topic Re: External Auth REST Api visibility in Alfresco Forum

External Auth REST Api visibility

iwine — Tue, 04 Aug 2020 16:16:30 GMT

Hi everyone.

I'm trying to invoke Alfresco Core REST API with external authentication option enabled. Everything works, but I have found there is one thing I do not understand.

As indicated in the documentation, in the file alfresco-global.properties , the property

external.authentication.defaultAdministratorUserNames = admin

is a separated list of user names who should be considered administrators by default.

I expected that the services could be called with external authentication only if the credentials of one of the administrators were present in the Basic Auth of the request.

Instead it works in all cases.

For example, I can access the administrator's data by passing the credentials of any user in the Basic Auth and in the header X-Alfresco-Remote-User=admin.

So what is the meaning of that property? And isn't there a way to avoid this behavior?

One last thing.

If a username not present in the system is passed in the header, I noticed that it is automatically created even if I don't understand with what password. Can't we avoid this?

I forgot, I'm using Alfresco Community Edition 6.2.

Thanks for any help!

Re: External Auth REST Api visibility

jpotts — Tue, 11 Aug 2020 16:27:58 GMT

You have enabled external authentication, which means Alfresco is no longer responsible for authentication--that has been delegated to some other system.

Whatever is in X-Alfresco-Remote-User is the user that Alfresco is going to assume has already been authenticated by your external system.

In this configuration you need to make sure that all traffic to Alfresco goes through a proxy which is protected by whatever external auth system you've enabled.

Hope that makes sense and that I'm understanding your issue correctly.

Re: External Auth REST Api visibility

ranjeetsi — Mon, 04 Jan 2021 23:17:58 GMT

Hi @jpotts ,

Thanks for the detail!

Have some questions:a) Can you please suggest what are the ways to protect the proxy by external auth system(ADFS).

b) If there is another mulesoft layer between custom UI and Alfresco server(with or without proxy) then how can the external authentication work via mulesoft(sample screenshot 1 attached)

The UI will make REST calls to mulesoft which has the api wrappers over alfresco REST apis. Also UI server can authenticate with mulesoft only via Oauth2 ,