tsgrp / OpenAnnotate

TSG's Browser-based Annotation Tool

AEV not authenticating properly with ADF application using SSO #930

Closed gsteimer closed 2 years ago

gsteimer commented 2 years ago

When using AEV via an ADF application, authentication fails when using SSO. From the research @m-brouillette has done, it seems that instead of a ticket, a token is provided by SSO, causing OC to reject authentication. Here's the code:

    getAEVUrl(): SafeResourceUrl {
        // update the src of the iframe to AEV's external authorization passing
        // the user login, ticket, and the id of the selected document
        let aevDocumentUrl = this.aevConfig.properties.endpoints.aev // assuming AEV is on same server as ADF
            + '/login/external.htm?'
            + 'docId=' + this.aevConfig.properties.alfrescoDocumentStorePrefix + this.node.id
            + '&username=' +  localStorage.getItem('ACS_USERNAME')
            + '&ticket=' + localStorage.getItem('ticket-ECM');
        return this.sanitizer.bypassSecurityTrustResourceUrl(aevDocumentUrl);
    }

Interestingly enough, it seems that video files are loading fine in AEV Video. Here's the relevant video code:

    getAEVUrlForVideo(): SafeResourceUrl {
        // update the src of the iframe to AEV's external authorization passing
        // the user login, ticket, and the id of the selected document
        let aevDocumentUrl = this.aevConfig.properties.endpoints.aevVideo // assuming AEV is on same server as ADF
            + '/#/login?'
            + 'docName=' + encodeURIComponent(this.node.name)
            + '&docId=' + this.aevConfig.properties.alfrescoDocumentStorePrefix + this.node.id
            + '&username=' + localStorage.getItem('ACS_USERNAME');

        // for auth we need to set the cookie before we return
        document.cookie = "ticket" + "=" + localStorage.getItem('ticket-ECM') + ";" + "path=/";

        return this.sanitizer.bypassSecurityTrustResourceUrl(aevDocumentUrl);
    }

We are not sure if the video code is somehow doing it the "right" way, or if it's working based on coincidence since usually the users are clicking on a doc, logging in via the AEV login screen, and then afterwards trying a video. Perhaps it is the order of actions and if the user clicked on a video first it would not work. Unknown at this point.

NOTE: We should vet any designed solution with ADF experts before moving forward with writing code

Some other notes:

    if 'ticket-ECM' is a ticket
      use it
    else
      translate the token to a ticket

Another interesting tidbit here is that the customer is using External Auth, so header-based. How does ADF convert header-based auth to a token or ticket in order to call into Alfresco? Might be an avenue to determine how the AEV component could recreate whatever ADF does in order to authenticate back to ACS.

Priority - marking for 3.5 for now, but this may end up needing to be on a patch release due to customer escalation.
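The ticket-vs-token check sketched in the pseudocode above, together with a version of the `getAEVUrl()` URL building that only forwards a genuine ACS ticket, as an added example. This is not code from the aca-aev repository or from ADF. The ticket format (`TICKET_` plus 40 hex characters), the JWT shape used to recognise an SSO token, the `exchange` hook that trades a token for a ticket, and every sample value are assumptions made for the example.

```typescript
// Added example for this issue; not code from aca-aev or ADF.
// It separates "what did ADF/SSO leave in storage" from "build the iframe URL",
// so an SSO bearer token is never sent to AEV's external login as a ticket.

export type Credential =
  | { kind: 'ticket'; value: string }   // an ACS ticket AEV can use directly
  | { kind: 'jwt'; value: string }      // an SSO bearer token; must be exchanged
  | { kind: 'unknown'; value: string }  // something else; do not forward it
  | { kind: 'none' };

// Assumed formats: an ACS ticket is "TICKET_" followed by 40 hex characters;
// an SSO bearer token is a JWT (header.payload.signature in base64url).
const TICKET_RE = /^TICKET_[0-9a-f]{40}$/i;
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Classify the raw string the host app stored (e.g. under 'ticket-ECM').
export function classifyCredential(raw: string | null | undefined): Credential {
  const value = (raw ?? '').trim();
  if (value === '') return { kind: 'none' };
  if (TICKET_RE.test(value)) return { kind: 'ticket', value };
  if (JWT_RE.test(value)) return { kind: 'jwt', value };
  return { kind: 'unknown', value };
}

// Turn whatever is stored into a ticket AEV can use. `exchange` is a
// hypothetical hook the host app supplies (for instance a call through ADF's
// auth services) that trades an SSO token for an ACS ticket; it returns null
// when the exchange fails. Only a well-formed ticket is ever returned.
export function resolveTicket(
  credential: Credential,
  exchange: (token: string) => string | null,
): string | null {
  switch (credential.kind) {
    case 'ticket':
      return credential.value;
    case 'jwt': {
      const ticket = exchange(credential.value);
      return ticket !== null && TICKET_RE.test(ticket) ? ticket : null;
    }
    default:
      // Nothing usable: the caller should show AEV's own login rather than
      // forwarding an arbitrary string as a ticket.
      return null;
  }
}

// Build the same external-login URL as getAEVUrl() in the issue, but with
// URLSearchParams so the username and node id are encoded, and refusing to
// build the URL at all when no ticket could be resolved.
export function buildAevExternalUrl(
  aevEndpoint: string,   // e.g. aevConfig.properties.endpoints.aev
  storePrefix: string,   // e.g. aevConfig.properties.alfrescoDocumentStorePrefix
  nodeId: string,
  username: string,
  ticket: string | null,
): string | null {
  if (ticket === null) return null;
  const params = new URLSearchParams({
    docId: storePrefix + nodeId,
    username,
    ticket,
  });
  return `${aevEndpoint}/login/external.htm?${params.toString()}`;
}
```

The shape mirrors the pseudocode: a ticket is used as-is, a JWT goes through the exchange hook, and anything else yields no URL instead of a request that OC will reject. Note that, exactly as in the original, the ticket still travels in the query string, so it reaches any server or proxy logs that record request URLs; keeping the iframe source on the same origin over HTTPS limits where that URL can be observed.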

gsteimer commented 2 years ago

See also: https://alfresco.atlassian.net/browse/MNT-22640

m-brouillette commented 2 years ago

It should be noted that the most up-to-date version of the code is using the ADF service methods for grabbing the ticket, not getting them from local storage directly:

image

engerernoah commented 2 years ago

Closing with aca-aev git repo commit https://git.tsgrp.com/root/aca-aev/-/commit/c29538ba3d28f8e4f548bb6223ac85b0f34d6cd0 AEV NOT AUTHENTICATING PROPERLY WITH ADF APPLICATION USING SSO: Fixing how we retrieve the ticket to include support for SSO enabled adf environments. Ticket code has been updated for AEV and AEVV, in the future these will likely be combined. CR: mbrouillette, jharkins

Test script updates in AEV revision 7467: AEV FOR ADF WITH SSO TEST SCRIPT UPDATE - Updating the ADF test script to include a test sheet for SSO enabled environments. This includes a link to a git repo that was created as part of testing ADF with AEV and SSO. This repo needs to be pulled down when going through the test scripts.

CR: mbrouillette, skovacinski