
Simple JWT instead of Alfresco Identity Service

Following on from my last post, I have been working on a simple integration between a custom JWT and Alfresco. Alfresco offers an SSO solution called Identity Service that is based on Keycloak and is implemented as an authentication subsystem on the repository side.

The goal here is to sign our own JWT and send it to our Alfresco repository (plus Share and ADF apps) via standard HTTP headers. However, I am not keen on implementing any custom module on the repository side; I just want to reuse everything Alfresco already provides via the "identity-service" authentication subsystem.

We still need a service that creates the JWT, and my Spring Cloud Gateway project is a good candidate, since it already does that with a custom JKS.

Gateway architecture

All we have to do is configure Alfresco to use its identity-service authentication subsystem with our own keypair. The JWT is signed with the private key (which stays with the gateway) and verified with the matching public key, which is defined in alfresco-global.properties:

  • identity-service.authentication.enabled=true
  • identity-service.authentication.enable-username-password-authentication=false
  • identity-service.bearer-only=true
  • identity-service.realm-public-key=YOUR_PUBLIC_KEY

Alfresco is thus configured to validate our JWT locally against the pinned public key and never asks an IDS/Keycloak server for the key. The flip side is that the key is pinned in a properties file: rotating the signing key means updating this property on every repository node.

Once the repository side has been set up, we can set up Share. Unfortunately, Share has no native support for JWT or for IDS, and there is no way to do this without some customization. Share does, however, support external authentication, and that mechanism can be reused to carry our JWT in a header that Share sends to the repository. With a plain external-auth setup Share sends a header containing the username, and the repository trusts it and only checks that the user exists; that is why such a repository must only be reachable through the trusted front end that sets the header. In our setup the JWT travels in a second header, and it is the token's signature that the repository actually validates. In both cases the user has to exist in Alfresco, either created manually or synchronized from an external system such as LDAP.

Our Share configuration is straightforward, and if you have ever configured external auth you will easily recognize it:

<connector>
    <id>alfrescoHeader</id>
    <name>Alfresco Connector</name>
    <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
    <class>com.gradecak.alfresco.jwt.authorization.JwtAuthorizationAlfrescoConnector</class>
    <userHeader>X-Alfresco-Remote-User</userHeader>
    <jwtHeader>WEB_TOKEN</jwtHeader>
</connector>

This customization is provided in the project mentioned above, and a how-to is available here.

Once all this has been set up, and if you used the sample JKS provided, you can log in via the cloud gateway. Be aware that if you use OAuth2 you have to register your application with the provider of your choice and configure the gateway with those application details. It is also mandatory that the username exists in Alfresco. All of this works with both Enterprise and Community editions.

If you try to log in via the gateway you should see the out-of-the-box Spring Security login screen listing the configured OAuth2 providers.

Regarding ADF applications, the way I do this kind of integration is to reuse the "Kerberos configuration", in which ADF simply forwards all the headers it receives and does not ask for login credentials (remember external auth: it just works).

With all this, it is quite easy to be a bit creative and find new ways to use the Alfresco platform. I also submitted a talk for DevCon 2020, so fingers crossed!

UPDATE:

Alfresco 6.2 needs one more property in order to avoid a NullPointerException that was later fixed in Keycloak (https://github.com/keycloak/keycloak/commit/9b2e7f6e2c96bc43fef820c141d27bf4dc09b84b):

identity-service.register-node-at-startup=true

Author : Daniel Gradecak

I am an Alfresco ECM consultant & Java developer from Belgium, currently living in Zagreb, Croatia. For the past 17 years, I've been developing Java and web applications. The last 15 years I have been primarily working with the Alfresco platform, along-side companies and organizations (all over Europe) to architect, develop and complete new applications. As an effective communicator I can normally create a solution that hurdles many obstacles to achieve a mutually accepted notion of success in terms of project delivery. I have specialized in tailor made application development using Javascript and Java/Alfresco. Each solution is highly accepted by the end users and that gives me a great confidence in my work.

1 thought on "Simple JWT instead of Alfresco Identity Service"


      The snippet on this page contains a wrong package name; this one does not exist in your git repo:
      com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector

      This is the right one:
      com.gradecak.alfresco.jwt.authorization.JwtAuthorizationAlfrescoConnector
