
Add support for configurable oAuth2 scopes #2513

Open
loftux opened this issue Mar 15, 2024 · 3 comments

Comments


loftux commented Mar 15, 2024

The oAuth2 scopes that Alfresco requests from the authentication server need to be configurable.
Currently they are hardcoded:
https://github.com/Alfresco/alfresco-community-repo/blob/master/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java#L384

Explanation
Trying to implement oAuth2 with Authentik (https://goauthentik.io), I got an error saying "ERROR [site.servlet.AIMSFilter] [http-nio-8080-exec-2] Resulted in Error while doing refresh token refreshToken cannot be null".
I tracked it down to the fact that you have to grant the "offline_access" scope for Authentik to send it:
goauthentik/authentik#8660
I assume this also means the client (Alfresco) has to request it, but that is currently not possible.

Side note: I think using Authentik can be a good reference implementation to test that Alfresco has good support for oAuth2, and not just with Keycloak.


loftux commented Mar 15, 2024

I noticed that "offline_access" is already requested here for the Admin console:

```java
private static final Set<String> SCOPES = Set.of("openid", "profile", "email", "offline_access");
```

I could get authentication to work for admin console, but not for anything more.

@damianujma for the ACS-6601


loftux commented Mar 25, 2024

Maybe there is no need for a configurable setting for this; just add it by default to IdentityServiceFacadeFactoryBean.
I'm not sure if there is a reason it is not there, which is why I'm not making a PR; maybe it does need to be omitted for other clients such as Keycloak.

Reference for why I needed this change to get it to work with Authentik: https://docs.goauthentik.io/docs/providers/oauth2/#refresh_token


loftux commented Mar 25, 2024

More references showing that "offline_access" is needed for the refresh token to be issued:

https://auth0.com/docs/secure/tokens/refresh-tokens/get-refresh-tokens
https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

Interesting discussion in manfredsteyer/angular-oauth2-oidc#1241 on how to interpret the standard.
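An added example, not Alfresco code and not from the issue author, of how the hardcoded scope set discussed in this thread could be replaced by a configured one with the checks a practitioner would want: scope tokens validated against RFC 6749, "openid" enforced, and a fail-fast check at token exchange so a missing refresh token surfaces at the provider boundary instead of as "refreshToken cannot be null" later. The property name `identity-service.scopes` is an assumption.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Illustrative helper, not Alfresco code. The property name
// "identity-service.scopes" mentioned below is an assumption.
public final class OidcScopes {
    // The admin-console default quoted above, minus offline_access.
    static final Set<String> DEFAULT_SCOPES = Set.of("openid", "profile", "email");
    static final String OFFLINE_ACCESS = "offline_access";
    // RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
    private static final Pattern SCOPE_TOKEN = Pattern.compile("[\\x21\\x23-\\x5B\\x5D-\\x7E]+");

    private OidcScopes() {}

    // Parses e.g. identity-service.scopes=openid,profile,email,offline_access.
    // Keeps order, drops duplicates and blanks, rejects malformed tokens, and
    // insists on "openid", since OpenID Connect requires it in every request.
    public static Set<String> fromProperty(String value) {
        Set<String> scopes = new LinkedHashSet<>();
        if (value == null || value.isBlank()) {
            scopes.addAll(DEFAULT_SCOPES);
        } else {
            for (String raw : value.split(",")) {
                String scope = raw.trim();
                if (scope.isEmpty()) continue;
                if (!SCOPE_TOKEN.matcher(scope).matches()) {
                    throw new IllegalArgumentException("invalid scope token: " + scope);
                }
                scopes.add(scope);
            }
        }
        if (!scopes.contains("openid")) {
            throw new IllegalArgumentException("scope list must contain \"openid\"");
        }
        return Collections.unmodifiableSet(scopes);
    }

    // Fail at token exchange instead of later with "refreshToken cannot be null":
    // offline_access was requested, so a missing refresh_token means the provider
    // did not grant it (with Authentik the scope must also be allowed server-side).
    public static void requireRefreshToken(Set<String> requested, Map<String, ?> tokenResponse) {
        if (requested.contains(OFFLINE_ACCESS) && tokenResponse.get("refresh_token") == null) {
            throw new IllegalStateException("offline_access requested but no refresh_token issued");
        }
    }
}
```

`String.join(" ", scopes)` gives the space-delimited value for the authorization request's `scope` parameter.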
