Hello Dmitry,

I would love to work with you on this functionality and to present it as
part of an AdaptTo talk together with you. I believe sharing is
beneficial in this situation.

Let's talk more about both implementing it and submitting an
AdaptTo talk together.

My interest is both personal and professional. We are migrating parts of
our services to Sling and Oak as content repository.

Also, Keycloak is one architectural component and we need to integrate
them. We use Kubernetes as a deployment environment.

I'll send you my personal details via individual email. Let's make a
call/chat regarding AdaptTo and then figure out the details on how to
implement things.

Regards,

Eugen


On 30.03.2018 07:32, Dmitry Telegin wrote:
> Hi,
>
> I've been investigating the same topic for some time; glad to hear I'm
> not alone :)
>
> I'm myself an experienced Keycloak user and also a contributor; I'm
> working for a company that offers Keycloak services and consulting
> (however, my interest in integrating Sling with Keycloak is stipulated
> by my personal project).
>
> I was planning to do a detailed post describing what it's all about /
> how it works / what needs to be done on Sling/Oak/KC sides etc.; even
> though you did an excellent introductory post, I think it won't hurt
> if I complete and publish mine too.
> Before that, I'd like to draw attention to some details:
> - to make things simpler, we can start with the so called bearer-only
> mode, which is topical for HTML5/JS applications. In this mode, it's
> the HTML5 app's responsibility to obtain a token (via redirect /
> iframe / direct grant etc.), so no redirect is required on a server
> side (however, REST services still need to validate the JWT token passed
> via "Authorization: bearer XXX" header);
> - as you've already mentioned, sooner or later we will have to tackle
> the problem of user synchronization between Oak and KC. I think we
> should avoid any KC-specific code here. One of the options would be to
> implement SCIM[1] support for Keycloak (see also a JIRA issue [2]).
> From what I've learned so far, that shouldn't be too hard, provided there
> are libraries like SCIM SDK[3] from PingIdentity. This will also open
> an opportunity to use Sling in the same manner with other SCIM+OIDC
> compliant IDM solutions like WSO2.
>
> By the way, are you interested in doing an adaptTo() 2018 talk on
> this? In case you were planning to do that yourself, would you mind me
> joining you (I'm an experienced speaker)? Otherwise, would you mind
> joining me? :) I know that the call for papers deadline is close, but I
> think we could give it a try. Question to the community: assuming that
> we'll have working code by August/September, do you guys think this
> could be a good topic for an adaptTo() talk?
>
> Let me know what you think!
>
> Cheers,
> Dmitry
>
> [1]
> https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
> [2] https://issues.jboss.org/browse/KEYCLOAK-2537
> [3] https://github.com/pingidentity/scim
>
>> Hello,
>>
>> I started evaluating Sling some time ago and I've reached a point
>> where the blocker is whether we can integrate it with Keycloak to
>> provide single sign-on.
>>
>> A more generic question is: can Sling delegate
>> authentication/authorization to another system like Keycloak? Keycloak
>> uses Openid Connect protocol for authentication and implements Oauth2
>> grant types. I imagine it should be possible and I'm willing to
>> contribute some code and document this process.
>>
>>
>> How Keycloak integrates with other applications is that it acts like a
>> filter/proxy in front of the app. I believe that the flow would be like
>> this:
>>
>> - User accesses protected Sling resources
>>
>> - Sling checks if the user is authenticated by reading a cookie (or maybe a token)
>>
>> - If user is not authenticated, it is redirected to the Keycloak server
>>
>> - Keycloak handles auth. After successful authentication, the user is
>> redirected back to Sling with an authorization code (in the
>> authorization code grant flow).
>>
>> - Sling will have to call the Keycloak API to exchange that code for an
>> access token (OAuth2) and an identity token (OpenID Connect).
>>
>> - Sling can use those tokens to determine access rights (reading from
>> token in case of JWT or calling Keycloak API)
>>
>> Now I know that Sling needs to authenticate to Oak repository. My
>> question is: should the integration with Keycloak (or any OpenID Connect
>> / Oauth2 provider) happen just in Sling, just in Oak or in both?
>>
>> Could someone point out the places (modules, classes) where these
>> integrations could be made? I've looked at Sling authentication [4] and
>> [5] but I'm still a bit confused as to how Sling relates to
>> authentication and authorization. From my understanding, Oak manages
>> access and permissions (much like PostgreSQL and other RDBMS have
>> support for these features). I will wait for some answers here and based on
>> that continue on the Oak mailing list.
>>
>>
>> [1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
>> [2] http://www.keycloak.org/docs/latest/securing_apps/index.html
>> [3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
>> [4] https://sling.apache.org/documentation/the-sling-engine/authentication.html
>> [5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html
>>
>>
>>


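The step both messages leave implicit is the token check itself: in Dmitry's bearer-only mode the REST service "still needs to validate the JWT token passed via the Authorization header", and in the original flow Sling "uses those tokens to determine access rights (reading from the token in case of JWT)". The following is an added example written for this thread; it is not code from Sling, Oak or Keycloak. It verifies a Keycloak-style RS256 token the way a bearer-only resource server should: pin the algorithm (never trust the token's own "alg", so "none" and RSA/HMAC key-confusion tokens are refused), select the realm key by "kid", verify the signature, and only then check "iss", "aud" and "exp". The realm URL `https://kc.example/auth/realms/sling`, the client id `sling-api`, the key id `k1` and the generated key are all assumptions standing in for a real realm; in production the public keys come from Keycloak's `<realm>/protocol/openid-connect/certs` endpoint and should be cached by "kid" and refreshed when an unknown "kid" appears. The `Sign` helper only exists to build input for the example; in the real flow only Keycloak holds the private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// Claims is the subset a resource server needs; Keycloak emits "aud" as a string or an array.
type Claims struct {
	Iss string      `json:"iss"`
	Sub string      `json:"sub"`
	Aud interface{} `json:"aud"`
	Exp int64       `json:"exp"`
}

// Verifier pins the realm URL trusted as issuer, this service's client id as audience, and the
// realm's signing keys by kid (in production fetched from <realm>/protocol/openid-connect/certs).
type Verifier struct {
	Issuer, Audience string
	Keys             map[string]*rsa.PublicKey
}

// Verify checks a compact JWS from "Authorization: Bearer <token>": alg and signature first, claims after.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := dec(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	// The verifier, not the token, decides the algorithm: honouring "alg" is how
	// "none" and RSA/HMAC key-confusion tokens get accepted.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	key, ok := v.Keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := dec(parts[2]); err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := dec(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != v.Issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if !hasAudience(c.Aud, v.Audience) {
		return nil, errors.New("token not issued for this audience")
	}
	if c.Exp == 0 || time.Now().After(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// hasAudience accepts both the string and the array form of "aud".
func hasAudience(aud interface{}, want string) bool {
	switch a := aud.(type) {
	case string:
		return a == want
	case []interface{}:
		for _, x := range a {
			if x == want {
				return true
			}
		}
	}
	return false
}

// Sign mints an RS256 token to feed the example; in the real flow only Keycloak holds the private key.
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + enc(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key, not a real realm key
	v := &Verifier{Issuer: "https://kc.example/auth/realms/sling", Audience: "sling-api", Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey}}
	fmt.Println(v.Verify(Sign(priv, "k1", map[string]interface{}{"iss": v.Issuer, "sub": "alice", "aud": "sling-api", "exp": time.Now().Add(time.Minute).Unix()})))
}
```

In Sling this check would naturally sit in an `AuthenticationHandler` (the extension point described in [5]), whose `extractCredentials` can map the verified "sub" claim onto the user that Oak's pre-authentication [3] then trusts. For the redirect variant in the original post the same verification applies to the ID token returned by the code exchange, and the exchange must additionally compare the `state` value it receives with the one it sent on the redirect, since the token alone says nothing about which browser session started the login.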