sling with sso - with oauth2 / openid connect


sling with sso - with oauth2 / openid connect

Eugen Stan-2
Hello,

I started evaluating Sling some time ago and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign-on.

A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.


How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:

- User accesses protected Sling resources

- Sling checks if the user is authenticated by reading a cookie (or maybe a token)

- If the user is not authenticated, they are redirected to the Keycloak server

- Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).

- Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).

- Sling can use those tokens to determine access rights (reading from the token in the case of a JWT, or calling the Keycloak API)

Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak, or in both?

Could someone point out the places (modules, classes) where these integrations could be made? I've looked at Sling authentication [4] and [5] but I'm still a bit confused as to how Sling relates to authentication and authorization. From my understanding, Oak manages access and permissions (much like PostgreSQL and other RDBMSs support these features). I will wait for some answers here and, based on those, continue on the Oak mailing list.


[1] https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

[2] http://www.keycloak.org/docs/latest/securing_apps/index.html

[3] http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html

[4] https://sling.apache.org/documentation/the-sling-engine/authentication.html

[5] https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-framework.html





RE: sling with sso - with oauth2 / openid connect

Jason Bailey
Here are some authentication implementations and their source code:

https://github.com/apache?utf8=%E2%9C%93&q=sling+auth

It's been a while since I touched this, so I hope I'm not too far off base here. There are two parts to an access control system: authentication and authorization.
It should be straightforward to tie in an external authentication mechanism. What might be confusing is that once you have an authenticated user, you need to associate a user that is defined in Sling with that authenticated person, because it's that user defined in Sling that provides the authorization for the content.

There are a couple of ways of handling the users within Sling. If you had broad categories of access, say you need them authenticated but once authenticated they don't have separate access rights:
1. You'd create a generic user and assign access controls to that user.
2. Once authenticated, you could then provide the credentials for that generic user you had created.

If you wanted more fine-grained control, let's say a different user for each authenticated person, you would need to create or import that person into Sling, at which point, on authentication, you can associate the specific Sling user that matches their ID.

Conceivably you could even, on authentication, create the user if that user is not there and then add that user to defined groups which have the ACLs defined. The last time I did that though, which was 6-7 years ago, it was a bit labor intensive.

Here's a bundle that provides a way to manage users in Sling:
https://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html#create-user

-Jason
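As an added illustration of the two strategies Jason lays out (one generic Sling user for everyone the identity provider authenticated, versus one Sling user per person created on first login and placed in groups), here is a small Python model. It is not Sling or Oak code: the `Repo` class is a stand-in for the Jackrabbit user manager and its ACLs, the user and group names, the role-to-group table and the sample claims are constructed, and only the `realm_access.roles` claim layout follows what Keycloak actually emits. What the model adds to the prose is the hygiene around the mapping: the subject is validated before it becomes a user id, unknown roles never turn into groups, and membership is re-synced on every login so a role removed at the identity provider is removed in Sling too.

```python
"""Mapping an externally authenticated identity to a Sling user.

Constructed example, not Sling, Oak or Keycloak code. Plain dictionaries stand
in for the Sling/Oak user manager and ACLs; the names below are assumptions.
"""
import re
from dataclasses import dataclass, field

GENERIC_USER = "sso-user"      # assumed name of a pre-created Sling user (strategy 1)
USER_PREFIX = "sso_"           # assumed naming convention for per-person users (strategy 2)
ROLE_TO_GROUP = {              # assumed mapping of IdP roles to Sling groups
    "reader": "content-readers",
    "editor": "content-editors",
}


@dataclass
class Repo:
    """Stand-in for the Sling/Oak user manager and ACLs (constructed, not Oak's API)."""
    users: dict = field(default_factory=dict)   # user id -> set of group names
    acls: dict = field(default_factory=dict)    # path prefix -> {group: {privileges}}

    def create_user(self, user_id):
        self.users.setdefault(user_id, set())

    def set_groups(self, user_id, groups):
        self.users[user_id] = set(groups)

    def is_allowed(self, user_id, path, privilege):
        """Longest-prefix ACL lookup: the most specific entry decides, nothing is
        inherited from shorter prefixes, and an unknown user gets nothing."""
        groups = self.users.get(user_id, set())
        for prefix in sorted(self.acls, key=len, reverse=True):
            if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
                granted = set()
                for group, privs in self.acls[prefix].items():
                    if group in groups:
                        granted |= privs
                return privilege in granted
        return False


def map_generic(claims, repo):
    """Strategy 1: every person the IdP authenticated becomes the same Sling user."""
    if not claims.get("sub"):
        raise ValueError("token has no subject")
    if GENERIC_USER not in repo.users:
        raise LookupError("generic user must be provisioned with its ACLs up front")
    return GENERIC_USER


def map_per_user(claims, repo):
    """Strategy 2: one Sling user per subject, created on first login and placed in
    the groups derived from the IdP's role claim (realm_access.roles is Keycloak's
    layout; the role values here are constructed)."""
    sub = claims.get("sub", "")
    # the subject is an opaque id chosen by the IdP; restrict it before it becomes a node name
    if not re.fullmatch(r"[A-Za-z0-9_\-]{1,64}", sub):
        raise ValueError("subject is missing or not a safe user id")
    user_id = USER_PREFIX + sub
    repo.create_user(user_id)
    roles = claims.get("realm_access", {}).get("roles", [])
    # unknown roles are ignored rather than turned into groups the repository never defined
    groups = {ROLE_TO_GROUP[r] for r in roles if r in ROLE_TO_GROUP}
    repo.set_groups(user_id, groups)   # re-sync on every login so removed roles take effect
    return user_id


def demo():
    repo = Repo(acls={
        "/content": {"content-readers": {"read"}},
        "/content/drafts": {"content-editors": {"read", "write"}},
    })
    repo.create_user(GENERIC_USER)
    repo.set_groups(GENERIC_USER, {"content-readers"})

    # constructed claims, shaped like the payload of an ID token
    alice = {"sub": "1b2c3d", "preferred_username": "alice",
             "realm_access": {"roles": ["reader", "editor", "offline_access"]}}
    bob = {"sub": "9z8y7x", "preferred_username": "bob",
           "realm_access": {"roles": ["reader"]}}

    generic = map_generic(alice, repo)
    a = map_per_user(alice, repo)
    b = map_per_user(bob, repo)
    return {
        "generic_read": repo.is_allowed(generic, "/content/news", "read"),
        "generic_write_drafts": repo.is_allowed(generic, "/content/drafts/x", "write"),
        "alice_write_drafts": repo.is_allowed(a, "/content/drafts/x", "write"),
        "bob_write_drafts": repo.is_allowed(b, "/content/drafts/x", "write"),
        "bob_read_news": repo.is_allowed(b, "/content/news", "read"),
        "alice_groups": sorted(repo.users[a]),
    }


if __name__ == "__main__":
    print(demo())
```

The generic user can read everything readers can but never write drafts, whatever the token says, which is exactly the limitation of strategy 1; the per-user mapping gives alice write access only because her token carries the `editor` role at login time.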




Re: sling with sso - with oauth2 / openid connect

Robert Munteanu-2
Hi Eugen,

On Tue, 2018-02-13 at 19:46 +0200, Ioan Eugen Stan wrote:

> Hello,
>
> I started evaluating Sling some time ago and I've reached a point where the blocker is whether we can integrate it with Keycloak to provide single sign-on.
>
> A more generic question is: can Sling delegate authentication/authorization to another system like Keycloak? Keycloak uses the OpenID Connect protocol for authentication and implements OAuth2 grant types. I imagine it should be possible and I'm willing to contribute some code and document this process.

It definitely is possible. We had some old code which implemented
openid authentication [1], but it's now retired. You should be able to
infer how to do this, but feel free to ask.

>
> How Keycloak integrates with other applications is that it acts like a filter/proxy in front of the app. I believe that the flow would be like this:
>
> - User accesses protected Sling resources
>
> - Sling checks if the user is authenticated by reading a cookie (or maybe a token)
>
> - If the user is not authenticated, they are redirected to the Keycloak server
>
> - Keycloak handles auth. After successful authentication, the user is redirected back to Sling with an authorization code (in the authorization code grant flow).
>
> - Sling will have to call the Keycloak API to exchange that code for an access token (OAuth2) and an identity token (OpenID Connect).
>
> - Sling can use those tokens to determine access rights (reading from the token in the case of a JWT, or calling the Keycloak API)
>
> Now I know that Sling needs to authenticate to the Oak repository. My question is: should the integration with Keycloak (or any OpenID Connect / OAuth2 provider) happen just in Sling, just in Oak, or in both?

I have tried neither so far :-) but my understanding is that Oak-level authentication should be done when you need to reuse the user/group information transparently - e.g. LDAP auth. If you need an SSO scenario you should work at the Sling level, as this is too high in the stack for Oak.

Hope this gives you a little something to start with.

Robert


Re: sling with sso - with oauth2 / openid connect

chrismillar
You may want to also check out Apache Oltu[0][1] which I believe Antonio Sanso (asanso) had a hand in building.

[0] https://github.com/apache/oltu
[1] https://oltu.apache.org/

> On Feb 14, 2018, at 6:12 AM, Robert Munteanu <[hidden email]> wrote:

Re: sling with sso - with oauth2 / openid connect

Eugen Stan-2
Hi,

Thank you all for the feedback so far. I think that in the first iteration I will go with a single-user approach.

Later I will look into synchronizing users and groups if necessary.

I believe/hope I can avoid that by leveraging authorization information in the identity token (JWT) or the Keycloak API.

That way I think I will be able to authorize requests based on user attributes and context (web path / repository path, etc.).

It's time for a POC! I will keep you posted.

Thanks,


On 14.02.2018 16:55, Chris Millar wrote:

> You may want to also check out Apache Oltu[0][1] which I believe Antonio Sanso (asanso) had a hand in building.
>
> [0] https://github.com/apache/oltu
> [1] https://oltu.apache.org/

Re: sling with sso - with oauth2 / openid connect

Eugen Stan-2
Hello Dmitry,

I would love to work with you on this functionality and to present it as part of an AdaptTo talk together with you. I believe sharing is beneficial in this situation.

Let's talk more about both implementing it and submitting an AdaptTo talk together.

My interest is both personal and professional. We are migrating parts of our services to Sling and Oak as content repository.

Keycloak is also one of our architectural components and we need to integrate them. We use Kubernetes as a deployment environment.

I'll send you my personal details via individual email. Let's have a call/chat regarding AdaptTo and then figure out the details of how to implement things.

Regards,

Eugen


On 30.03.2018 07:32, Dmitry Telegin wrote:

> Hi,
>
> I've been investigating the same topic for some time; glad to hear I'm not alone :)
>
> I'm myself an experienced Keycloak user and also a contributor; I'm working for a company that offers Keycloak services and consulting (however, my interest in integrating Sling with Keycloak is stipulated by my personal project).
>
> I was planning to do a detailed post describing what it's all about / how it works / what needs to be done on the Sling/Oak/KC sides etc.; even though you did an excellent introductory post, I think it won't hurt if I complete and publish mine too.
> Before that, I'd like to draw attention to some details:
> - to make things simpler, we can start with the so-called bearer-only mode, which is topical for HTML5/JS applications. In this mode, it's the HTML5 app's responsibility to obtain a token (via redirect / iframe / direct grant etc.), so no redirect is required on the server side (however, REST services still need to validate the JWT token passed via the "Authorization: bearer XXX" header);
> - as you've already mentioned, sooner or later we will have to tackle the problem of user synchronization between Oak and KC. I think we should avoid any KC-specific code here. One of the options would be to implement SCIM[1] support for Keycloak (see also a JIRA issue [2]). From what I've learned so far, that shouldn't be too hard, provided there are libraries like SCIM SDK[3] from PingIdentity. This will also open an opportunity to use Sling in the same manner with other SCIM+OIDC compliant IDM solutions like WSO2.
>
> By the way, are you interested in doing an adaptTo() 2018 talk on this? In case you were planning to do that yourself, would you mind me joining you (I'm an experienced speaker)? Otherwise, would you mind joining me? :) I know that the call for papers deadline is close, but I think we could give it a try. Question to the community: assuming that we'll have working code by August/September, do you guys think this could be a good topic for an adaptTo() talk?
>
> Let me know what you think!
>
> Cheers,
> Dmitry
>
> [1] https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
> [2] https://issues.jboss.org/browse/KEYCLOAK-2537
> [3] https://github.com/pingidentity/scim

