sling can use those tokens to determine access rights (reading from
>>   the token in the case of a JWT, or calling the Keycloak API)
>> 
>> Now I know that Sling needs to authenticate to the Oak repository. My
>> question is: should the integration with Keycloak (or any OpenID
>> Connect / OAuth2 provider) happen just in Sling, just in Oak, or in
>> both?
> 
> I have tried neither so far :-) but my understanding is that Oak-level
> authentication should be done when you need to reuse the user/group
> information transparently - e.g. LDAP auth. If you need a SSO scenario
> you should work at the Sling level, as this is too high in the stack
> for Oak.
> 
> Hope this gives you a little something to start with.
> 
> Robert
> 
>> 
>> Could someone point out the places (modules, classes) where these
>> integrations could be made? I've looked at Sling authentication [4]
>> and [5] but I'm still a bit confused as to how Sling relates to
>> authentication and authorization. From my understanding, Oak manages
>> access and permissions (much like PostgreSQL and other RDBMSs have
>> support for these features). I will wait for some answers here and
>> based on that continue on the Oak mailing list.
>> 
>> 
>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
>> 
>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>> 
>> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
>> 
>> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
>> 
>> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
>> 
>> 
>> 
> 

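The flow Eugen sketches in his message (redirect to the provider, authorization code back, back-channel exchange for an access token and an ID token, then deciding who the user is from the ID token), carried through end to end as an added example. This is not Sling or Keycloak code and was not posted by anyone in the thread: a stand-in provider and a stand-in relying party run in one process, the provider signs with HS256 and a shared key only so the example runs offline (Keycloak signs with RS256 and the client verifies against the realm's JWKS), and the issuer URL, client id, client secret, redirect URI and signing key are all constructed. It adds the checks the sketch leaves implicit: a `state` value so the callback is only accepted for a login this site started, a `nonce` bound into the ID token, single-use codes, a fixed expected `alg`, and verification of signature, issuer, audience and expiry before the `sub` claim is trusted.

```python
# Added example, not Sling or Keycloak code: the OIDC authorization-code flow simulated in
# one process. URLs, client secret and SIGNING_KEY are constructed; HS256 with a shared key
# stands in for Keycloak's RS256 signatures, which a real client checks against its JWKS.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://keycloak.example/realms/sling"      # assumed realm URL
CLIENT_ID = "sling"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://sling.example/oidc/callback"   # assumed; registered at the provider
SIGNING_KEY = b"constructed-provider-signing-key"

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key):
    """Provider side: compact HS256-signed JWT."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64u(sig)}"

def verify_id_token(token, key, nonce):
    """Client side: every check an RP must pass before trusting the 'sub' claim."""
    header, body, sig = token.split(".")
    if json.loads(b64u_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, picks the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(body))
    for ok, problem in [(claims.get("iss") == ISSUER, "wrong issuer"),
                        (claims.get("aud") == CLIENT_ID, "token not issued for this client"),
                        (claims.get("exp", 0) > time.time(), "expired"),
                        (claims.get("nonce") == nonce, "nonce mismatch: replayed or injected")]:
        if not ok:
            raise ValueError(problem)
    return claims

class Provider:
    """Stand-in for Keycloak: single-use codes and a back-channel token endpoint."""
    def __init__(self):
        self.codes = {}  # code -> (user, nonce, expiry)

    def authorize(self, auth_url, authenticated_user):
        # The user has just logged in here: bind a short-lived code to the client and
        # its nonce, and only ever redirect to the URI registered for that client.
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        if q["client_id"] != CLIENT_ID or q["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("client_id/redirect_uri not registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (authenticated_user, q["nonce"], time.time() + 60)
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        # Client authenticates with its secret; the code is consumed (pop), so replay fails.
        if not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(form.get("code"), None)
        if entry is None or entry[2] < time.time() or form.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("invalid, expired or replayed code")
        user, nonce, _ = entry
        now = int(time.time())
        id_token = sign_jwt({"iss": ISSUER, "sub": user, "aud": CLIENT_ID, "iat": now,
                             "exp": now + 300, "nonce": nonce}, SIGNING_KEY)
        return {"access_token": secrets.token_urlsafe(32), "id_token": id_token}

class RelyingParty:
    """Stand-in for the Sling-side handler that drives the flow."""
    def __init__(self, provider):
        self.provider = provider
        self.pending = {}  # state -> nonce; a real handler keeps this in the session

    def start_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return ISSUER + "/protocol/openid-connect/auth?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid", "state": state, "nonce": nonce})

    def callback(self, redirect_url):
        # Browser comes back: state must match a login we started, then exchange the
        # code on the back channel and verify the ID token before trusting 'sub'.
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        nonce = self.pending.pop(q.get("state"), None)
        if nonce is None:
            raise PermissionError("unknown state: login was not started here (CSRF?)")
        tokens = self.provider.token({"grant_type": "authorization_code", "code": q["code"],
                                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                      "client_secret": CLIENT_SECRET})
        return verify_id_token(tokens["id_token"], SIGNING_KEY, nonce)["sub"]

def run_flow(user):
    """Happy path; the returned id is what a Sling-level handler would log into Oak with."""
    rp = RelyingParty(Provider())
    return rp.callback(rp.provider.authorize(rp.start_login(), user))
```

In Sling the `RelyingParty` role would sit in an authentication handler of the framework Eugen links as [5], with `pending` kept in a cookie or session rather than a dict, and the verified `sub` (not the raw access token) is what gets handed to the repository, which matches Robert's point that SSO belongs at the Sling level and Oak only needs the resulting user identity. The `exp` window and the 60-second code lifetime are illustrative values.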