TTL #133 - Alfresco and Keycloak: Beyond Basic Authentication - Follow up questions



The October 2021 Tech Talk Live was led by @afaust. There were many questions and we only had time to answer a few during the session. Axel provides an answer for every question in this blog post.

Session recording is available on demand in

Have you ever tried to use the Alfresco Desktop Sync Client with AIS, and could you share an ideal setup of the Alfresco Keycloak client? We are having issues with refresh-tokens, always getting REFRESH_TOKEN_ERRORs

Unfortunately, none of the Alfresco Enterprise customers or partners with which I work are using the Alfresco Desktop Sync Client, so I have not had any exposure to it yet, let alone in combination with AIS / Keycloak. Since I myself am not an Alfresco partner, I cannot "play around" with and evaluate Enterprise-only components with regards to compatibility / issues, and ideal setups.

Can Alfresco be integrated with an existing Keycloak realm so a customer can use Alfresco SSO capabilities with other applications?

Absolutely. There is nothing special to the definition of one or more clients for the various Alfresco applications. Unfortunately Alfresco does not provide an easy to use "client-only" import file for inclusion into an existing realm, and since the reference setup for my "optimal" setup (using identity delegation) involves configuration outside of the Alfresco client definition, I'll likely not provide a simple import either. But one thing I aim to provide is a base set of step-by-step guides via the UI, similar to the current documentation.

Does Keycloak provide some auditing/logging feature that would be easier to implement than Alfresco auditing?

Keycloak is not meant to be used for the same kind of logging/auditing that Alfresco does via its auditing feature. But Keycloak includes event logging capabilities for various authentication / authorisation / admin events which can be easily enabled and configured (as to which events are logged) in a running Keycloak server.

Do you have the opportunity to test with APS?

I only have one Enterprise customer using APS ~1.9 without AIS / Keycloak. As a non-partner, I don't have easy access to APS for testing purposes, and given that APS 1.x is potentially becoming obsolete whenever Alfresco ships APS 2.x or whatever the replacement will be, I would not invest too much effort in it given the uncertainty. But developing / testing an integration would certainly be key for the next iteration of whatever succeeds APS 1.x, and I would be extremely open to collaborate with anyone in making this possible.

What is the benefit of implementing KC integration inside Alfresco vs. having a reverse proxy as a security gateway passing REMOTE_USER header?

When it comes to "only" authenticating users, the benefit may be limited. Though I'd argue that setting up a proper security gateway passing REMOTE_USER might be just as much effort / complexity as setting up an integration with Keycloak, with the latter providing more easy to use optional features than a simple authenticating gateway (i.e. user/group synch, identity delegation to other services, transparent use of roles for access checks). Of course those features could be added / implemented via a gateway as well, but then you'd have to implement custom mapping in ACS handling whatever HTTP header is sent over the wire, which is not trivial due to the internal complexity of authentication subsystems in ACS.

Did you have to implement code in Share to refresh the token, so the session doesn't expire?

Yes, but not just on the Share side. Both Share and ACS will check the access token in the current HTTP session for validity on every request, and when a refresh is due, use the refresh token (if known) to obtain a new token. The one case in which a refresh token may not be known is when a client pro-actively provides a Bearer token (e.g. ADF-based clients) and that access token is linked to the Alfresco ticket without any refresh token - in that case, the access token will not be used anymore when it expires, disabling e.g. the transparent role mapping feature, but the ticket can still be used. There is even a setting in the ACS subsystem which can be used to toggle whether expired tokens associated with a ticket should fail hard instead of just being ignored (see

Are Keycloak actions similar to Alfresco actions, where you can introduce custom code to perform custom tasks?

No, Keycloak actions are pre-defined callouts from Keycloak to a Keycloak-enabled application via the configured "admin URL" to solely perform operations related to Keycloak authentication / integration, like session / token invalidation, forced logout, public key updates.

Does Keycloak support 2FA?

Yes, Keycloak itself supports 2FA, and when you use Keycloak to delegate authentication to a user directory like Azure Active Directory, you can of course rely on the 2FA mechanisms those Identity Providers provide.

If we have a user who is already authenticated with a different application that is SSO'd with ADFS as IDP using an OAuth claim... can we pass this token to Alfresco so that Keycloak can be configured as a broker to ADFS so that users can access ACS & APS without reauthentication? Can you provide the blog post link?

In short: yes. If a user is already authenticated with another application that uses Keycloak for federation to ADFS as an IdP, then the user can simply be redirected to Alfresco without any special handling, and when Alfresco performs its login form redirect to Keycloak, Keycloak will use the already authenticated session to provide an access token to Alfresco without the user having to reauthenticate. When the other application authenticated the user against ADFS directly using a login form redirect, then you could also redirect to Alfresco PROVIDED the Keycloak instance integrated with Alfresco has configured ADFS as the primary Identity Provider and redirects the user to the ADFS login automatically - in that case, ADFS will use the authenticated session to issue a token to Keycloak, which in turn will issue a token to Alfresco. In both scenarios, there is no need to actually forward a token to Alfresco.

Is there any user interface to check that the integration has happened properly, plus any end-user-level interface to check?

In short: there is no single user interface that shows you "everything works" or "feature XY does not work" - such a UI does not exist for any of the other Alfresco authentication subsystems, so there was nothing really into which I could hook. The easiest way to check the integration is properly working is to log in to the Keycloak account console and use the link in the "Applications" view to be redirected to i.e. Alfresco Share to see if you land at the user dashboard without having to authenticate. Features like user/group synchronisation and role integration are checked either via the logs or by simply using the appropriate feature.

Does Keycloak provide SCIM protocol support for identity synchronization?

Support for SCIM 2.0 API is unfortunately still on the backlog ( without a specific target version.

How are Keycloak roles/groups mapped to Alfresco roles/groups? You mention that, if Keycloak groups are mapped, they are not persistent unless synchronization is enabled.

When a user is authenticated via a Keycloak access token, a so called "authority extracter" API is called which can extract + map anything from the token as Alfresco roles / groups. The default extracter only handles Keycloak roles, not groups. The extracted / mapped authorities are added as details to the Alfresco (actually acegi / Spring Security) authentication holder in the current request / thread. When the request is over, that state is discarded along with the general authentication information. What I mentioned with regards to "persistent groups" is that whenever a Keycloak role is mapped to an Alfresco authority that is a group (i.e. GROUP_XYZ), the user will be treated by ACL checks as if belonging to the group, but will not be physically a member of the group (i.e. when checked via AuthorityService#getContainedAuthorities/getContainingAuthorities) - for that part one would need to rely on synchronizing the members of that group.
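One small Python model serves the two answers above on token refresh handling and on the authority extracter. It is an added illustration, not Alfresco's Java code: the token, the skew window, the role-to-authority mapping and the rule that unmapped roles are dropped are all assumptions made for the demo, and the token is treated as already signature-verified by the subsystem at login.

```python
import base64
import json

def b64url(data: dict) -> str:
    """Encode a JSON object the way JWT segments are encoded (no padding)."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Constructed, unsigned demo token (header.payload.signature)."""
    return f"{b64url({'alg': 'none'})}.{b64url(claims)}.sig"

def decode_claims(token: str) -> dict:
    """Read the payload of a token whose signature was verified when it was accepted."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def refresh_action(claims: dict, have_refresh_token: bool, fail_hard: bool, now: int, skew: int = 30) -> str:
    """Per-request check as described in the answer: 'ok' while the access token is
    valid, 'refresh' when it is (about to be) expired and a refresh token is known,
    otherwise 'ignore' (ticket stays usable, transparent role mapping stops) or
    'fail' when the subsystem is configured to fail hard on expired tokens."""
    if claims["exp"] - skew > now:
        return "ok"
    if have_refresh_token:
        return "refresh"
    return "fail" if fail_hard else "ignore"

# Assumed mapping from Keycloak role names to Alfresco authorities (constructed).
ROLE_MAP = {
    "alfresco-admin": "GROUP_ALFRESCO_ADMINISTRATORS",
    "editor": "GROUP_EDITORS",
    "contributor": "ROLE_CONTRIBUTOR",
}

def extract_authorities(claims: dict, client_id: str = "alfresco") -> list:
    """Default-extracter-like behaviour: realm and client roles only, Keycloak groups
    are not considered; roles without a mapping are dropped (demo choice)."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return sorted({ROLE_MAP[r] for r in roles if r in ROLE_MAP})

def transient_groups(authorities: list) -> list:
    """GROUP_ authorities from the token count for ACL checks in this request only;
    they do not make the user a persistent member of the group."""
    return [a for a in authorities if a.startswith("GROUP_")]
```
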

Do you have any stress test results for user/group synchronization from Keycloak to Alfresco?

I currently do not have stress test results with a meaningful number of users / groups. The synchronisation code already uses pagination / batching wherever possible, but due to the lack of query capabilities on the Keycloak API (only provides a simple text query and no "modified since" option), a synchronisation always has to process all users / groups in Keycloak.


Thanks everyone for attending the session. Feel free to start a conversation in this post's comments for any uncovered question.

And special thanks to @afaust for that great presentation!

About the Author
Angel Borroy is a Hyland Developer Evangelist. Over the last 15 years, he has been working as a software architect on Java, BPM, document management and electronic signatures. He has been working with Alfresco during the last years to customize several implementations in large organizations and to provide add-ons to the Community based on Records Management and Electronic Signature. He writes (sometimes) on his personal blog. He is a (proud) member of the Order of the Bee.