Hi Eric 

Thanks for the response. OAuth2 would be a handy option for user 
authentication, user creation and perhaps user attributes. But I’m pretty sure 
group membership would not come as part of the authentication process data (at 
least not for us). With an OAuth2 approach where group membership data is not 
included, would it be necessary or advisable to also use LDAP to look up the 
user groups and then add/remove the user from the JCR groups upon sign in (or a 
Quartz ETL-like job)? If so, I imagine we can add a fourth OSGi service to that 
list. But where should we make the call to the LDAP group membership service? Part 
of the custom AuthenticationHandler?  Or is OAuth2 just not a good fit given 
the need to manage group membership at the identity provider?

Cris 

> On Dec 11, 2019, at 1:55 PM, Eric Norman <enor...@apache.org> wrote:
> 
> Hi Cris,
> 
> It should be possible.  For one of my projects I had to implement something
> similar to support OAuth2 based logins to a sling based server using the
> facebook/google/twitter oauth support.
> 
> I basically needed 3 main custom OSGi services to make it work:
> 1. A custom impl of AbstractAuthenticationFormServlet that was used to
> initiate the oauth challenge from custom buttons on the login page.
> 2. A custom org.apache.sling.auth.core.spi.AuthenticationHandler service
> that handles the requesting/extraction/validation of the credentials from
> the external oauth provider.  I used the scribejava library for the OAuth
> conversations (https://github.com/scribejava/scribejava)
> 3. A custom org.apache.felix.jaas.LoginModuleFactory service for the
> "jackrabbit.oak" JAAS realm so the extracted oauth credentials from #2 are
> accepted for logging in to the oak JCR repository without knowing the
> password.
> 
> The impl for #2 also dealt with linking the verified external account
> identity with a local jackrabbit.oak user and copying any required
> attributes from the external account to the local user profile.
> 
> Regards,
> Eric
> 
> On Tue, Dec 10, 2019 at 2:34 PM Cris Rockwell <cmroc...@umich.edu> wrote:
> 
>> Hello Sling Users
>> 
>> Does anyone know of a solution for SSO for Apache Sling using OIDC, OAuth2
>> or SAML2 using JCR-based access controls, user creation and attribute
>> synchronization, and group membership?
>> 
>> This one looks interesting, but is it dead?
>> 
>> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
>> <
>> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
>>> 
>> 
>> This student project looks interesting, so is our best resource?
>> https://github.com/apache/sling-whiteboard/pull/14
>> 
>> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
>> <
>> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
>>> 
>> 
>> https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
>> <
>> https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
>>> 
>> https://github.com/apache/sling-whiteboard/tree/master/oidc-handler <
>> https://github.com/apache/sling-whiteboard/tree/master/oidc-handler>
>> 
>> There is this presentation about Keycloak, but as stated I’m looking to
>> manage access controls on the content.
>> 
>> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
>> <
>> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
>>> 
>> 
>> Thanks!
>> Cris R
>> 
>> 
>> 

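The group-membership sync Cris asks about, written out as an added example against the Jackrabbit user-management API (this is editorial illustration, not code from either poster, from Sling or from the whiteboard projects linked above). It assumes a naming convention where directory-sourced groups are created as "ext-<name>", that the caller already holds a service session with user-management rights (e.g. obtained through ResourceResolverFactory.getServiceResourceResolver and adapted to javax.jcr.Session), and that the set of external group names has been looked up server-side (LDAP, or IdP claims where the provider sends them) and never taken from the client. Whether this is called from the AuthenticationHandler, from the LoginModule's commit phase, or from a scheduled job is the open question in the thread; the routine itself is the same in each case.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Reconciles a local JCR user's group membership with the group names an
 * external directory reports for that user. Only groups whose id carries
 * IDP_PREFIX are managed, so groups granted locally by an administrator are
 * never removed by the sync, and a compromised or misconfigured directory
 * cannot place the user into an unprefixed local group such as "administrators".
 */
public final class ExternalGroupSync {

    /** Assumed convention for this example: synced groups are "ext-<name>". */
    static final String IDP_PREFIX = "ext-";

    private ExternalGroupSync() {}

    /**
     * @param adminSession   a session permitted to manage users and groups
     *                       (a Sling service user session, not the signing-in
     *                       user's own session)
     * @param userId         id of the local user linked to the external identity
     * @param externalGroups group names looked up server-side for this user
     * @return ids of all groups the user is a declared member of after the sync
     */
    public static Set<String> sync(Session adminSession, String userId,
                                   Set<String> externalGroups) throws RepositoryException {
        if (!(adminSession instanceof JackrabbitSession)) {
            throw new IllegalArgumentException("a JackrabbitSession is required");
        }
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        Authorizable a = um.getAuthorizable(userId);
        if (a == null || a.isGroup()) {
            throw new IllegalStateException("no local user with id " + userId);
        }
        User user = (User) a;

        // Desired managed group ids, derived from the external names.
        Set<String> wanted = new HashSet<>();
        for (String name : externalGroups) {
            wanted.add(IDP_PREFIX + sanitize(name));
        }

        // Drop the user from managed groups the directory no longer reports.
        Iterator<Group> current = user.declaredMemberOf();
        while (current.hasNext()) {
            Group g = current.next();
            String id = g.getID();
            if (id.startsWith(IDP_PREFIX) && !wanted.contains(id)) {
                g.removeMember(user);
            }
        }

        // Add the user to every wanted group, creating groups that do not exist yet.
        for (String id : wanted) {
            Authorizable existing = um.getAuthorizable(id);
            Group g;
            if (existing == null) {
                g = um.createGroup(id);
            } else if (existing.isGroup()) {
                g = (Group) existing;
            } else {
                throw new IllegalStateException(id + " exists but is a user, not a group");
            }
            if (!g.isDeclaredMember(user)) {
                g.addMember(user);
            }
        }

        // Oak does not auto-save user management changes; persist explicitly.
        adminSession.save();

        Set<String> result = new HashSet<>();
        Iterator<Group> after = user.declaredMemberOf();
        while (after.hasNext()) {
            result.add(after.next().getID());
        }
        return result;
    }

    /** Restrict directory-supplied names to characters safe in an authorizable id. */
    static String sanitize(String name) {
        return name.toLowerCase().replaceAll("[^a-z0-9_\\-]", "_");
    }
}
```

Two points worth keeping whichever call site is chosen: the session doing the work must be a service session with user-management rights, because the signing-in user's own session normally cannot edit groups; and the removal step only ever touches prefixed groups, so local access-control decisions on content (which is what the original question was about) stay under local control even if the directory data is wrong.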