Hi,

Thank you all for the feedback so far. I think that in the first iteration I will go with a single user approach.
Later I will look into the synchronizing users and groups if necessary. I believe/hope I can avoid that by leveraging authorization information in the identity token (JWT) / or keycloak API. That way I think I will be able to authorize requests based on user attributes and context (web path/ repository path, etc). It's time for a POC ! I will keep you posted.

Thanks,

On 14.02.2018 16:55, Chris Millar wrote:
> You may want to also check out Apache Oltu[0][1] which I believe Antonio
> Sanso (asanso) had a hand in building.
>
> [0] https://github.com/apache/oltu
> [1] https://oltu.apache.org/
>
>> On Feb 14, 2018, at 6:12 AM, Robert Munteanu <[email protected]> wrote:
>>
>> Hi Eugen,
>>
>>> On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:
>>> Hello,
>>>
>>> I have started evaluating Sling some time now and I've reached a point
>>> where the blocker is whether we can integrate it with Keycloak to
>>> provide single sign on.
>>>
>>> A more generic question is: can Sling delegate authentication/authorization
>>> to another system like Keycloak? Keycloak uses Openid Connect protocol for
>>> authentication and implements Oauth2 grant types. I imagine it should be
>>> possible and I'm willing to contribute some code and document this process.
>>
>> It definitely is possible. We had some old code which implemented
>> openid authentication [1], but it's now retired. You should be able to
>> infer how to do this, but feel free to ask.
>>
>>> How Keycloak integrates with other applications is that it acts like a
>>> filter/proxy in front of the app. I believe that the flow would be like
>>> this:
>>>
>>> - User access protected Sling resources
>>>
>>> - Sling checks if user is authenticated by reading cookie (or maybe token)
>>>
>>> - If user is not authenticated, it is redirected to the Keycloak server
>>>
>>> - Keycloak handles auth. After successful authentication, it is
>>> redirected back to the Sling with an authorization code (in
>>> authorization code grant flow).
>>>
>>> - Sling will have to call Keycloak API to exchange that code with an
>>> access token (Oauth2) and an identity token (OpenID Connect).
>>>
>>> - Sling can use those tokens to determine access rights (reading from
>>> token in case of JWT or calling Keycloak API)
>>>
>>> Now I know that Sling needs to authenticate to Oak repository. My
>>> question is: should the integration with Keycloak (or any OpenID Connect
>>> / Oauth2 provider) happen just in Sling, just in Oak or in both?
>>
>> I have tried neither so far :-) but my understanding is that Oak-level
>> authentication should be done when you need to reuse the user/group
>> information transparently - e.g. LDAP auth. If you need a SSO scenario
>> you should work at the Sling level, as this is too high in the stack
>> for Oak.
>>
>> Hope this gives you a little something to start with.
>>
>> Robert
>>
>>> Could someone point out the places (modules, classes) where these
>>> integrations could be made? I've looked at Sling authentication [4] and
>>> [5] but I'm still a bit confused as to how Sling relates to
>>> authentication and authorization. From my understanding, Oak manages
>>> access and permissions (much like PostgreSQL and other RDBMS have
>>> support for these features). I will wait some answers here and based on
>>> that continue on Oak mailing list.
>>>
>>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
>>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>>> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
>>> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
>>> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
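Once Sling holds the identity token from the code exchange described in the thread, the remaining work is validating that token and turning its claims plus the request path into an allow/deny decision. The following is an added example, not code from the thread, from Sling or from Keycloak: it assumes an HS256 demo secret in place of Keycloak's RS256 realm key (a real handler verifies against the realm's JWKS), a hypothetical realm and client id, and Keycloak's realm_access.roles claim as the role source.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not from the thread. A shared HMAC secret stands in for
# Keycloak's RS256 realm key; a real handler verifies against the realm's JWKS instead.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://keycloak.example/auth/realms/sling"   # hypothetical realm
CLIENT_ID = "sling-app"   # hypothetical client registered for Sling in Keycloak

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims):
    """Build a compact JWS; used here only to construct sample identity tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token(token, now=None):
    """Return the claims if alg, signature, issuer, audience and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # reject 'none' or any other alg
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(claims, path):
    """Allow/deny from the realm roles Keycloak puts in realm_access.roles plus the request path."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    if path.startswith("/content/admin/"):
        return "admin" in roles
    if path.startswith("/content/"):
        return bool(roles & {"editor", "admin"})
    return True  # everything else is open to any authenticated user
```

The signature, issuer, audience and expiry checks are the ones a Sling-side handler must do before trusting any claim for authorization, whatever library ends up doing the signing.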
