alfresco-jwt-auth's People

Contributors

dgradecak

alfresco-jwt-auth's Issues

Authorization 'Bearer' not supported

Hi again,

I think I have everything set correctly, I didn't go further really off the example. When I use username and password in the gateway I get this:

{
  "error": {
    "errorKey": "framework.exception.ApiDefault",
    "statusCode": 401,
    "briefSummary": "00260002 Authorization 'Bearer' not supported.",
    "stackTrace": "For security reasons the stack trace is no longer displayed, but the property is kept for previous versions",
    "descriptionURL": "https://api-explorer.alfresco.com"
  }
}

Also, I am not sure what I should put in the redirect-uri. I am using Google Cloud only for testing, and when I click to sign in with Google it always sends me to the http://localhost:9595/login page.

Thanks in advance

Unable to Use JWT Token with Alfresco 6.2 Community on Docker

I have used Spring Cloud Gateway (cloned from your GitHub repo) and configured it to use Google as my Identity Provider. Upon successful redirection and issuing of the token, I am redirected to Alfresco Community (6.2 / 7.0 Snapshot) on Docker. When I attempt to go into the Admin Console, I am getting the following error when browsing to the admin console.

In 7.0 Snapshot (Within Browser and Via API Explorer)
Authorisation 'Bearer' not supported.

In 6.2
(Within Browser)
Attempted to login into admin console using non-admin credentials
(Within API Explorer)
Authorisation 'Bearer' not supported.

As for configuration
Passed Properties

-Dauthentication.chain=identity-service1:identity-service
-Didentity-service.register-node-at-startup=true
-Didentity-service.authentication.enabled=true
-Didentity-service.authentication.enable-username-password-authentication=false
-Didentity-service.bearer-only=true
-Didentity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB

As Java Options (in Docker Compose file) for Alfresco Container

Also Attempted to update alfresco-global.properties (empty to begin with) within docker container

authentication.chain=identity-service1:identity-service
identity-service.register-node-at-startup=true
identity-service.authentication.enabled=true
identity-service.authentication.enable-username-password-authentication=false
identity-service.bearer-only=true
identity-service.realm-public-key=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsR2E4gZpYgv3tw6KDf6Ms89W/1/UKQY5uQTcPGwUMJkbRgW0ovO9nxQiOmxPr/gs0dS9DVnpbPh9SuDuRDEDrFdyvrkU+4SHAJYoh82OjLrBhnEH9pC/OEG/vxHUCv0qBbIeaoNaTittnHW4YcTKxchVCJM4F0L4tsP6B8kKMaOyTVE9Q2tJu5ipiB6Q/xU45B9mlDELr+U6JRsdbAHSATKGWENVbTNcw0DvaprHT2l2fhSqrN81pTuFvV6VH3b0YNqLVdwUiVvZ13/1MTeDyCk0CCf5ejkbP2WaVwOdzDjL79K6dhjzIjggT6Ggzw/VrPwJ6WTwE+IVOkmCdBocCwIDAQAB

Both options were tried but result was same.

Any help from yourself will be greatly appreciated.

Thanks in advance.

Issue with Github as Oauth2 Provider

Hello

I have cloned and configured your latest master to work as following

  1. Use Admin / Password for creating a JWT token and signing in to the Admin Console (where Alfresco Community Repository 6.2 is in Docker); and
  2. Added the following properties to application.yml to include GitHub as Authorisation Server / Provider
spring:
  security:
    oauth2:
      client:
        registration:
          github:
            provider: github
            client-id: LEFT BLANK INTENTIONALLY
            client-secret: LEFT BLANK INTENTIONALLY
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/github"
            scope: openid,profile,email
        provider:
          github:
            user-info-uri: https://api.github.com/user
            user-name-attribute: login

I have also enabled DEBUG logging.

I have noticed in the debug logging that upon signing in, the code and state come from GitHub, which is then followed by the access_token being issued

[825503a2-4] HTTP GET "/login/oauth2/code/github?code=0bacae4db7563c603a0b&state=kyS0tMlH8R9lRcC4fP5Ck48x04IlgyuYSNVvTP0EP2c%3D"
2021-06-04 11:28:02.598 DEBUG 41680 --- [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [487da5ae] HTTP POST https://github.com/login/oauth/access_token
2021-06-04 11:28:02.801 DEBUG 41680 --- [ctor-http-nio-4] o.s.http.codec.FormHttpMessageWriter     : [487da5ae] Writing form fields [grant_type, code, redirect_uri] (content masked)
2021-06-04 11:28:03.005 DEBUG 41680 --- [ctor-http-nio-4] o.s.w.r.f.client.ExchangeFunctions       : [487da5ae] Response 200 OK
2021-06-04 11:28:03.028 DEBUG 41680 --- [ctor-http-nio-4] o.s.http.codec.json.Jackson2JsonDecoder  : [487da5ae] Decoded [{access_token=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, token_type=bearer, scope=}]
2021-06-04 11:28:03.033 DEBUG 41680 --- [ctor-http-nio-4] o.s.w.r.f.client.ExchangeFunctions       : [487da5ae] Cancel signal (to close connection)

Issue is that after getting the access token it closes the connection and does not hit the JwtBearerAuthorizationHeaderGatewayFilterFactory apply method to create a JWT.

The result of all the above is that the login form says "Invalid Credentials", when actually the credentials are correct, as an access token was issued.

I am unsure / confused if this is to do with configuration or something missing in the code.

Any help will be hugely appreciated.

Thanks.

PS: Thanks for a lovely walkthrough in webinar at Alfresco. I have learnt a good amount from that demo.

Unable to redirect to share admin dashboard

Hi,
Tried the configuration given in the ReadMe, but Share is still not able to receive the token.
Below are the Share logs

 Caused by: org.springframework.extensions.surf.exception.UserFactoryException: Unable to create user - failed to retrieve user metadata:

share_1 | at org.springframework.extensions.surf.support.AlfrescoUserFactory.loadUser(AlfrescoUserFactory.java:185)

 ERROR [alfresco.web.site] [http-nio-8080-exec-2] org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository

share_1 | org.springframework.extensions.surf.exception.UserFactoryException: Unable to retrieve user from repository

Share config changes

      <verify-hostname>true</verify-hostname>
   </ssl-config>

   <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
   </connector>

   <connector>
      <id>alfrescoHeader</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
      <!--<class>com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector</class>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>-->
      <class>com.gradecak.alfresco.share.authorization.JwtAuthorizationAlfrescoConnector</class>
      <userHeader>X-Alfresco-Remote-User</userHeader>
      <jwtHeader>WEB_TOKEN</jwtHeader>
   </connector>

Please help us understand what could be the reason for the error in Share.

Feature Request to Allow for Issuer URL Validation Match to be More Flexible

So, in the Alfresco Document Management Repository we are allowed to set up an identity server (like you have done in this codebase) that can be used to authenticate / authorise users to browse folders / files etc. In the solution (that is skewed by Keycloak (style) as identity server), the following checks are made on the bearer token:

  1. Is the token valid (this is done using the public key)
  2. Is the token of type Bearer (typ: Bearer)
  3. Is the token issuer URL (iss) of the following shape: https://identity-server:port/context/realm/realm-name

Note that we have a mandatory element of realm in the URL, which can cause validation to fail, as not all identity providers follow that pattern.
e.g. in Apereo CAS it is https://identity-server:port/cas/oidc
where cas can be the context and oidc can be the realm-name, but the keyword realm has no place in the URL.

Idea is to make properties such that this matching criterion can be made flexible.

This will open the solution to non-Keycloak identity providers, so that token validation could be whatever is offered by the identity provider.

Thanks.

Feature Request to Allow for Use of JWKS URI

Most identity providers offer a JWKS URI for getting the public key to validate the token. This is useful especially when there are rotating keys and the JWT indicates the use of kid in the header. Currently we have only a single public key passed as a property

alfresco-jwt.realm-public-key=

If we have a JWKS URI then it could potentially reduce the key copy-pasting issue and will also handle rotating keys.

For example:
alfresco-jwt.jwks-uri=
The public key can then be fetched from e.g. http://localhost:8180/cas/oidc/jwks

Thanks.

JWT Issued By External OAUTH Server is Not Accepted

Hello Daniel

I have a setup where the Alfresco Content Repository is running in Docker and I have enabled the following settings in the docker compose file to allow a bearer JWT token to be the method of authentication

-Dauthentication.chain=identity-service1:identity-service
-Didentity-service.register-node-at-startup=true
-Didentity-service.authentication.enabled=true
-Didentity-service.authentication.enable-username-password-authentication=false
-Didentity-service.bearer-only=true
-Didentity-service.realm-public-key=INTENTIONALLY BLANK

When attempting to reach the admin console via the above settings using Spring Cloud Gateway to generate the token, all is OK.

When attempting to reach the admin console via the above settings, where the token is issued by an Authorisation Server (Apereo CAS), I get an error saying Authorisation 'Bearer' not supported. I get that same error when I attempt REST API calls.

I have found it is the issuer (iss) in the JWT token payload that is different in my case. If I update iss to http://localhost:8180/auth/realms/alfresco , all is OK.

I cannot locate any setting on the repository side that is looking for this validation.

Any insights will be useful.

The version of Alfresco Content Repository that I am using is 6.2.0-ga Community edition.

Thanks in advance.
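The three posts above (the issuer-shape feature request, the JWKS URI request, and the CAS-issued token being rejected) all come down to the same verifier logic. What follows is an added example, written for this page and not code from alfresco-jwt-auth, Alfresco, Keycloak or CAS: a self-contained Go verifier that runs the three checks in the order the feature request lists them (signature with the algorithm pinned to RS256, typ must be Bearer, issuer must be allowed), resolves the signing key by kid from a JWKS document instead of a single pasted public key, and models the issuer check as an exact-match allow-list so that both the Keycloak shape and http://localhost:8180/cas/oidc are just entries. The key pair, the kid value cas-1 and the JWKS document are constructed in the program; the issuer URLs are the ones quoted in the posts. How the repository's identity-service subsystem implements these checks internally is not shown here and is not claimed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)
var b64url = base64.RawURLEncoding
type Claims struct { // subset of the payload the repository-side checks look at
	Iss string `json:"iss"`
	Typ string `json:"typ"`
	Sub string `json:"sub"`
}
// KeyResolver maps the token's kid to the RSA key that should have signed it.
type KeyResolver func(kid string) (*rsa.PublicKey, error)

// JWKSKey is the jwks-uri model: select the key whose kid matches the token, so rotation works.
func JWKSKey(jwksJSON []byte) KeyResolver {
	var doc struct{ Keys []map[string]string } // string-valued JWK members only, for brevity
	parseErr := json.Unmarshal(jwksJSON, &doc)
	return func(kid string) (*rsa.PublicKey, error) {
		for _, k := range doc.Keys {
			n, errN := b64url.DecodeString(k["n"])
			e, errE := b64url.DecodeString(k["e"])
			if k["kty"] == "RSA" && k["kid"] == kid && errN == nil && errE == nil {
				return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
			}
		}
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS (parse error: %v)", kid, parseErr)
	}
}

// AllowedIssuers replaces a hard-wired <base>/realms/<realm> rule with an exact-match allow-list.
func AllowedIssuers(allowed ...string) func(string) bool {
	set := map[string]bool{}
	for _, a := range allowed {
		set[a] = true
	}
	return func(iss string) bool { return set[iss] }
}

// Verify runs the three checks in order: signature (alg pinned to RS256), typ, issuer.
func Verify(token string, resolve KeyResolver, issuerOK func(string) bool) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, errH := b64url.DecodeString(parts[0])
	pb, errP := b64url.DecodeString(parts[1])
	sig, errS := b64url.DecodeString(parts[2])
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var c Claims
	if errH != nil || errP != nil || errS != nil || json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("undecodable token")
	}
	if h.Alg != "RS256" { // the verifier fixes the algorithm; honouring alg invites "none"/HS256 key confusion
		return nil, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	pub, err := resolve(h.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err) // nothing in c is trusted before this point
	}
	if c.Typ != "Bearer" || !issuerOK(c.Iss) {
		return nil, fmt.Errorf("claims rejected: typ=%q iss=%q", c.Typ, c.Iss)
	}
	return &c, nil
}

func Sign(priv *rsa.PrivateKey, kid string, c Claims) string { // identity-provider stand-in: mint an RS256 token carrying kid
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(c)
	signing := b64url.EncodeToString(hb) + "." + b64url.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + b64url.EncodeToString(sig)
}

func JWKS(pub *rsa.PublicKey, kid string) []byte { // one-entry document, the way a jwks-uri would serve it
	n, e := b64url.EncodeToString(pub.N.Bytes()), b64url.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"use":"sig","alg":"RS256","n":%q,"e":%q}]}`, kid, n, e))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair, not the one posted in the issue
	tok := Sign(priv, "cas-1", Claims{Iss: "http://localhost:8180/cas/oidc", Typ: "Bearer", Sub: "admin"})
	keys := JWKSKey(JWKS(&priv.PublicKey, "cas-1"))
	_, rigid := Verify(tok, keys, AllowedIssuers("http://localhost:8180/auth/realms/alfresco"))
	c, flexible := Verify(tok, keys, AllowedIssuers("http://localhost:8180/cas/oidc"))
	fmt.Println("realm-shaped issuer only:", rigid, "\nCAS issuer allowed:", c, flexible)
}
```

The rigid Keycloak-shaped rule is modelled as a one-entry allow-list containing the issuer quoted in the last post, which is exactly why the CAS token fails under it and passes once .../cas/oidc is listed. A realm-public-key style resolver would simply ignore kid and always return the one configured key, which is what breaks on rotation. A production verifier would additionally fetch the JWKS over TLS and cache it by kid, and check exp and aud, none of which the posts discuss.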

Exception in KeycloakDeployment getting Client

Hi, First thanks for the hard work here giving some light on how to achieve OAuth with Alfresco

I am trying to reproduce this example. I have set everything in an Alfresco 6.2 Community as it is and as stated in the example here, but when I start Alfresco I get the following exception

wks-docker-wks-platform-repo-acs-1 | Caused by: java.lang.NullPointerException
wks-docker-wks-platform-repo-acs-1 | at org.keycloak.adapters.KeycloakDeployment.getClient(KeycloakDeployment.java:264)
wks-docker-wks-platform-repo-acs-1 | ... 59 more

Any idea?

Thanks in advance

Support for Alfresco Process service

Can we use the JWT tokens with the APS service similar to how you have described for other Alfresco products?
I checked the source code of APS and today it does not provide out-of-the-box support for a JWK URI / public key and decoding JWT tokens in its OAuth2 implementation.
