https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133348#M35923 <P>Hello</P><P>I am using Alfresco Community Content Repository as document storage for our Angular Application. The application is part of the ecosystem where in order to login into the Angular Application, Apereo CAS server (Authentication / Authorisation Server) provides us a JWT. This JWT is then appended into header as Bearer Token in order to access various microservices that reside behind Netflix Zuul Gateway.</P><P>I have added Alfresco Community Content Repository to the ecosystem and want to configure it such as that the existing token in the header allows access to REST APIs which I will use from Angular Application for document storage.</P><P>Based on the documentation here (<A href="https://docs.alfresco.com/content-services/community/admin/auth-sync/#authentication-subsystems" target="_blank" rel="nofollow noopener noreferrer">https://docs.alfresco.com/content-services/community/admin/auth-sync/#authentication-subsystems</A>) my choices when using Alfresco Community are limited i.e. it does not include identity service or oauth. Even when I choose ACS 7.0 it offers idenity service as choice but not oauth.</P><P>Additionally, APS 1.11 (which I believe is Enterprise item) (<A href="https://docs.alfresco.com/process-services/latest/config/authenticate/" target="_blank" rel="nofollow noopener noreferrer">https://docs.alfresco.com/process-services/latest/config/authenticate/</A>) offers identity-service and oauth as authentication mechanism. However, I do not know how does configuring APS will as OAUTH will allow for access to Alfresco Community Repository from my application.</P><P>Is the above possible or not? Have I got a wrong end of the stick?</P><P>I have also looked at (<A href="https://github.com/dgradecak/alfresco-jwt-auth" target="_blank" rel="nofollow noopener noreferrer">https://github.com/dgradecak/alfresco-jwt-auth</A>) for allowing Alfresco community repository to respect JWT in header and that worked fine. Problem in that identity service properties used for Alfresco Community Repository require a fixed set of minimum claims, where of the claim is 'iss' issuer of the token. The Alfresco Community repository expects token to have iss of the shape http(s)://&lt;servername&gt;:&lt;port&gt;/&lt;context&gt;/realms/&lt;realm-name&gt;. This is very much aligned with Keycloak (where realms are created under master realm). In other (including CAS Apereo) Authorisation Servers, realms are not within iss URL. According to (<A href="https://docs.alfresco.com/identity-service/1.2/tutorial/sso/saml/#step-6-configure-alfresco-content-services-properties" target="_blank" rel="nofollow noopener noreferrer">https://docs.alfresco.com/identity-service/1.2/tutorial/sso/saml/#step-6-configure-alfresco-content-services-properties</A>) Alfresco Community Repository defaults realms following (identity-service.realm=alfresco ), hence it becomes unusable for other identity services. Even if the realm is marked as blank the expected URL for iss is expected as&nbsp;http(s)://&lt;servername&gt;:&lt;port&gt;/&lt;context&gt;/realms/ which is unusable as realms still exists in URL.</P><P>Are there any solutions or work arounds to get around this issue?</P><P>It is shame the identity service properties is so strict and do not offer flexibility.</P><P>I am excited to hear your comments.&nbsp;</P><P>Thanks.</P><P>Regards,</P> Thu, 03 Jun 2021 16:58:24 GMT manurajsingh 2021-06-03T16:58:24Z https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133348#M35923 <P>Hello</P><P>I am using Alfresco Community Content Repository as document storage for our Angular Application. The application is part of the ecosystem where in order to login into the Angular Application, Apereo CAS server (Authentication / Authorisation Server) provides us a JWT. This JWT is then appended into header as Bearer Token in order to access various microservices that reside behind Netflix Zuul Gateway.</P><P>I have added Alfresco Community Content Repository to the ecosystem and want to configure it such as that the existing token in the header allows access to REST APIs which I will use from Angular Application for document storage.</P><P>Based on the documentation here (<A href="https://docs.alfresco.com/content-services/community/admin/auth-sync/#authentication-subsystems" target="_blank" rel="nofollow noopener noreferrer">https://docs.alfresco.com/content-services/community/admin/auth-sync/#authentication-subsystems</A>) my choices when using Alfresco Community are limited i.e. it does not include identity service or oauth. Even when I choose ACS 7.0 it offers idenity service as choice but not oauth.