You may want to also check out Apache Oltu[0][1] which I believe Antonio Sanso (asanso) had a hand in building.
[0] https://github.com/apache/oltu
[1] https://oltu.apache.org/

> On Feb 14, 2018, at 6:12 AM, Robert Munteanu <[email protected]> wrote:
>
> Hi Eugen,
>
>> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>> Hello,
>>
>> I have been evaluating Sling for some time now and I've reached a point
>> where the blocker is whether we can integrate it with Keycloak to
>> provide single sign-on.
>>
>> A more generic question is: can Sling delegate
>> authentication/authorization to another system like Keycloak? Keycloak
>> uses the OpenID Connect protocol for authentication and implements OAuth2
>> grant types. I imagine it should be possible and I'm willing to
>> contribute some code and document this process.
>
> It definitely is possible. We had some old code which implemented
> OpenID authentication [1], but it's now retired. You should be able to
> infer how to do this, but feel free to ask.
>
>> How Keycloak integrates with other applications is that it acts like a
>> filter/proxy in front of the app. I believe that the flow would be like
>> this:
>>
>> - User accesses protected Sling resources
>> - Sling checks if the user is authenticated by reading a cookie (or maybe
>>   a token)
>> - If the user is not authenticated, they are redirected to the Keycloak
>>   server
>> - Keycloak handles auth. After successful authentication, the user is
>>   redirected back to Sling with an authorization code (in the
>>   authorization code grant flow).
>> - Sling will have to call the Keycloak API to exchange that code for an
>>   access token (OAuth2) and an identity token (OpenID Connect).
>> - Sling can use those tokens to determine access rights (reading from
>>   the token in the case of a JWT, or calling the Keycloak API)
>>
>> Now I know that Sling needs to authenticate to the Oak repository. My
>> question is: should the integration with Keycloak (or any OpenID Connect
>> / OAuth2 provider) happen just in Sling, just in Oak, or in both?
>
> I have tried neither so far :-) but my understanding is that Oak-level
> authentication should be done when you need to reuse the user/group
> information transparently - e.g. LDAP auth. If you need an SSO scenario
> you should work at the Sling level, as this is too high in the stack
> for Oak.
>
> Hope this gives you a little something to start with.
>
> Robert
>
>> Could someone point out the places (modules, classes) where these
>> integrations could be made? I've looked at Sling authentication [4] and
>> [5] but I'm still a bit confused as to how Sling relates to
>> authentication and authorization. From my understanding, Oak manages
>> access and permissions (much like PostgreSQL and other RDBMSs have
>> support for these features). I will wait for some answers here and based
>> on that continue on the Oak mailing list.
>>
>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
>> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
>> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
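For readers following the flow Eugen sketches above (redirect to the provider, code comes back, code is exchanged for tokens, token claims decide access), here is an added, self-contained simulation of the authorization code flow between a Sling-like relying party and a Keycloak-like OpenID provider, written for this thread and not taken from Sling, Oak, Keycloak or Oltu. Both sides run in one process; the issuer URL, client id, redirect URI and the HS256 shared secret are constructed placeholders (a real Keycloak realm signs ID tokens with RS256 and the relying party verifies them against the realm's published JWKS). The checks a Sling-side handler must not skip are the ones shown: the `state` bound to the browser session, the one-time use of the code, and the signature, issuer, audience, expiry and `nonce` of the ID token before any session is established.

```python
"""Authorization-code flow: Sling-like relying party vs. Keycloak-like provider.
Added illustration for the thread above; all names and the secret are constructed."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example/realms/demo"       # constructed placeholder
CLIENT_ID = "sling"                               # constructed placeholder
REDIRECT_URI = "https://sling.example/callback"   # constructed placeholder
SECRET = b"constructed-shared-secret"             # stand-in for the provider's signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET, signing_input, hashlib.sha256).digest()


class Provider:
    """Minimal OpenID provider: hands out one-time codes and signed ID tokens."""
    def __init__(self):
        self._codes = {}

    def authorize(self, url: str, user: str) -> str:
        """User authenticated at the provider; bind a code to this request and redirect back."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        assert q["response_type"] == "code" and q["client_id"] == CLIENT_ID
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["nonce"], user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, client_id: str, redirect_uri: str) -> dict:
        """Token endpoint: the code is single use and tied to client and redirect_uri."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": entry[3], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": entry[2]}
        head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps(claims).encode())
        sig = _b64(_sign(f"{head}.{body}".encode()))
        return {"access_token": secrets.token_urlsafe(16), "id_token": f"{head}.{body}.{sig}"}


class RelyingParty:
    """Sling-side handler: redirect unauthenticated users, then validate what comes back."""
    def __init__(self, provider: Provider):
        self.provider = provider
        self.sessions = {}   # session id -> pending state/nonce, later the authenticated user

    def request_credentials(self, session_id: str) -> str:
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state, "nonce": nonce}
        return ISSUER + "/protocol/openid-connect/auth?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
            "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce})

    def callback(self, session_id: str, url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        pending = self.sessions.get(session_id, {})
        # state ties the callback to the browser session that started the flow
        if not hmac.compare_digest(q.get("state", ""), pending.get("state", "")):
            raise PermissionError("state mismatch")
        tokens = self.provider.token(q["code"], CLIENT_ID, REDIRECT_URI)
        user = verify_id_token(tokens["id_token"], pending["nonce"])
        self.sessions[session_id] = {"user": user}   # only now is a session established
        return user


def verify_id_token(token: str, expected_nonce: str, now=None) -> str:
    """Check alg, signature, issuer, audience, expiry and nonce; return the subject."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":   # never let the token pick the alg
        raise PermissionError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{head}.{body}".encode()), _unb64(sig)):
        raise PermissionError("bad signature")
    c = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if c["iss"] != ISSUER or c["aud"] != CLIENT_ID:
        raise PermissionError("wrong issuer or audience")
    if c["exp"] <= now:
        raise PermissionError("token expired")
    if c["nonce"] != expected_nonce:
        raise PermissionError("nonce mismatch")
    return c["sub"]


def run_flow(user: str = "alice") -> str:
    """Drive the whole exchange for one browser session and return the logged-in subject."""
    idp, rp = Provider(), RelyingParty(Provider())
    rp.provider = idp
    redirect = rp.request_credentials("sess-1")   # unauthenticated: send user to the provider
    back = idp.authorize(redirect, user)          # provider redirects back with code + state
    return rp.callback("sess-1", back)            # exchange the code, verify the ID token
```

In a real Sling deployment the `request_credentials`/`callback` pair corresponds to the `requestCredentials` and `extractCredentials` steps of an `AuthenticationHandler`, and the verified subject (plus any group claims you choose to trust) is what gets handed down to Oak as a pre-authenticated user; the subject is never taken from the unverified callback parameters.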
