JWT authentication subsystem (for Alfresco)

A simple JWT auth mechanism for Alfresco is missing, since Alfresco uses Keycloak's opinionated implementation and relies on Keycloak's upgrades or changes. This JWT auth subsystem would provide a simple mechanism to validate a JWT based on the configured public key.

The main goal of this auth subsystem is to be able to validate any JWT generated by third party servers.

Project Sponsor: Pleo Soft

Project Owner: @daniel_gradecak 

Contact: daniel@pleosoft.com

Project Url: https://github.com/dgradecak/alfresco-jwt-auth

8 Comments
manurajsingh
Active Member

Hello

Sounds like a very good plan.

Ideally, one should be able to set up properties on the Content Repository that would switch it to operate in OAuth/OIDC mode, where the incoming JWTs in the Authorization header can be the mechanism for accessing REST APIs. The mechanism should allow setting a JWKS URI so that the JWT can be validated.

Contextually, I am thinking of a cURL request or REST API call from, say, an Angular client application, where the JWT is in the Authorization header and a gateway (proxy on steroids) will allow the request to go through to the Alfresco Community Repository to access the offered APIs.

Thanks.

manurajsingh
Active Member

@daniel_gradecak, please do let me know if you want to discuss this further and/or require an additional set of hands and eyes :)

daniel_gradecak
Active Member

My plan is that we implement a new authentication subsystem that works only with a JWT. Part of that job is already done, but only using existing Alfresco classes, which in the future might cause some issues again; for example, there is a difference between Alfresco 6.2 and 7, and the current identity service auth subsystem cannot work out of the box.

Join me during the hackathon and we can find some time to discuss the different requirements and see if it could work for all of them.

daniel_gradecak
Active Member

The Alfresco JWT authentication subsystem can be found here: https://github.com/dgradecak/alfresco-jwt-auth/tree/master/alfresco-jwt-auth-subsystem

manurajsingh
Active Member

Hello Daniel

It is a good plan.

Having looked at the properties in alfresco-jwtproperties, I can see that there is a dependency on the realm, i.e. the issuer URL in the token has to follow the structure designed by Keycloak: the iss value on the token has to follow a pattern with the realm context in the URL, e.g. http://localhost:8180/auth/realm/alfresco

This is not necessarily true for non-Keycloak systems, i.e. the URL could be, for example, http://localhost:8180/cas/oidc ... Here oidc is the realm for CAS (central authentication system)... Note that here the realm context is not there in the URL.

It would be excellent to keep it flexible so that the dependency on a Keycloak-like URL is optional.

Thanks.

manurajsingh
Active Member

Hello Daniel

Another property that I have observed is

alfresco-jwt.realm-public-key=

It would be good to have another property, or to make this property flexible, so that it can take either a public key or a URI for getting the public key from the JWKS that authentication subsystems often publish.

For example, the public key can be fetched from http://localhost:8180/cas/oidc/jwks

Thanks.

daniel_gradecak
Active Member
@manurajsingh indeed, all that can be done, but it would require a bit more effort. The end goal of this module is to be refactored and to support a JWKS endpoint, but the artifact would need to produce an AMP instead of a simple jar containing only config files.

If you have time, feel free to make a pull request and I will accept it. I suggest moving this discussion to GitHub (https://github.com/dgradecak/alfresco-jwt-auth), where you could create a feature request.

manurajsingh
Active Member

@daniel_gradecak Thanks for the response.

I will continue this discussion on your GitHub page.