topic Re: Alfresco Authorization Server in Alfresco Forum

Alfresco Authorization Server

binduwavell — Fri, 31 Mar 2017 04:08:54 GMT

I noticed this bullet point for the upcoming release of alfresco-js-api 1.3.0:Add support Alfresco Authorization server js-apiThis is then backed up by this commit:Release 1.3.0 by eromano · Pull Request #208 · Alfresco/alfresco-js-api · GitHub From these, I discovered this documentationAuth 2 SS

Re: Alfresco Authorization Server

idwright — Thu, 06 Apr 2017 09:01:18 GMT

I would certainly welcome some work in this area for content services

My observations are that non standard auth is pretty fragile, and probably not well understood, at the moment as it seems to break with most new releases.

I made some comments in this JIRA [ALF-21848] Improve support for third party SSO via web-fragment.xml - Alfresco JIRA but this is only tweaking the current implementation.

AFAIK the current SAML work is for Enterprise only, I haven't heard about any OAuth work but that would be interesting as I think I might be able to set CAS up as an OAuth provider and could retire my CAS work which would be nice!

There seems to be an expectation that basic-auth will be used e.g. by mobile clients, ADF, CMIS and if SSO is introduced to the platform end points then that will be broken (rumour has it the internal instance can't be accessed via mobile)

(I have a nasty hack in my CAS amps to get around this)

I don't think that SSO has been properly considered in the context of ADF - I expect to be able to make it work but haven't had the time yet - from what I understand it's relying heavily on using a ticket after basic-auth, which isn't great.

Interesting comment

The server needs to be used in conjunction with the LDAP sync for users from the Alfresco Content Services LDAP directory.

I can't see why this would be the case

Re: Alfresco Authorization Server

binduwavell — Tue, 09 May 2017 13:26:32 GMT

Mario Romano Kristen Gastaldo Francesco Corti Any chance this thread could get some insight from Alfresco folks or a pointer to somewhere else where these items are covered?

Re: Alfresco Authorization Server

kgastaldo — Tue, 09 May 2017 13:46:48 GMT

I think this one snuck by, as discussions don't seem to get the coverage questions do. I'll send this to a few employees for some insight.

Re: Alfresco Authorization Server

idwright — Tue, 09 May 2017 14:06:37 GMT

I spoke, briefly, to Brian Remington about SSO at BeeCon and apparently SSO is somewhere near the top of his list.

However I got the impression that it's more to do with SSO between content services and process services than external SSO providers. (external SSO is a very strong requirement for me)

OpenID connect did come up as part of the discussion so it's possible external authentication providers will also be included.

We did, again very briefly, talk about the problems with external authorization (what you can do/group membership) as well as authentication (who you are) - for the record I'm happy with authentication and using the LDAP sync for the overlapping authorization (despite some problems with it e.g. [ACE-5679] Indirect groups no longer work as site manager - Alfresco JIRA )

Re: Alfresco Authorization Server

pkhazzaka — Thu, 27 Jul 2017 09:46:07 GMT

Do you have some additional information on the topic?

We would like to use oauth2 with Content Services in Community Edition.

Re: Alfresco Authorization Server

resplin — Thu, 28 Sep 2017 21:15:52 GMT

Sorry, I was asked a few times to respond but didn't get it done.

This discussion brings together a few separate engineering projects:

A short-term effort to make OAuth work with APS to meet an immediate customer requirement. This was recently delivered, and encompasses most of Bindu's questions. ‌ would have to answer the specific questions.
An immediate effort to provide an API and SSO gateway so that users of the ADF can access the various components of the Alfresco Digital Business Platform without having to change endpoints and re-authenticate. This project recently kicked off, but we don't yet have any details to share.
A long term project to build a platform wide authentication and identity service, which would work with both the content repository and the process engine. We are currently scoping this effort and evaluating underlying technologies that could speed our implementation. Our challenge is that there are a lot of related standards in the industry, and our customers have already adopted many of them. We are not yet sure how many we can support. The current list is: LDAP synchronization, SAML, OAuth, OpenID Connect, Kerberos, NTLMv2, JSON Web Token, and continuing to allow External Auth providers.

I mention these on the ‌ to explain the direction we are headed, but I'm not yet in a position to provide details as we are still experimenting in order to find the best approach.