Posted to dev@sling.apache.org by Gaston Gonzalez <gg...@headwire.com> on 2019/05/09 19:10:29 UTC

Current state of SSO or OpenID Connect support in Sling

Hi All,

I have been researching an SSO solution for Sling for the last week and noticed that some work has been done around OpenID Connect. During my research I stumbled upon SLING-2759 and was able to get it working with Sling 11 using a couple of OpenID providers (e.g., Google Identity Platform and Auth0). This ticket has been stale since August 2018 and I was wondering if I can help contribute to the development of this feature. I searched the Sling dev and user mailing list archives and can’t seem to find any work that would supersede SLING-2759. 

Is SLING-2759 still the front runner for supporting OpenID Connect?
Is there a better option on the table for supporting SSO in Sling?

I also stumbled upon an adaptTo() 2018 talk, "Modern Authentication in Sling with OpenID Connect and Keycloak" (https://www.youtube.com/watch?v=aaqpmmyylis) that seems to suggest that there is some interest in OpenID Connect + Sling.

Any thoughts would be appreciated.

Thanks,

Gaston Gonzalez
Senior Architect | www.headwire.com




Re: Current state of SSO or OpenID Connect support in Sling

Posted by Robert Munteanu <ro...@apache.org>.
Hi Gaston,

On Mon, 2019-05-13 at 08:28 -0700, Gaston Gonzalez wrote:
> Hi Robert,
> 
> Thank you for providing the historical context. I spent the last few
> days reviewing and testing 
> https://github.com/apache/sling-whiteboard/pull/14 with Sling 11 and
> started to make a few updates in a local branch mostly related to
> pom.xml clean-up, error handling and logging. I noticed that the user
> account creation relies on SlingRepository.loginAdministrative()
> which has been marked for deprecation for some time. What’s the
> official position by the Sling community on using administrative
> sessions for user account creation? 

I personally think loginAdministrative is fine for some very specific
situations. This one could be one of them.

> I attempted to refactor the code to use a service user but it seems
> that I am missing some of the ACLs required to create user accounts.
> Is it worth using a service user for this use case or should I just
> stick with SlingRepository.loginAdministrative and whitelist the
> necessary bundles? I am currently using the following provisioning
> definition but it does not provide sufficient access to the service
> user to create a user.

Just start with loginAdministrative for now. In case we don't need it
later we can research how to change that.

> 
> [:repoinit]
>     create service user sling-oidc
> 
>     set ACL for sling-oidc
>         allow   jcr:read,rep:write    on /home
>     end
> 

> Secondly, I am not sure which is the best way to go regarding a
> clean-room implementation versus building on the work done in the PR
> above. I did a bit of research and found that OpenID has a process
> for certifying implementations. There are a couple of Java-based
> OpenID Connect (RP) client implementations that are certified (
> https://openid.net/developers/certified/) and are Apache licensed.
> The most promising seems to be 
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
> , but bringing in Spring dependencies into Sling may be a
> non-starter, correct? Starting with a client library like this may be
> the best way to ensure a more secure and spec-compliant
> implementation. I’ll take another look at what Keycloak has in terms
> of a client JAR.

If someone else wrote a good client library, then why not :-) ? I
think there are a few criteria we should be looking at:

- license
- community support
- OSGi support

But in the end we should be able to pick something. And yes, for me
personally something based on Spring will make it harder to include and
maintain with Sling. Hopefully there are alternatives.

> 
> At any rate, I will be sharing a new GitHub project (sling-org-
> apache-sling-auth-oidc) shortly with my current work. Once it’s out
> there, shall I take this discussion to JIRA (SLING-2759) or
> continue the discussion over the mailing list? I am new to the Sling
> community and would like to follow the best practices.

Sounds good! Feel free to discuss at any place - but since we started
here we might as well continue via email.

Thanks,

Robert



Re: Current state of SSO or OpenID Connect support in Sling

Posted by Gaston Gonzalez <gg...@headwire.com>.
Hi Robert,

Thank you for providing the historical context. I spent the last few days reviewing and testing https://github.com/apache/sling-whiteboard/pull/14 with Sling 11 and started to make a few updates in a local branch mostly related to pom.xml clean-up, error handling and logging. I noticed that the user account creation relies on SlingRepository.loginAdministrative() which has been marked for deprecation for some time. What's the official position by the Sling community on using administrative sessions for user account creation? I attempted to refactor the code to use a service user but it seems that I am missing some of the ACLs required to create user accounts. Is it worth using a service user for this use case or should I just stick with SlingRepository.loginAdministrative and whitelist the necessary bundles? I am currently using the following provisioning definition but it does not provide sufficient access to the service user to create a user.

[:repoinit]
    create service user sling-oidc

    set ACL for sling-oidc
        allow   jcr:read,rep:write    on /home
    end

Secondly, I am not sure which is the best way to go regarding a clean-room implementation versus building on the work done in the PR above. I did a bit of research and found that OpenID has a process for certifying implementations. There are a couple of Java-based OpenID Connect (RP) client implementations that are certified (https://openid.net/developers/certified/) and are Apache licensed. The most promising seems to be https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, but bringing in Spring dependencies into Sling may be a non-starter, correct? Starting with a client library like this may be the best way to ensure a more secure and spec-compliant implementation. I'll take another look at what Keycloak has in terms of a client JAR.

At any rate, I will be sharing a new GitHub project (sling-org-apache-sling-auth-oidc) shortly with my current work. Once it's out there, shall I take this discussion to JIRA (SLING-2759) or continue the discussion over the mailing list? I am new to the Sling community and would like to follow the best practices.

Thanks,

Gaston Gonzalez
Senior Architect | www.headwire.com



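As an added illustration of the ACL question in the message above (constructed here, not from the thread or the Sling project), a repoinit definition that grants the privilege Oak evaluates for user and group changes; the users path /home/users is an assumption:

```repoinit
# Constructed example. Oak checks modifications of rep:User / rep:Group
# nodes against the rep:userManagement privilege rather than plain
# jcr:write, which is why jcr:read,rep:write on /home alone is not
# enough for a service user to create an account.
create service user sling-oidc

set ACL for sling-oidc
    # rep:write is still required for the intermediate
    # rep:AuthorizableFolder nodes; rep:userManagement covers the
    # user node itself. Assumption: accounts live under /home/users,
    # so the grant is scoped there instead of to all of /home.
    allow   jcr:read,rep:write,rep:userManagement    on /home/users
end
```

The calling bundle additionally needs a Service User Mapper amendment (an OSGi factory configuration whose user.mapping entry maps the bundle's symbolic name, and optionally a sub-service name, to sling-oidc) before loginService or getServiceResourceResolver will resolve to this user.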

Re: Current state of SSO or OpenID Connect support in Sling

Posted by Robert Munteanu <ro...@apache.org>.
Hi Gaston,

On Thu, 2019-05-09 at 12:10 -0700, Gaston Gonzalez wrote:
> Hi All,
> 
> I have been researching an SSO solution for Sling for the last week
> and noticed that some work has been done around OpenID Connect.
> During my research I stumbled upon SLING-2759 and was able to get it
> working with Sling 11 using a couple of OpenID providers (e.g.,
> Google Identity Platform and Auth0). This ticket has been stale since
> August 2018 and I was wondering if I can help contribute to the
> development of this feature. I searched the Sling dev and user
> mailing list archives and can’t seem to find any work that would
> supersede SLING-2759. 
> 
> Is SLING-2759 still the front runner for supporting OpenID Connect?
> Is there a better option on the table for supporting SSO in Sling?
> 
> I also stumbled upon an adaptTo() 2018 talk, "Modern Authentication
> in Sling with OpenID Connect and Keycloak” (
> https://www.youtube.com/watch?v=aaqpmmyylis) that seems to suggest
> that there is some interest in OpenID Connect + Sling.

I think it would be great if you would contribute towards OpenID
connect support in Sling! This is something I'm definitely interested
in.

As for the "historical" state, here's what I could dig up:

1. The solution in SLING-2759 has been expanded to

  https://github.com/apache/sling-whiteboard/pull/14

The code is not final, and has not been reviewed by someone with a
focus on security.

2. The KeyCloak integration has a (proof of concept?) repository at

  https://github.com/dteleguin/sling-keycloak-integration

I am not sure whether building on any of those or doing a clean-room
implementation is better, as I have no experience with OpenID connect. 

I also seem to remember that KeyCloak supposedly has a client jar which
would make it much simpler to connect to OpenID connect providers, at
least compared to the solution in SLING-2759.

Anyway, let me know of any more questions, I'd be happy to help if
needed.

Thanks!

Robert