Alfresco / alfresco-community-repo

Community Content Service Repository
https://www.alfresco.com/it/ecm-software/alfresco-community-edition
GNU Lesser General Public License v3.0

Add support for configurable OAuth2 scopes #2513

Open loftux opened 8 months ago

loftux commented 8 months ago

The OAuth2 scopes that Alfresco requests from the authentication server need to be configurable. Currently they are hardcoded: https://github.com/Alfresco/alfresco-community-repo/blob/master/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java#L384

Explanation: Trying to implement OAuth2 with Authentik (https://goauthentik.io), I got an error saying "ERROR [site.servlet.AIMSFilter] [http-nio-8080-exec-2] Resulted in Error while doing refresh token refreshToken cannot be null". I tracked it down to the fact that you have to grant the "offline_access" scope for Authentik to send it: https://github.com/goauthentik/authentik/issues/8660. I assume this also means the client (Alfresco) has to request it, but that is currently not possible.

Side note: I think Authentik can be a good reference implementation to test that Alfresco has good support for OAuth2, and not just with Keycloak.

loftux commented 8 months ago

I noticed that "offline_access" is available here for the Admin console: https://github.com/Alfresco/alfresco-community-repo/blob/a73cf6a71d019fa90eb71d42dde3089adb2222d5/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java#L74

I could get authentication to work for admin console, but not for anything more.

@damianujma for the ACS-6601

loftux commented 7 months ago

Maybe there is no need for a configurable setting for this; just add it by default to IdentityServiceFacadeFactoryBean. I'm not sure if there is a reason it is not there, and that is why I'm not making a PR. Maybe it does need to be omitted for other clients such as Keycloak.

Reference for why I needed this change to get it to work with Authentik: https://docs.goauthentik.io/docs/providers/oauth2/#refresh_token
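The failure described in the opening report, and the question in the comment above about whether "offline_access" could simply be requested by default, are illustrated by the following added example. It is not code from Alfresco, Authentik or Keycloak: it is a small OpenID Connect client helper in which the requested scope list is configurable, the authorization request is built from it, and the token response is checked for a refresh token before anything tries to use one (so the cause is reported instead of a later "refreshToken cannot be null"). The token endpoint and the discovery document are constructed stand-ins; the endpoint models the OIDC Core rule that a refresh token is issued only when "offline_access" was requested. The `scopes_to_request` helper shows one way to decide per provider: filter the wanted scopes against `scopes_supported` from the provider's discovery document, with the caveat that OIDC Discovery only recommends that field, so its absence proves nothing.

```python
"""Added example, not code from Alfresco or Authentik.

Models the failure reported in this issue: an OpenID Connect client that does
not put "offline_access" in its requested scopes gets no refresh_token from a
provider such as Authentik, and the later refresh step fails. The helpers make
the scope list configurable, build the authorization request, and check the
token response before anyone tries to use a refresh token that is not there.
The token endpoint and discovery document below are constructed stand-ins.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Default OIDC scopes a login client normally asks for.
DEFAULT_SCOPES = ("openid", "profile", "email")


@dataclass(frozen=True)
class OAuth2ClientConfig:
    client_id: str
    redirect_uri: str
    authorize_endpoint: str
    scopes: tuple = DEFAULT_SCOPES  # the part this issue asks to make configurable


def build_authorization_url(cfg: OAuth2ClientConfig, state: str, nonce: str) -> str:
    """Authorization Code request (RFC 6749 4.1.1 / OIDC Core 3.1.2.1)."""
    params = {
        "response_type": "code",
        "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri,
        "scope": " ".join(cfg.scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{cfg.authorize_endpoint}?{urlencode(params)}"


def requested_scopes(authorization_url: str) -> set:
    """Scopes actually sent to the provider, recovered from the URL."""
    query = parse_qs(urlparse(authorization_url).query)
    return set(query.get("scope", [""])[0].split())


def simulated_token_endpoint(scope_param: str) -> dict:
    """Constructed stand-in for a provider that follows the OIDC offline_access
    rule: a refresh_token is issued only if offline_access was requested."""
    scopes = set(scope_param.split())
    response = {
        "access_token": "at-" + "".join(sorted(scopes)),
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": " ".join(sorted(scopes)),  # RFC 6749 5.1: the granted scope
    }
    if "openid" in scopes:
        response["id_token"] = "<id_token>"
    if "offline_access" in scopes:
        response["refresh_token"] = "rt-" + "".join(sorted(scopes))
    return response


def refresh_token_from_response(token_response: dict, requested: set) -> tuple:
    """Return (refresh_token, diagnosis). The diagnosis names the cause instead
    of leaving a later refresh call to fail with 'refreshToken cannot be null'."""
    refresh_token = token_response.get("refresh_token")
    if refresh_token:
        return refresh_token, "ok"
    if "offline_access" not in requested:
        return None, "client did not request offline_access; add it to the configured scopes"
    granted = set(token_response.get("scope", "").split())
    if "offline_access" not in granted:
        return None, "provider did not grant offline_access; check the client's allowed scopes on the server"
    return None, "provider granted offline_access but issued no refresh_token"


def scopes_to_request(discovery: dict, wanted: tuple) -> tuple:
    """Drop scopes the provider says it does not support. scopes_supported is
    RECOMMENDED, not REQUIRED, in OIDC Discovery, so when the key is absent the
    caller's list is returned unchanged."""
    supported = discovery.get("scopes_supported")
    if supported is None:
        return tuple(wanted)
    return tuple(s for s in wanted if s in supported)


if __name__ == "__main__":
    # Constructed discovery document, as a provider might serve it at
    # /.well-known/openid-configuration.
    discovery = {"scopes_supported": ["openid", "profile", "email", "offline_access"]}
    for scopes in (DEFAULT_SCOPES, DEFAULT_SCOPES + ("offline_access",)):
        cfg = OAuth2ClientConfig("alfresco", "https://acs.example/callback",
                                 "https://idp.example/authorize",
                                 scopes_to_request(discovery, scopes))
        url = build_authorization_url(cfg, state="s1", nonce="n1")
        resp = simulated_token_endpoint(" ".join(cfg.scopes))
        print(scopes, "->", refresh_token_from_response(resp, requested_scopes(url)))
```

Running the module shows the two cases side by side: with the default scopes the diagnosis says the client never asked for offline_access, and with it added the constructed provider returns a refresh token. Against a real provider the same check distinguishes "not requested" from "requested but not granted", which is the case where the client's allowed scopes on the server side need attention.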

loftux commented 7 months ago

More references to "offline_access" are needed for the refresh token to be issued:

- https://auth0.com/docs/secure/tokens/refresh-tokens/get-refresh-tokens
- https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant
- https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

An interesting discussion on how to interpret the standard: https://github.com/manfredsteyer/angular-oauth2-oidc/issues/1241