
Alfresco Authorization Server

Question asked by binduwavell on Mar 31, 2017
Latest reply on Sep 28, 2017 by resplin

I noticed this bullet point for the upcoming release of alfresco-js-api 1.3.0:

This is then backed up by this commit:

 

From these, I discovered this documentation:

 

These docs are a good start, but they definitely need a bunch more love.

 

From the architecture diagram and some of the text it appears that this can authenticate against content services and also possibly perform proxying to content and process services in addition to handling most of the oauth flows. We can infer from the config parameters that this is using Netflix Zuul to perform proxying/routing. Can we use this to serve directly or proxy to ADF apps? Can we use this to perform any kind of intelligent load balancing for content or process services? Does this allow us to get away from the "CORS hell" we've been in for the last year?

 

It is not clear to me how this “micro service” integrates with content services. Should we run it in its own app server, or in the content services or process services app server?

 

It is not clear if we can use this to authorize access to Share or only Process Services (and soon alfresco-js-api, and presumably ADF apps). The docs seem to indicate that the identity is actually maintained by content services. Other than providing a URL for process services, I couldn't find any information about how these components interact with each other. How does Alfresco Authorization Server establish your identity from the repository? Do we have to do any configuration on the repository side?

 

The docs do link to a WAR file on artifacts.alfresco.com. This artifact requires Alfresco Process Services Enterprise credentials. Why is this tied to Process Services if it's going to be used by ADF (and hopefully Share)? Is this going to be made available to folks using the community edition of content or process services? ADF can be used with the community edition of content services at this point, even though it can't yet be used with the community version of process services.

 

The docs indicate that a third party OAuth2 provider (Ping Identity is suggested, what about Google Auth?) can be utilized by Alfresco Process Services. This part of the diagram appears to bypass the Alfresco Authorization Server. If this server provides useful proxying support for ADF or any kind of other intelligent routing, I wonder if it would be possible for the third party identity provider to relay through the Alfresco Authorization Server?

 

Any chance that Alfresco Authorization Server has (or will add) support for non OAuth2 SSO providers (AD/LDAP, CAS, external, Kerberos, NTLM, SAML2, SiteMinder)? It would be amazing to have a single (hopefully well documented) component providing comprehensive Authorization services to the Alfresco product portfolio; so we can configure auth once and have it work the same with Content Services, Share, Process Services and ADF apps.

 

In any case, I'm very excited about some of the possible use cases with adding native OAuth2 capabilities to the Alfresco portfolio and I'm looking forward to hearing more about the existing capabilities and also any plans for the future.

 

What are others in the community thinking about these developments?
