Hi Robert,

Thank you for providing the historical context. I spent the last few days reviewing and testing https://github.com/apache/sling-whiteboard/pull/14 with Sling 11 and started to make a few updates in a local branch, mostly related to pom.xml clean-up, error handling and logging.

I noticed that the user account creation relies on SlingRepository.loginAdministrative(), which has been marked for deprecation for some time. What’s the official position of the Sling community on using administrative sessions for user account creation? I attempted to refactor the code to use a service user, but it seems that I am missing some of the ACLs required to create user accounts. Is it worth using a service user for this use case, or should I just stick with SlingRepository.loginAdministrative and whitelist the necessary bundles? I am currently using the following provisioning definition, but it does not provide sufficient access to the service user to create a user.

    [:repoinit]
    create service user sling-oidc
    set ACL for sling-oidc
        allow jcr:read,rep:write on /home
    end

Secondly, I am not sure which is the best way to go regarding a clean-room implementation versus building on the work done in the PR above. I did a bit of research and found that OpenID has a process for certifying implementations. There are a couple of Java-based OpenID Connect (RP) client implementations that are certified (https://openid.net/developers/certified/) and are Apache licensed. The most promising seems to be https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, but bringing Spring dependencies into Sling may be a non-starter, correct? Starting with a client library like this may be the best way to ensure a more secure and spec-compliant implementation. I’ll take another look at what Keycloak has in terms of a client JAR.

At any rate, I will be sharing a new GitHub project (sling-org-apache-sling-auth-oidc) shortly with my current work. Once it’s out there, shall I take this discussion to JIRA (SLING-2759) or continue the discussion over the mailing list? I am new to the Sling community and would like to follow the best practices.

Thanks,

Gaston Gonzalez
Senior Architect | www.headwire.com

> On May 10, 2019, at 12:55 AM, Robert Munteanu <romb...@apache.org> wrote:
>
> Hi Gaston,
>
> On Thu, 2019-05-09 at 12:10 -0700, Gaston Gonzalez wrote:
>> Hi All,
>>
>> I have been researching an SSO solution for Sling for the last week and noticed that some work has been done around OpenID Connect. During my research I stumbled upon SLING-2759 and was able to get it working with Sling 11 using a couple of OpenID providers (e.g., Google Identity Platform and Auth0). This ticket has been stale since August 2018 and I was wondering if I can help contribute to the development of this feature.
>>
>> I searched the Sling dev and user mailing list archives and can’t seem to find any work that would supersede SLING-2759.
>>
>> Is SLING-2759 still the front runner for supporting OpenID Connect? Is there a better option on the table for supporting SSO in Sling?
>>
>> I also stumbled upon an adaptTo() 2018 talk, "Modern Authentication in Sling with OpenID Connect and Keycloak" (https://www.youtube.com/watch?v=aaqpmmyylis) that seems to suggest that there is some interest in OpenID Connect + Sling.
>
> I think it would be great if you would contribute towards OpenID Connect support in Sling! This is something I'm definitely interested in.
>
> As for the "historical" state, here's what I could dig up:
>
> 1. The solution in SLING-2759 has been expanded to https://github.com/apache/sling-whiteboard/pull/14
>
> The code is not final, and has not been reviewed by someone with a focus on security.
>
> 2. The KeyCloak integration has a (proof of concept?) repository at https://github.com/dteleguin/sling-keycloak-integration
>
> I am not sure whether building on any of those or doing a clean-room implementation is better, as I have no experience with OpenID Connect.
>
> I also seem to remember that KeyCloak supposedly has a client jar which would make it much simpler to connect to OpenID Connect providers, at least compared to the solution in SLING-2759.
>
> Anyway, let me know of any more questions, I'd be happy to help if needed.
>
> Thanks!
>
> Robert
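Added example of the service-user approach discussed in the thread (this is not code from the whiteboard PR, from the Keycloak integration repository, or from Sling itself): a hypothetical OSGi component that provisions the local account for an authenticated OIDC subject through a dedicated subservice instead of SlingRepository.loginAdministrative(). It assumes the subservice and system user are both named "sling-oidc", that a ServiceUserMapper mapping exists for the bundle, and that the system user is granted rep:userManagement (the Oak privilege UserManager needs for creating users) together with jcr:read and rep:write on /home; the class and package are placeholders.

```java
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Hypothetical component: creates the local account for an OIDC subject using a
// service user (no administrative session). Assumed repoinit for that user:
//   create service user sling-oidc
//   set ACL for sling-oidc
//       allow jcr:read,rep:write,rep:userManagement on /home
//   end
// plus a ServiceUserMapper mapping "<bundle-symbolic-name>:sling-oidc=sling-oidc".
@Component(service = OidcUserProvisioner.class)
public class OidcUserProvisioner {
    private static final String SUBSERVICE = "sling-oidc"; // assumed subservice name

    @Reference
    private ResourceResolverFactory resolverFactory;

    // Returns the id of the local account for an already authenticated OIDC subject,
    // creating it on first login. The caller passes an id it has already normalized.
    public String ensureUser(String userId) throws LoginException, RepositoryException {
        Map<String, Object> auth =
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            Session session = resolver.adaptTo(Session.class);
            if (!(session instanceof JackrabbitSession)) {
                throw new RepositoryException("session does not expose a UserManager");
            }
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable existing = um.getAuthorizable(userId);
            if (existing != null) {
                return existing.getID();
            }
            // Null password: the account has no local credentials, so it can only be
            // used through the OIDC handler, never via form or basic authentication.
            Authorizable created = um.createUser(userId, null);
            session.save(); // Oak enforces the missing-privilege case when persisting
            return created.getID();
        }
    }
}
```

With only jcr:read and rep:write on /home (the repoinit quoted in the message), the save() call is where the access denial surfaces; adding rep:userManagement to that ACL is the least-privilege alternative to whitelisting the bundle for loginAdministrative().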