JWT authentication subsystem (for Alfresco)
‎05-26-2021 04:57 AM
A simple JWT auth mechanism for Alfresco is missing, since Alfresco uses Keycloak's opinionated implementation and relies on Keycloak's upgrades or changes. This JWT auth subsystem would provide a simple mechanism to simply validate a JWT based on the public key configured.
The main goal of this auth subsystem is to be able to validate any JWT generated by third party servers.
Project Sponsor: Pleo Soft
Project Owner: @daniel_gradecak
Contact: daniel@pleosoft.com
Project Url: https://github.com/dgradecak/alfresco-jwt-auth
‎06-04-2021 08:00 AM
Hello
Sounds like a very good plan.
Ideally, one should be able to set up properties on Content Repository that would switch it to operate in OAUTH/OIDC mode where the incoming JWTs in Authorization Header can be mechanisms for accessing REST APIs. The mechanism should allow for setting of JWKS URI such that JWT can be validated.
Contextually, I am thinking of a CURL request or REST API call from say Angular Client Application, where JWT is in the Authorization Header and Gateway (proxy on steroids) will allow request to go through to Alfresco Community Repository to access offered APIs.
Thanks.

‎06-04-2021 08:18 AM
@daniel_gradecak, please do let me know if you want to discuss this further and/or require an additional set of hands and eyes.
‎06-05-2021 07:33 AM
My plan is that we implement a new authentication subsystem that works only with a JWT, part of that job is already done but with only using Alfresco existing classes, which in the future might cause some issues again, like there is a difference from Alf 6.2 and 7 and the current identity service auth subsystem cannot work out of the box.
Join me during the hackathon and we can find some time to discuss the different requirements and see if it could work for all required.
‎06-16-2021 03:39 PM
The Alfresco JWT authentication subsystem can be found here https://github.com/dgradecak/alfresco-jwt-auth/tree/master/alfresco-jwt-auth-subsystem

‎06-21-2021 07:58 AM
Hello Daniel
It is a good plan.
Having looked at the properties in alfresco-jwtproperties, I can see that there is dependency of realm i.e. making the issuer url in token follow structure as designed by keycloak i.e. iss value on token has to follow pattern with realm context in URL i.e. http://localhost:8180/auth/realm/alfresco
This is not necessarily true for non-keycloak systems i.e. url could be for example http://localhost:8180/cas/oidc ... Here oidc is realm and for cas (central authentication system)... Note that here the realm context is not there in URL.
It would be excellent to keep it flexible so that dependency of keycloak like URL is optional.
Thanks.

‎06-21-2021 08:02 AM
Hello Daniel
Another property that I have observed is
alfresco-jwt.realm-public-key=
It would be good to have another property or make this property flexible to use public key or uri for getting public key from jwks often published by authentication subsystems.
For example public key can be fetched from http://localhost:8180/cas/oidc/jwks
Thanks.
‎06-22-2021 02:17 PM
If you have time feel free to make a pull request and I will accept it. I suggest to move this discussion to github https://github.com/dgradecak/alfresco-jwt-auth and you could create a feature request

‎06-23-2021 01:01 PM
@daniel_gradecak Thanks for a response.
I will continue this discussion on your github page.
