A simple JWT auth mechanism for Alfresco is missing, since Alfresco uses Keycloak's opinionated implementation and relies on Keycloak's upgrades or changes. This JWT auth subsystem would provide a simple mechanism to validate a JWT based on the configured public key.
The main goal of this auth subsystem is to be able to validate any JWT generated by third party servers.
Project Sponsor: Pleo Soft
Project Owner: @daniel_gradecak
Project Url: https://github.com/dgradecak/alfresco-jwt-auth
Sounds like a very good plan.
Ideally, one should be able to set up properties on the Content Repository that would switch it to operate in OAUTH/OIDC mode, where the incoming JWTs in the Authorization header can be the mechanism for accessing REST APIs. The mechanism should allow for setting a JWKS URI such that the JWT can be validated.
Contextually, I am thinking of a CURL request or REST API call from, say, an Angular client application, where the JWT is in the Authorization header and a Gateway (proxy on steroids) will allow the request to go through to the Alfresco Community Repository to access the offered APIs.
@daniel_gradecak, please do let me know if you want to discuss this further and/or require an additional set of hands and eyes.
My plan is that we implement a new authentication subsystem that works only with a JWT. Part of that job is already done, but only using Alfresco's existing classes, which in the future might cause some issues again: for example, there is a difference between Alf 6.2 and 7, and the current identity service auth subsystem cannot work out of the box.
Join me during the hackathon and we can find some time to discuss the different requirements and see if it could work for all of them.
The Alfresco JWT authentication subsystem can be found here https://github.com/dgradecak/alfresco-jwt-auth/tree/master/alfresco-jwt-auth-subsystem
It is a good plan.
Having looked at the properties in alfresco-jwtproperties, I can see that there is a dependency on the realm, i.e. the issuer URL in the token has to follow the structure designed by Keycloak: the iss value on the token has to follow a pattern with the realm context in the URL, i.e. http://localhost:8180/auth/realm/alfresco
This is not necessarily true for non-Keycloak systems, i.e. the URL could be, for example, http://localhost:8180/cas/oidc ... Here oidc is the realm and cas is the central authentication system... Note that here the realm context is not in the URL.
It would be excellent to keep it flexible so that the dependency on a Keycloak-like URL is optional.
Another property that I have observed is
It would be good to have another property, or make this property flexible, to use either a public key or a URI for getting the public key from the JWKS often published by authentication subsystems.
For example, the public key can be fetched from http://localhost:8180/cas/oidc/jwks
If you have time, feel free to make a pull request and I will accept it. I suggest moving this discussion to GitHub https://github.com/dgradecak/alfresco-jwt-auth where you could create a feature request.