Simple JWT instead of Alfresco Identity Service
Based on my last post, I was working on a simple integration between a custom JWT and Alfresco. Alfresco offers an SSO solution called Identity Service (IDS) that is based on Keycloak and is implemented as an authentication subsystem on the repository side.
The goal here is to sign our own JWT and send it to our Alfresco repository (+Share, +ADF apps) via standard HTTP headers. However, I am not keen on implementing any custom module on the repository side; I want to reuse everything Alfresco already provides via the "identity-service" authentication subsystem.
We still need a service that creates the JWT, and my Spring Cloud Gateway project is a good candidate, since it already does that with a custom JKS (Java keystore).
All we have to do is configure Alfresco to use its identity-service authentication subsystem with the key pair from that keystore. Note the direction: a JWT is signed with the private key and verified with the matching public key, so the private key stays on the gateway and only the public key is exported from the JKS and defined in alfresco-global.properties.
With the public key configured, the repository validates the signature of our JWT locally instead of calling IDS to check the key or the token. Anyone holding the private key can mint a token the repository will accept, so treat the keystore on the gateway accordingly.
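To make the two key roles concrete, here is an added example (it is not the author's gateway code and not Alfresco's subsystem): the gateway side signs an RS256 JWT with the private key, and the repository side verifies it with nothing but the public key, pins the algorithm, and checks issuer and expiry before trusting a single claim. The claim names (`iss`, `preferred_username`, `exp`), the issuer URL and the freshly generated key are assumptions that stand in for the gateway's JKS and for whatever claim mapping your ACS version uses; the Keycloak-based subsystem performs these checks itself, this only shows what it is trusting and why the private key must never leave the gateway.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWT uses base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// Claims is the minimal payload the gateway issues. Which claim the repository
// maps to the Alfresco user name is an assumption; check your ACS version.
type Claims struct {
	Issuer   string `json:"iss"`
	Username string `json:"preferred_username"`
	Expiry   int64  `json:"exp"`
}

// NewSigningKey stands in for the key loaded from the gateway's JKS.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign is the gateway side: RS256 over header.payload with the PRIVATE key.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the repository side: it holds only the PUBLIC key and never calls the
// issuer. Alg, signature, issuer and expiry are checked before any claim is trusted.
func Verify(pub *rsa.PublicKey, token, issuer string, now int64) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return c, errors.New("bad base64url")
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	// Pin the algorithm: never let the token choose "none" or an HMAC alg.
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	if c.Issuer != issuer {
		return c, errors.New("wrong issuer")
	}
	if now >= c.Expiry {
		return c, errors.New("token expired")
	}
	return c, nil
}

// TamperUsername rewrites preferred_username but keeps the old signature (all an attacker without the private key can do).
func TamperUsername(token, user string) string {
	parts := strings.Split(token, ".")
	var c Claims
	payload, _ := b64.DecodeString(parts[1])
	_ = json.Unmarshal(payload, &c)
	c.Username = user
	forged, _ := json.Marshal(c)
	return parts[0] + "." + b64.EncodeToString(forged) + "." + parts[2]
}

func main() {
	priv, _ := NewSigningKey()
	now := time.Now().Unix()
	tok, _ := Sign(priv, Claims{Issuer: "https://gateway.example", Username: "admin", Expiry: now + 300})
	fmt.Println(Verify(&priv.PublicKey, TamperUsername(tok, "attacker"), "https://gateway.example", now))
}
```

Running it prints the rejection of the tampered token ("bad signature"): the payload changed but nobody without the private key can produce a matching signature. This is also why the roles cannot be swapped as the original wording suggested: a public key is, by definition, known to everyone, so a signature made with it would prove nothing.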
Once the repository side has been set up, we can set up Share. Unfortunately, Share has no native support for JWT or for IDS, and there is no way to do this without some customization, but Share supports external authentication, and that mechanism can be reused to carry our JWT in a header that Share sends to the repository. With the external-auth setup, Share normally sends a header containing the username and the repository accepts that name as-is, so the header must only ever reach the repository from a trusted component such as Share or the gateway, never directly from a client. The user has to exist in Alfresco, either created manually or synchronized from an external system such as LDAP.
Our Share configuration is straightforward, and if you have ever configured external auth you will easily recognize it:
    <connector>
        <id>alfrescoHeader</id>
        <name>Alfresco Connector</name>
        <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
        <class>com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector</class>
        <userHeader>X-Alfresco-Remote-User</userHeader>
        <jwtHeader>WEB_TOKEN</jwtHeader>
    </connector>
Now that all this has been set up, if you used the sample JKS provided you can log in via the cloud gateway. Be aware that if you use OAuth2 you have to register your application with the provider of your choice and configure it correctly. It is also mandatory that the username exists in Alfresco. All of this works with both Alfresco Enterprise and Community.
If you open the gateway in a browser you should get the out-of-the-box Spring Security login page listing the configured OAuth2 providers.
Regarding ADF applications, the way I do this kind of integration is to reuse the "kerberos configuration", where ADF simply forwards all the headers it receives and does not ask for login credentials (remember external auth: it just works).
With all this, it is quite easy to be a bit creative and find new ways to use the Alfresco platform. I also submitted a talk for DevCon 2020, so fingers crossed!
Alfresco 6.2 needs another property setting in order to avoid an NPE that was fixed in Keycloak: https://github.com/keycloak/keycloak/commit/9b2e7f6e2c96bc43fef820c141d27bf4dc09b84b