</P><P>Additionally, APS 1.11 (which I believe is Enterprise item) (<A href="https://docs.alfresco.com/process-services/latest/config/authenticate/" target="_blank" rel="nofollow noopener noreferrer">https://docs.alfresco.com/process-services/latest/config/authenticate/</A>) offers identity-service and oauth as authentication mechanism. However, I do not know how does configuring APS will as OAUTH will allow for access to Alfresco Community Repository from my application.</P><P>Is the above possible or not? Have I got a wrong end of the stick?</P><P>I have also looked at (<A href="https://github.com/dgradecak/alfresco-jwt-auth" target="_blank" rel="nofollow noopener noreferrer">https://github.com/dgradecak/alfresco-jwt-auth</A>) for allowing Alfresco community repository to respect JWT in header and that worked fine. Problem in that identity service properties used for Alfresco Community Repository require a fixed set of minimum claims, where of the claim is 'iss' issuer of the token. The Alfresco Community repository expects token to have iss of the shape http(s)://&lt;servername&gt;:&lt;port&gt;/&lt;context&gt;/realms/&lt;realm-name&gt;. This is very much aligned with Keycloak (where realms are created under master realm). In other (including CAS Apereo) Authorisation Servers, realms are not within iss URL. According to (<A href="https://docs.alfresco.com/identity-service/1.2/tutorial/sso/saml/#step-6-configure-alfresco-content-services-properties" target="_blank" rel="nofollow noopener noreferrer">https://docs.alfresco.com/identity-service/1.2/tutorial/sso/saml/#step-6-configure-alfresco-content-services-properties</A>) Alfresco Community Repository defaults realms following (identity-service.realm=alfresco ), hence it becomes unusable for other identity services. Even if the realm is marked as blank the expected URL for iss is expected as&nbsp;http(s)://&lt;servername&gt;:&lt;port&gt;/&lt;context&gt;/realms/ which is unusable as realms still exists in URL.</P><P>Are there any solutions or work arounds to get around this issue?</P><P>It is shame the identity service properties is so strict and do not offer flexibility.</P><P>I am excited to hear your comments.&nbsp;</P><P>Thanks.</P><P>Regards,</P> Thu, 03 Jun 2021 16:58:24 GMT https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133348#M35923 manurajsingh 2021-06-03T16:58:24Z https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133349#M35924 <P>Hi&nbsp;<A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/85963">@manurajsingh</A>&nbsp;</P> <P><A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/37735">@daniel_gradecak</A>&nbsp;recently did an Alfresco Tech Talk Live on&nbsp; <A title="opens in a new tab" href="https://www.alfresco.com/events/webinars/alfresco-tech-talk-live-127" target="_blank" rel="noopener nofollow noreferrer">Alfresco &amp; JWT</A>. It might be worth while watching a recording of this Tech Talk. Daniel is also leading a <A href="https://hub.alfresco.com/t5/hackathon-june-2021-projects/jwt-authentication-subsystem-for-alfresco/idi-p/306906" target="_self" rel="nofollow noopener noreferrer">Hackathon project</A> on this topic - again, it might be worth working with him on this project on June 16th, 2021.</P> <P>HTH,</P> Fri, 04 Jun 2021 09:52:43 GMT https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133349#M35924 EddieMay 2021-06-04T09:52:43Z https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133350#M35925 <P>Hello&nbsp;<A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/76783">@EddieMay</A>&nbsp;</P><P>Thanks for a quick response.&nbsp;</P><P>Yes, I have been in communication with&nbsp;<A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/37735">@daniel_gradecak</A>&nbsp;and has been very helpful. Also I did go through his Blog as well as Webcast that are both useful</P><P>Issue is that some of the questions that I am asking are not directly relevant to his project and are relevant to Alfresco Community Respository directly and he has indicated to discuss those here on Alfresco Hub.</P><P>It would be useful if I can get some solutions or workarounds.</P><P>I will in the meantime also talk to&nbsp;<A href="https://migration33.stage.lithium.com/t5/user/viewprofilepage/user-id/37735">@daniel_gradecak</A>&nbsp;as <A href="https://hub.alfresco.com/t5/hackathon-june-2021-projects/jwt-authentication-subsystem-for-alfresco/idi-p/306906" target="_blank" rel="nofollow noopener noreferrer">https://hub.alfresco.com/t5/hackathon-june-2021-projects/jwt-authentication-subsystem-for-alfresco/idi-p/306906</A> are the changes that are essential for our project.</P><P>Regards,</P> Fri, 04 Jun 2021 11:53:58 GMT https://connect.hyland.com/t5/alfresco-forum/support-for-jwt-oauth-sso-on-alfresco-community-content/m-p/133350#M35925 manurajsingh 2021-06-04T11:53:58Z