From: "Robert J. Carr"
Date: Thu, 7 Dec 2017 23:08:21 -0800
Subject: Is it possible to externally authenticate using OAuth?
To: Tomcat Users List

[tomcat 8, java 8, ubuntu xenial]

I have set up security constraints that allow certain resources to only be accessed by authorized users. The users are authenticated using either BASIC or FORM, where a username and password is provided, and this works great.

However, I'd also like to allow users to authenticate externally using an OAuth provider. Is this possible? Note that I can already acquire the access tokens for the user, and from there I can get the username and other profile metadata as necessary. But how do I then log the user into tomcat?

The only way I can think to make this work is to take this username and create a tomcat account, maybe setting the access token as the password if it matters. Then I could do a programmatic tomcat login on behalf of the user, so she is locally authenticated and a session is created. On subsequent logins I'd just update the password to the new access token. But this seems like a hack, and when it comes to users and security I'd prefer to avoid hacks.

It looks like JASPIC might offer a solution for this? Unfortunately, it looks like it became available starting at 8.5 but I'm stuck using 8.

Are there any other options?

Thanks!
Robert