
Simple JWT instead of Alfresco Identity Service

Following up on my last post, I have been working on a simple integration between a custom JWT and Alfresco. Alfresco offers an SSO solution called Identity Service that is based on Keycloak and is implemented as an authentication subsystem on the repository side.

The goal here is to sign our own JWT and send it to our Alfresco repository (+Share, +ADF apps) via standard HTTP headers. However, I am not keen on implementing any custom module on the repository side; I just want to reuse everything Alfresco already provides via the “identity-service” authentication subsystem.

We still need a service that creates the JWT, and my Spring Cloud Gateway project is a good candidate, since it already does that with a custom JKS.

Gateway architecture

All we have to do is configure Alfresco to use its identity-service authentication subsystem with our custom private key. The JWT is signed with the private key and verified with the matching public key, which is defined in alfresco-global.properties:

  • identity-service.authentication.enabled=true
  • identity-service.authentication.enable-username-password-authentication=false
  • identity-service.bearer-only=true
  • identity-service.realm-public-key=YOUR_PUBLIC_KEY

Alfresco is thus configured to validate our JWT locally (bearer-only) and not to ask IDS whether the token is valid.
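The mechanics behind these four properties, as an added example that is not code from the post or from the gateway project: the gateway signs RS256 tokens with its private key, and the repository, in bearer-only mode, checks signature and expiry against nothing but the realm-public-key value. It assumes realm-public-key takes the base64 DER SubjectPublicKeyInfo (a PEM body without BEGIN/END lines), that the username travels in a preferred_username claim, and that the key pair is generated in place of the custom JKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding                          // JWT segments are unpadded base64url
var SigningKey, _ = rsa.GenerateKey(rand.Reader, 2048) // stands in for the gateway's JKS key (constructed, not the project's)

// RealmPublicKey renders the public half the way identity-service.realm-public-key is assumed to expect it:
// base64 DER SubjectPublicKeyInfo, i.e. the PEM body with the BEGIN/END lines removed.
func RealmPublicKey(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return base64.StdEncoding.EncodeToString(der)
}

// SignJWT is the gateway's job: RS256 over base64url(header).base64url(claims) with the private key.
func SignJWT(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyJWT mirrors the repository with bearer-only=true: signature and expiry are checked locally against
// the realm-public-key property value and the identity server is never contacted. now is a Unix timestamp.
func VerifyJWT(realmKey, token string, now int64) (map[string]any, error) {
	der, _ := base64.StdEncoding.DecodeString(realmKey)
	key, _ := x509.ParsePKIXPublicKey(der)
	pub, ok := key.(*rsa.PublicKey) // false when the property is not an RSA SubjectPublicKeyInfo
	h, rest, _ := strings.Cut(token, ".")
	c, s, _ := strings.Cut(rest, ".")
	dec := func(seg string) []byte { b, _ := b64.DecodeString(seg); return b }
	var hdr struct{ Alg string }  // alg is pinned to RS256 below: a header claiming "none" or HMAC cannot pass
	var claims map[string]any     // returned only after the signature verifies under the realm key
	digest := sha256.Sum256([]byte(h + "." + c))
	if !ok || json.Unmarshal(dec(h), &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(dec(c), &claims) != nil ||
		rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(s)) != nil {
		return nil, errors.New("token rejected: malformed, unsupported alg, or bad signature")
	}
	if exp, _ := claims["exp"].(float64); int64(exp) <= now { // a missing exp counts as expired
		return nil, errors.New("token expired")
	}
	return claims, nil
}
```

The value returned by RealmPublicKey is what goes into YOUR_PUBLIC_KEY above; the preferred_username claim must name a user that already exists in Alfresco.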

Once the repository side has been set up, we can set up Share. Unfortunately, Share has no native support for JWT or for IDS, and there is no way to do this without some customization, but Share supports external authentication, and that mechanism can be reused to place our JWT in a header that Share sends to the repository side. With the external-auth setup, Share usually sends a header carrying the username, which Alfresco validates. The user has to exist in Alfresco, either created manually or synchronized from an external system like LDAP.

Our Share configuration is straightforward, and if you have ever configured external auth you will easily recognize it:

<connector>
    <id>alfrescoHeader</id>
    <name>Alfresco Connector</name>
    <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
    <class>com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector</class>
    <userHeader>X-Alfresco-Remote-User</userHeader>
    <jwtHeader>WEB_TOKEN</jwtHeader>
</connector>

This customization is provided in the project mentioned above, and a howto is available here.

Now that all this has been set up, if you used the sample JKS provided you can log in via the cloud gateway. Please be aware that if you use OAuth2 you have to provide your application details and configure them correctly with the provider of your choice. Also, it is mandatory that the username exists in Alfresco. All this works with both Enterprise and Community.

If you try to log in via the gateway you should see the out-of-the-box Spring Security login screen, with the configured OAuth2 services.

Regarding ADF applications, the way I do this kind of integration is to reuse the “kerberos configuration”, where ADF simply proxies all the headers it receives and does not ask for login credentials (remember external auth: it just works).

With all this, it is quite easy to be a bit creative and find new ways to use the Alfresco platform. I also submitted a talk for DevCon 2020, so fingers crossed!

UPDATE:

Alfresco 6.2 needs one more property in order to avoid an NPE that was fixed in Keycloak (https://github.com/keycloak/keycloak/commit/9b2e7f6e2c96bc43fef820c141d27bf4dc09b84b):

identity-service.register-node-at-startup=true

5 thoughts on “Simple JWT instead of Alfresco Identity Service”

  1. Hi,
    I have followed the given steps for configuring the share module. The version we are using is 6.2 and I got the below error from the share module when I start it.

    share_1 | 2021-02-26 21:41:19,876 ERROR [alfresco.web.site] [http-nio-8080-exec-8] org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.extensions.surf.exception.ConnectorServiceException: Unable to construct Connector for class: com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector, connector id: alfrescoHeader
    share_1 | org.springframework.extensions.surf.exception.ConnectorServiceException: Unable to construct Connector for class: com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector, connector id: alfrescoHeader

    I configured the external authentication in the share settings as mentioned in the Alfresco documentation and changed the connector as mentioned in your documentation to support the JWT token.

    1. Thank you for your response. The issue is resolved from the configuration point of view. When we hit the /share endpoint with the configured gateway port, it is redirected to the Spring-Gateway-App’s login screen. On entering username and password, some permission error is displayed in the web browser instead of Share’s dashboard. When we check the log of Share, it gives an error saying “unable to create a user and unable to retrieve the user”. I will raise an issue on GitHub as you have mentioned. Meanwhile, if you have any idea about this error then let us know.

      1. Configured the authentication chain with only the identity service.
      2. Identity service configured the same as in your GitHub readme.
      3. The share-config-custom.xml file is configured with alfrescoHeader in the connector, and the required changes are done as per the external authentication documentation from Alfresco.

      1. Hello there!

        First, thanks Daniel for this great job and nice presentation during the Alfresco webinar.

        I’m facing the same issue you described in your previous comment:
        Unable to construct Connector for class: com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector, connector id: alfrescoHeader

        Could you tell me how you corrected this?

        Thanks for your help.
        Christophe

        1. Hi Christophe,

          I personally do not know what Gunasekar did to solve his issue,
          but in the link below, if you follow how to set up only Share for external auth, it should work without any issue. You can share your config with me, but it would be better on GitHub; I think Gunasekar opened an issue: https://github.com/dgradecak/alfresco-jwt-auth/issues/1

          https://docs.alfresco.com/content-services/6.0/admin/auth-sync/#configure-alfresco-share-to-use-an-external-sso
