Hi Cris,

It may depend on what capabilities the external OAuth provider supplies.
For example, I believe some OAuth providers may provide a way to return
group memberships via OAuth2 scopes?

Otherwise, the mechanism for group membership lookup may depend on what
additional REST APIs your external server provides.  For example, once
you have a verified OAuth token, then you might be able to use that
identity to make additional https calls back to the OAuth provider to
retrieve additional data.  For example, with a valid facebook oauth token
you could invoke their graph APIs to get a list of the groups the user is a
member of.

Of course, if your external oauth provider doesn't provide any mechanism
for lookup of user/group profile data then you would need to figure
something else out.

As to where to do the group membership sync logic: If you are ok with a
short delay in the group memberships being updated, then I suppose you
could listen for login events and do the work in the async event handler.
Otherwise, if you expect the group membership to take effect immediately
during login, then doing that work in the
AuthenticationHandler#extractCredentials call would probably be ok after
you have verified the credentials are valid.

Regards,
-Eric

On Wed, Dec 11, 2019 at 11:45 AM Cris Rockwell <cmroc...@umich.edu> wrote:

> Hi Eric
>
> Thanks for the response. OAuth2 would be a handy option for user
> authentication, user creation and perhaps user attributes. But I’m pretty
> sure group membership would not come as part of the authentication process
> data (at least not for us). With an OAuth2 approach where group membership
> data is not included, would it be necessary or advisable to also use LDAP
> to lookup the user groups and then add/remove the user from the JCR groups
> upon sign in (or a quartz ETL-like job)? If so, I imagine we can add a fourth
> OSGi service to that list. But where should we make the call for the LDAP
> group membership service? Part of the custom AuthenticationHandler?  Or is
> OAuth2 just not a good fit given the need to manage group membership at the
> identity provider?
>
> Cris
>
> > On Dec 11, 2019, at 1:55 PM, Eric Norman <enor...@apache.org> wrote:
> >
> > Hi Cris,
> >
> > It should be possible.  For one of my projects I had to implement something
> > similar to support OAuth2 based logins to a sling based server using the
> > facebook/google/twitter oauth support.
> >
> > I basically needed 3 main custom OSGi services to make it work:
> > 1. A custom impl of AbstractAuthenticationFormServlet that was used to
> > initiate the oauth challenge from custom buttons on the login page.
> > 2. A custom org.apache.sling.auth.core.spi.AuthenticationHandler service
> > that handles the requesting/extraction/validation of the credentials from
> > the external oauth provider.  I used the scribejava library for the OAuth
> > conversations (https://github.com/scribejava/scribejava)
> > 3. A custom org.apache.felix.jaas.LoginModuleFactory service for the
> > "jackrabbit.oak" JAAS realm so the extracted oauth credentials from #2 are
> > accepted for logging in to the oak JCR repository without knowing the
> > password.
> >
> > The impl for #2 also dealt with linking the verified external account
> > identity with a local jackrabbit.oak user and copying any required
> > attributes from the external account to the local user profile.
> >
> > Regards,
> > Eric
> >
> > On Tue, Dec 10, 2019 at 2:34 PM Cris Rockwell <cmroc...@umich.edu> wrote:
> >
> >> Hello Sling Users
> >>
> >> Does anyone know of a solution for SSO for Apache Sling using OIDC, OAuth2
> >> or SAML2 using JCR-based access controls, user creation and attribute
> >> synchronization, and group membership?
> >>
> >> This one looks interesting, but is it dead?
> >>
> >>
> >> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
> >>
> >> This student project looks interesting, so is our best resource?
> >> https://github.com/apache/sling-whiteboard/pull/14
> >>
> >>
> >> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
> >>
> >>
> >> https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
> >> https://github.com/apache/sling-whiteboard/tree/master/oidc-handler
> >>
> >> There is this presentation about Keycloak, but as stated I’m looking to
> >> manage access controls on the content.
> >>
> >>
> >> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
> >>
> >> Thanks!
> >> Cris R
>
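As an added example (not Eric's code, nor anything from a Sling or Oak project), here is the repository-side step that either call site Eric describes (inside `AuthenticationHandler#extractCredentials` after the token is verified, or in an async login-event handler) would invoke once the provider's user-info/graph call or an LDAP lookup has returned the user's groups. It assumes a hypothetical `ext-` id prefix that marks externally managed groups, and a service session permitted to modify users and groups; only prefixed groups are ever added or removed, so groups administered locally in the JCR stay untouched.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Reconciles one user's JCR group memberships with the group names an external
 *  identity source (OAuth2 user-info/graph call or LDAP lookup) reports for them. */
public final class ExternalGroupSync {
    // Hypothetical convention: externally managed groups carry this id prefix.
    static final String EXTERNAL_PREFIX = "ext-";
    // adminSession: service session; userId: local user linked to the verified identity; reported: provider group names (no prefix)
    public static void sync(JackrabbitSession adminSession, String userId,
                            Set<String> reported) throws RepositoryException {
        UserManager um = adminSession.getUserManager();
        Authorizable user = um.getAuthorizable(userId);
        if (user == null || user.isGroup()) {
            throw new IllegalArgumentException("no local user for id " + userId);
        }
        // Collect stale external groups first; do not mutate while iterating.
        List<Group> stale = new ArrayList<>();
        Iterator<Group> current = user.declaredMemberOf();
        while (current.hasNext()) {
            Group g = current.next();
            String id = g.getID();
            if (id.startsWith(EXTERNAL_PREFIX)
                    && !reported.contains(id.substring(EXTERNAL_PREFIX.length()))) {
                stale.add(g);
            }
        }
        for (Group g : stale) {
            g.removeMember(user);
        }
        // Add the user to every reported group, creating the group on first sight.
        for (String name : reported) {
            String id = EXTERNAL_PREFIX + name;
            Authorizable a = um.getAuthorizable(id);
            Group g = (a instanceof Group) ? (Group) a : um.createGroup(id);
            if (!g.isMember(user)) {
                g.addMember(user);
            }
        }
        adminSession.save(); // commit all adds and removes in one transaction
    }
}
```

If the sync runs in the async event handler, the user's first request after login may still see the previous memberships, which is the short delay Eric mentions; running it in `extractCredentials` avoids that at the cost of a provider round trip on every login.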
