sling-dev mailing list archives

From Robert Munteanu <romb...@apache.org>
Subject Re: Current state of SSO or OpenID Connect support in Sling
Date Mon, 27 May 2019 08:30:53 GMT
Hi Gaston,

On Mon, 2019-05-13 at 08:28 -0700, Gaston Gonzalez wrote:
> Hi Robert,
> 
> Thank you for providing the historical context. I spent the last few
> days reviewing and testing 
> https://github.com/apache/sling-whiteboard/pull/14 with Sling 11 and
> started to make a few updates in a local branch mostly related to
> pom.xml clean-up, error handling and logging. I noticed that the user
> account creation relies on SlingRepository.loginAdministrative()
> which has been marked for deprecation for some time. What’s the
> official position by the Sling community on using administrative
> sessions for user account creation? 

I personally think loginAdministrative is fine for some very specific
situations. This one could be one of them.

> I attempted to refactor the code to use a service user but it seems
> that I am missing some of the ACLs required to create user accounts.
> Is it worth using a service user for this use case or should I just
> stick with SlingRepository.loginAdministrative and whitelist the
> necessary bundles? I am currently using the following provisioning
> definition but it does not provide sufficient access to the service
> user to create a user.

Just start with loginAdministrative for now. In case we don't need it
later we can research how to change that.

> 
> [:repoinit]
>     create service user sling-oidc
> 
>     set ACL for sling-oidc
>         allow   jcr:read,rep:write    on /home
>     end
> 

> Secondly, I am not sure which is the best way to go regarding a
> clean-room implementation versus building on the work done in the PR
> above. I did a bit of research and found that OpenID has a process
> for certifying implementations. There are a couple of Java-based
> OpenID Connect (RP) client implementations that are certified (
> https://openid.net/developers/certified/) and are Apache licensed.
> The most promising seems to be 
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server,
> but bringing in Spring dependencies into Sling may be a
> non-starter, correct? Starting with a client library like this may be
> the best way to ensure a more secure and spec-compliant
> implementation. I’ll take another look at what Keycloak has in terms
> of a client JAR.

If someone else wrote a good client library, then why not :-) ? I
think there are a few criteria we should be looking at:

- license
- community support
- OSGi support

But in the end we should be able to pick something. And yes, for me
personally something based on Spring will make it harder to include and
maintain with Sling. Hopefully there are alternatives.

> 
> At any rate, I will be sharing a new GitHub project (sling-org-
> apache-sling-auth-oidc) shortly with my current work. Once it’s out
> there, shall I take this discussion to JIRA (SLING-2759) or
> continue the discussion over the mailing list? I am new to the Sling
> community and would like to follow the best practices.

Sounds good! Feel free to discuss at any place - but since we started
here we might as well continue via email.

Thanks,

Robert

> 
> Thanks,
> 
> Gaston Gonzalez
> Senior Architect | www.headwire.com
> 
> 
> 
> > On May 10, 2019, at 12:55 AM, Robert Munteanu <rombert@apache.org>
> > wrote:
> > 
> > Hi Gaston,
> > 
> > On Thu, 2019-05-09 at 12:10 -0700, Gaston Gonzalez wrote:
> > > Hi All,
> > > 
> > > I have been researching an SSO solution for Sling for the last
> > > week
> > > and noticed that some work has been done around OpenID Connect.
> > > During my research I stumbled upon SLING-2759 and was able to get
> > > it
> > > working with Sling 11 using a couple of OpenID providers (e.g.,
> > > Google Identity Platform and Auth0). This ticket has been stale
> > > since
> > > August 2018 and I was wondering if I can help contribute to the
> > > development of this feature. I searched the Sling dev and user
> > > mailing list archives and can’t seem to find any work that would
> > > supersede SLING-2759. 
> > > 
> > > Is SLING-2759 still the front runner for supporting Open ID
> > > Connect? 
> > > Is there a better option on the table for supporting SSO in
> > > Sling?
> > > 
> > > I also stumbled upon an adaptTo() 2018 talk, "Modern
> > > Authentication
> > > in Sling with OpenID Connect and Keycloak” (
> > > https://www.youtube.com/watch?v=aaqpmmyylis) that seems to
> > > suggest
> > > that there is some interest in OpenID Connect + Sling.
> > 
> > I think it would be great if you would contribute towards OpenID
> > connect support in Sling! This is something I'm definitely
> > interested
> > in.
> > 
> > As for the "historical" state, here's what I could dig up:
> > 
> > 1. The solution in SLING-2759 has been expanded to
> > 
> >  https://github.com/apache/sling-whiteboard/pull/14
> > 
> > The code is not final, and has not been reviewed by someone with a
> > focus on security.
> > 
> > 2. The Keycloak integration has a (proof of concept?) repository at
> > 
> >  https://github.com/dteleguin/sling-keycloak-integration
> > 
> > I am not sure whether building on any of those or doing a clean-
> > room
> > implementation is better, as I have no experience with OpenID
> > connect. 
> > 
> > I also seem to remember that Keycloak supposedly has a client jar
> > which
> > would make it much simpler to connect to OpenID connect providers,
> > at
> > least compared to the solution in SLING-2759.
> > 
> > Anyway, let me know of any more questions, I'd be happy to help if
> > needed.
> > 
> > Thanks!
> > 
> > Robert
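Added example, not part of this thread or of the sling-auth-oidc work it discusses: one way to create the local account from a dedicated service user instead of SlingRepository.loginAdministrative(). The repoinit quoted above grants sling-oidc only jcr:read,rep:write on /home; Oak's UserManager additionally requires the rep:userManagement privilege, which is the ACL that was missing. The package name, bundle symbolic name, subservice name and the oidc* property names are assumptions made for the illustration; the service user name sling-oidc is the one from the thread.

```java
package org.apache.sling.auth.oidc.example; // assumed package, not the project's

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/*
 * Repoinit assumed by this example. The thread's version granted only
 * jcr:read,rep:write on /home; Oak's UserManager.createUser() additionally
 * needs rep:userManagement on the user home tree:
 *
 *   [:repoinit]
 *       create service user sling-oidc
 *       set ACL for sling-oidc
 *           allow jcr:read,rep:write,rep:userManagement on /home
 *       end
 *
 * plus a mapping of this bundle's subservice to that user (bundle symbolic
 * name assumed), e.g. in an
 * org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-oidc
 * configuration:  user.mapping=["org.apache.sling.auth.oidc:oidc-user-sync=sling-oidc"]
 */
@Component(service = OidcUserSync.class)
public class OidcUserSync {

    /** Subservice name; must match the ServiceUserMapper amendment above (assumed). */
    static final String SUBSERVICE = "oidc-user-sync";

    @Reference
    private ResourceResolverFactory resolverFactory;

    /**
     * Makes sure a local user exists for the identity (issuer, subject) and
     * returns its id. Only the ID token's iss and sub claims are used: they
     * are the stable identifier the spec guarantees, unlike a mutable email.
     */
    public String ensureUser(String issuer, String subject)
            throws LoginException, RepositoryException {
        String userId = localUserId(issuer, subject);
        Map<String, Object> auth =
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            Session jcr = resolver.adaptTo(Session.class);
            if (!(jcr instanceof JackrabbitSession)) {
                throw new RepositoryException("user management needs a JackrabbitSession");
            }
            JackrabbitSession session = (JackrabbitSession) jcr;
            UserManager um = session.getUserManager();
            Authorizable existing = um.getAuthorizable(userId);
            if (existing != null) {
                if (existing.isGroup()) {
                    throw new RepositoryException("id collides with a group: " + userId);
                }
                return userId; // already provisioned on an earlier login
            }
            // null password: no local credential, so the account is reachable
            // only through the IdP and cannot be brute-forced against Sling.
            User user = um.createUser(userId, null);
            ValueFactory vf = session.getValueFactory();
            user.setProperty("oidcIssuer", vf.createValue(issuer));   // assumed property names
            user.setProperty("oidcSubject", vf.createValue(subject));
            session.save();
            return user.getID();
        }
    }

    /**
     * Derives a fixed-length, path-safe id from issuer and subject. Binding
     * the issuer keeps two providers that both issue sub "12345" from
     * landing on the same local account.
     */
    static String localUserId(String issuer, String subject) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            sha256.update(issuer.getBytes(StandardCharsets.UTF_8));
            sha256.update((byte) 0); // separator, so "a"+"bc" differs from "ab"+"c"
            sha256.update(subject.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder("oidc-");
            for (byte b : sha256.digest()) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}
```

The service user route is the least-privilege answer to the question raised above: the bundle never holds an administrative session, and the grant is confined to /home. If the bundle stays with loginAdministrative() for now, as suggested in the reply, it additionally has to be whitelisted through the org.apache.sling.jcr.base.internal.LoginAdminWhitelist configuration, which the service user approach does not need.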

