dgradecak / alfresco-jwt-auth
Alfresco Identity Service without Keycloak - but with a custom signed JWT
License: Apache License 2.0
Hi, first thanks for the hard work here giving some light on how to achieve OAuth with Alfresco.
I am trying to reproduce this example. I have set everything up in an Alfresco 6.2 Community as it is and as it is stated in the example here, but when I start Alfresco I get the following exception:
```
wks-docker-wks-platform-repo-acs-1 | Caused by: java.lang.NullPointerException
wks-docker-wks-platform-repo-acs-1 | at org.keycloak.adapters.KeycloakDeployment.getClient(KeycloakDeployment.java:264)
wks-docker-wks-platform-repo-acs-1 | ... 59 more
```
Any idea?
Thanks in advance
Hi!
I am testing in Alfresco 7.0 and I found a bug in the alfresco-jwt-auth-subsystem module:
this class is not found => `org.alfresco.repo.security.authentication.cloudgateway.IdentityServiceRemoteUserMapper`
Maybe it is an error in the package cloudgateway?
Thank you!
Hi again,
I think I have everything set correctly; I didn't really go beyond the example. When I use username and password in the gateway I get this:
```json
{
  "error": {
    "errorKey": "framework.exception.ApiDefault",
    "statusCode": 401,
    "briefSummary": "00260002 Authorization 'Bearer' not supported.",
    "stackTrace": "For security reasons the stack trace is no longer displayed, but the property is kept for previous versions",
    "descriptionURL": "https://api-explorer.alfresco.com"
  }
}
```
Also, I am not sure what I should put in the redirect-uri. I am using Google Cloud only for testing, and when I click to sign in with Google it always sends me to the http://localhost:9595/login page.
Thanks in advance
Most identity providers offer a JWKS URI for getting the public key to validate the token. This is especially useful when there are rotating keys and the JWT indicates the key to use via `kid` in the header. Currently we have only a single public key passed as a property:
`alfresco-jwt.realm-public-key=`
If we had a JWKS URI, it could potentially reduce the key copy-pasting issue and would also handle rotating keys.
For example:
`alfresco-jwt.jwks-uri=`
The public key can then be fetched from e.g. http://localhost:8180/cas/oidc/jwks
Thanks.
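The JWKS lookup the request above asks for, as an added example that is not part of the alfresco-jwt-auth project: a Go program (standard library only) that publishes RSA public keys as JWKS entries, signs a token under one kid and verifies it by selecting the key the header names, with alg pinned to RS256 so a rotated key set keeps validating. Key ids and claims are constructed sample values.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding
func seg(v interface{}) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func digest(s string) []byte  { h := sha256.Sum256([]byte(s)); return h[:] }
// KeyToJWK exports an RSA public key as the JWKS entry an IdP publishes under kid ("n"/"e": base64url big-endian ints).
func KeyToJWK(kid string, pub *rsa.PublicKey) map[string]string {
	return map[string]string{"kid": kid, "kty": "RSA", "n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}
// SignRS256 issues a compact JWT whose header names the signing key by kid (constructed IdP side).
func SignRS256(kid string, claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	input := seg(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + seg(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + b64.EncodeToString(sig), err
}
// VerifyWithJWKS resolves the token's kid against a JWKS document, pins alg to RS256 and checks the signature.
func VerifyWithJWKS(token string, jwksJSON []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg not RS256") // alg is pinned, never trusted from the token
	}
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if err := json.Unmarshal(jwksJSON, &set); err != nil { return nil, err }
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid || k.Kty != "RSA" { continue } // kid selects the key; this is what makes rotation work
		nb, _ := b64.DecodeString(k.N)
		eb, _ := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		sig, err := b64.DecodeString(parts[2])
		if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
			return nil, errors.New("signature does not verify under kid " + k.Kid)
		}
		var claims map[string]interface{}
		body, _ := b64.DecodeString(parts[1])
		return claims, json.Unmarshal(body, &claims)
	}
	return nil, errors.New("no key in JWKS for kid " + hdr.Kid)
}
```

In a real deployment the JWKS bytes come from the provider's `jwks_uri` over TLS and are cached with a refresh on an unknown kid; here the document is built in memory.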
So, in the Alfresco Document Management Repository we are allowed to set up an identity server (like you have done in this codebase) that can be used to authenticate / authorise users to browse folders / files etc. In the solution (which is skewed by Keycloak (style) as identity server), the following checks are made on the bearer token:
Note that we have a mandatory element of realm in the URL, which can cause validation to fail as not all identity providers follow that pattern.
e.g. in Apereo CAS it is https://identity-server:port/cas/oidc
where cas can be the context and oidc can be the realm name, but the keyword realm has no place in the URL.
The idea is to make properties such that these matching criteria can be made flexible.
This will open the solution to non-Keycloak identity providers, so that token validation could be whatever is offered by the identity provider.
Thanks.
Can we use the JWT tokens with the APS service similar to how you have described for other Alfresco products?
I checked the source code of APS and today it does not provide out-of-the-box support for a JWK URI / public key and decoding JWT tokens in its OAuth2 implementation.
Hello
I have cloned and configured your latest master to work as follows:
```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          github:
            provider: github
            client-id: LEFT BLANK INTENTIONALLY
            client-secret: LEFT BLANK INTENTIONALLY
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/github"
            scope: openid,profile,email
```
and
```yaml
        provider:
          github:
            user-info-uri: https://api.github.com/user
            user-name-attribute: login
```
I have also enabled DEBUG logging.
I have noticed in the debug logging that upon signing in, the code and state come from GitHub, which is then followed by the access_token being issued:
```
[825503a2-4] HTTP GET "/login/oauth2/code/github?code=0bacae4db7563c603a0b&state=kyS0tMlH8R9lRcC4fP5Ck48x04IlgyuYSNVvTP0EP2c%3D"
2021-06-04 11:28:02.598 DEBUG 41680 --- [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions : [487da5ae] HTTP POST https://github.com/login/oauth/access_token
2021-06-04 11:28:02.801 DEBUG 41680 --- [ctor-http-nio-4] o.s.http.codec.FormHttpMessageWriter : [487da5ae] Writing form fields [grant_type, code, redirect_uri] (content masked)
2021-06-04 11:28:03.005 DEBUG 41680 --- [ctor-http-nio-4] o.s.w.r.f.client.ExchangeFunctions : [487da5ae] Response 200 OK
2021-06-04 11:28:03.028 DEBUG 41680 --- [ctor-http-nio-4] o.s.http.codec.json.Jackson2JsonDecoder : [487da5ae] Decoded [{access_token=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, token_type=bearer, scope=}]
2021-06-04 11:28:03.033 DEBUG 41680 --- [ctor-http-nio-4] o.s.w.r.f.client.ExchangeFunctions : [487da5ae] Cancel signal (to close connection)
```
The issue is that after getting the access token it closes the connection and does not hit the JwtBearerAuthorizationHeaderGatewayFilterFactory apply method to create a JWT.
The result of all the above is that the login form says "Invalid Credentials", when actually the credentials are correct, as an access token was issued.
I am unsure / confused whether this is to do with configuration or something missing in the code.
Any help will be hugely appreciated.
Thanks.
PS: Thanks for a lovely walkthrough in the webinar at Alfresco. I have learnt a good amount from that demo.
Hello Daniel
I have a setup where the Alfresco Content Repository is running in Docker, and I have enabled the following settings in the Docker Compose file to allow a bearer JWT token to be the method of authentication:
```
-Dauthentication.chain=identity-service1:identity-service
-Didentity-service.register-node-at-startup=true
-Didentity-service.authentication.enabled=true
-Didentity-service.authentication.enable-username-password-authentication=false
-Didentity-service.bearer-only=true
-Didentity-service.realm-public-key=INTENTIONALLY BLANK
```
When attempting to reach the admin console via the above settings using Spring Cloud Gateway to generate the token, all is OK.
When attempting to reach the admin console via the above settings, where the token is issued by an Authorisation Server (Apereo CAS), I get an error saying Authorisation 'Bearer' not supported. I get that same error when I attempt REST API calls.
I have found it is the issuer (iss) in the JWT token payload that is different in my case. If I update iss to http://localhost:8180/auth/realms/alfresco, all is OK.
I cannot locate any setting on the repository side that is looking for this validation.
Any insights will be useful.
The version of Alfresco Content Repository that I am using is 6.2.0-ga Community edition.
Thanks in advance.
I have used Spring Cloud Gateway (cloned from your GitHub repo) and configured it to use Google as my Identity Provider. Upon successful redirection and issuing of the token, I am redirected to Alfresco Community (6.2 / 7.0 Snapshot) on Docker. When I attempt to go into the Admin console, I am getting the following error:
In 7.0 Snapshot (within browser and via API Explorer):
Authorisation 'Bearer' not supported.
In 6.2:
(within browser)
Attempted to login into admin console using non-admin credentials
(within API Explorer)
Authorisation 'Bearer' not supported.
As for configuration:
Passed properties
```
-Dauthentication.chain=identity-service1:identity-service
-Didentity-service.register-node-at-startup=true
-Didentity-service.authentication.enabled=true
-Didentity-service.authentication.enable-username-password-authentication=false
-Didentity-service.bearer-only=true
-Didentity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB
```
as Java options (in the Docker Compose file) for the Alfresco container.
Also attempted to update alfresco-global.properties (empty to begin with) within the Docker container:
```
authentication.chain=identity-service1:identity-service
identity-service.register-node-at-startup=true
identity-service.authentication.enabled=true
identity-service.authentication.enable-username-password-authentication=false
identity-service.bearer-only=true
identity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB
```
Both options were tried but the result was the same.
Any help from yourself will be greatly appreciated.
Thanks in advance.
Hi,
Tried the configuration given in the README, but Share is still not able to receive the token.
Below are the Share logs:
```
Caused by: org.springframework.extensions.surf.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata:
share_1 | at org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:185)
ERROR [alfresco.web.site] [http-nio-8080-exec-2] org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository
share_1 | org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository
```
Share config changes:
```xml
        <verify-hostname>true</verify-hostname>
    </ssl-config>
    <connector>
        <id>alfrescoCookie</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using cookie-based authentication</description>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
    </connector>
    <connector>
        <id>alfrescoHeader</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
        <!--<class>com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector</class>
        <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>-->
        <class>com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector</class>
        <userHeader>X-Alfresco-Remote-User</userHeader>
        <jwtHeader>WEB_TOKEN</jwtHeader>
    </connector>
```
Please help us find what could be the reason for the error in Share.