I am using Alfresco Community Content Repository as document storage for our Angular Application. The application is part of an ecosystem where, in order to log in to the Angular Application, an Apereo CAS server (Authentication / Authorisation Server) provides us with a JWT. This JWT is then appended to the header as a Bearer Token in order to access various microservices that reside behind a Netflix Zuul Gateway.
I have added Alfresco Community Content Repository to the ecosystem and want to configure it such that the existing token in the header allows access to the REST APIs which I will use from the Angular Application for document storage.
Based on the documentation here (https://docs.alfresco.com/content-services/community/admin/auth-sync/#authentication-subsystems), my choices when using Alfresco Community are limited, i.e. it does not include identity service or oauth. Even when I choose ACS 7.0, it offers identity service as a choice but not oauth.
Additionally, APS 1.11 (which I believe is an Enterprise item) (https://docs.alfresco.com/process-services/latest/config/authenticate/) offers identity-service and oauth as authentication mechanisms. However, I do not know how configuring APS with OAUTH will allow access to the Alfresco Community Repository from my application.
Is the above possible or not? Have I got the wrong end of the stick?
I have also looked at (https://github.com/dgradecak/alfresco-jwt-auth) for allowing the Alfresco Community repository to respect a JWT in the header, and that worked fine. The problem is that the identity service properties used for the Alfresco Community Repository require a fixed set of minimum claims, one of which is 'iss', the issuer of the token. The Alfresco Community repository expects the token to have an iss of the shape http(s)://<servername>:<port>/<context>/realms/<realm-name>. This is very much aligned with Keycloak (where realms are created under the master realm). In other Authorisation Servers (including Apereo CAS), realms are not part of the iss URL. According to (https://docs.alfresco.com/identity-service/1.2/tutorial/sso/saml/#step-6-configure-alfresco-content-...), the Alfresco Community Repository defaults the realm as follows (identity-service.realm=alfresco), hence it becomes unusable for other identity services. Even if the realm is left blank, the expected URL for iss is http(s)://<servername>:<port>/<context>/realms/, which is unusable as "realms" still exists in the URL.
Are there any solutions or workarounds to get around this issue?
It is a shame the identity service properties are so strict and do not offer flexibility.
I am excited to hear your comments.
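To make the issuer mismatch described in the post concrete, here is a small diagnostic (an added example, not code from the post, from Alfresco or from alfresco-jwt-auth) that decodes the payload of a JWT and reports whether its iss claim has the realm-based shape http(s)://<servername>:<port>/<context>/realms/<realm-name> and whether the realm matches the configured identity-service.realm. It deliberately does not verify the signature: it is only a pre-flight check for why a CAS-issued token would be rejected on the issuer claim, not an authentication routine. The host names, realm names and the helper that builds the test tokens are all constructed for this example; treating the port and context path as optional in the pattern is an assumption, since the post only shows the fully qualified form.

```python
import base64
import json
import re

# Issuer shape the Alfresco identity-service subsystem expects, per the post:
# http(s)://<servername>:<port>/<context>/realms/<realm-name>.
# Port and context path are treated as optional here (an assumption).
KEYCLOAK_ISS_RE = re.compile(
    r"^https?://[^/:]+(?::\d+)?(?:/[^/]+)*/realms/(?P<realm>[^/]+)/?$"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Does NOT verify the signature: this is a claim-shape diagnostic only and must
    never be used to decide whether a request is authenticated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token: str, expected_realm: str = "alfresco") -> dict:
    """Report whether iss has the realm-based shape and whether the realm matches.

    expected_realm defaults to the repository's own default, identity-service.realm=alfresco.
    """
    claims = decode_claims(token)
    iss = claims.get("iss")
    result = {"iss": iss, "has_realm_shape": False, "realm": None, "realm_matches": False}
    if not isinstance(iss, str):
        return result
    match = KEYCLOAK_ISS_RE.match(iss)
    if match:
        result["has_realm_shape"] = True
        result["realm"] = match.group("realm")
        result["realm_matches"] = match.group("realm") == expected_realm
    return result


def make_test_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature segment.

    The signature is a fixed dummy string, so this token is only useful as input
    to the diagnostic above; no real service should accept it.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample issuers: a Keycloak-style one, a CAS-style one, and a
    # Keycloak-style one whose realm differs from the configured default.
    samples = [
        "https://idp.example.com:8443/auth/realms/alfresco",
        "https://cas.example.com/cas/oidc",
        "http://localhost:8080/auth/realms/corp",
    ]
    for iss in samples:
        print(check_issuer(make_test_token({"iss": iss, "sub": "user1"})))
```

Running the script shows the first issuer passing both checks, the CAS-style issuer failing the shape check outright (no /realms/<realm> segment at all), and the third passing the shape check but failing the realm match; the last two are exactly the two rejection cases the post describes.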