
Support for JWT / OAuth SSO on Alfresco Community Content Repository

manurajsingh
Champ on-the-rise

Hello

I am using Alfresco Community Content Repository as document storage for our Angular application. The application is part of an ecosystem in which, in order to log in to the Angular application, an Apereo CAS server (authentication / authorisation server) provides us with a JWT. This JWT is then appended to the header as a Bearer token in order to access various microservices that reside behind a Netflix Zuul gateway.

I have added Alfresco Community Content Repository to the ecosystem and want to configure it such that the existing token in the header allows access to the REST APIs which I will use from the Angular application for document storage.

Based on the documentation here (https://docs.alfresco.com/content-services/community/admin/auth-sync/#authentication-subsystems), my choices when using Alfresco Community are limited, i.e. it does not include identity service or OAuth. Even when I choose ACS 7.0 it offers identity service as a choice, but not OAuth.

Additionally, APS 1.11 (which I believe is an Enterprise item) (https://docs.alfresco.com/process-services/latest/config/authenticate/) offers identity-service and OAuth as authentication mechanisms. However, I do not know how configuring APS with OAuth will allow access to the Alfresco Community Repository from my application.

Is the above possible or not? Have I got the wrong end of the stick?

I have also looked at (https://github.com/dgradecak/alfresco-jwt-auth) for allowing the Alfresco Community repository to respect a JWT in the header, and that worked fine. The problem is that the identity service properties used for the Alfresco Community Repository require a fixed set of minimum claims, one of which is 'iss', the issuer of the token. The Alfresco Community repository expects the token to have an iss of the shape http(s)://<servername>:<port>/<context>/realms/<realm-name>. This is very much aligned with Keycloak (where realms are created under the master realm). In other authorisation servers (including Apereo CAS), realms are not part of the iss URL. According to (https://docs.alfresco.com/identity-service/1.2/tutorial/sso/saml/#step-6-configure-alfresco-content-...) the Alfresco Community Repository defaults the realm as follows (identity-service.realm=alfresco), hence it becomes unusable for other identity services. Even if the realm is left blank, the iss URL is expected as http(s)://<servername>:<port>/<context>/realms/ which is unusable as "realms" still exists in the URL.

Are there any solutions or workarounds to get around this issue?

It is a shame the identity service properties are so strict and do not offer flexibility.

I am excited to hear your comments. 

Thanks.

Regards,

2 REPLIES

EddieMay
World-Class Innovator

Hi @manurajsingh 

@daniel_gradecak recently did an Alfresco Tech Talk Live on Alfresco & JWT. It might be worthwhile watching a recording of this Tech Talk. Daniel is also leading a Hackathon project on this topic; again, it might be worth working with him on this project on June 16th, 2021.

HTH,

Digital Community Manager, Alfresco Software.

Hello @EddieMay 

Thanks for a quick response. 

Yes, I have been in communication with @daniel_gradecak and he has been very helpful. I also went through his blog as well as his webcast, which are both useful.

The issue is that some of the questions I am asking are not directly relevant to his project but are relevant to the Alfresco Community Repository directly, and he has indicated that I should discuss those here on Alfresco Hub.

It would be useful if I can get some solutions or workarounds.

In the meantime I will also talk to @daniel_gradecak, as https://hub.alfresco.com/t5/hackathon-june-2021-projects/jwt-authentication-subsystem-for-alfresco/i... covers the changes that are essential for our project.

Regards,