Warning: This bundle is under development; do not use in production.
This bundle adds support for Sling-based applications to function as OpenID Connect relying parties. Its main objective is to simplify access to user and access tokens in a secure manner.
mvn clean install
does not find the bundle generated in the current reactor build.
An OpenID Connect client must be registered with an authorization server, and a callback URL of $HOST/system/sling/oidc/callback registered. This is typically http://localhost:8080/system/sling/oidc/callback.
Validated providers:
A number of additional bundles need to be added to the Sling Starter, see the feature model definition at src/main/features/main.json .
After deploying the bundle using mvn package sling:install, go to http://localhost:8080/system/console/configMgr and create a new configuration factory instance for OpenID Connect connection details. Write down the name property; we'll refer to it as $CONNECTION_NAME.
Ensure you are logged in.
At this point you can navigate to /home/users/${USERNAME}/oidc-tokens/${CONNECTION_NAME} and you will see the stored access token.
mvn clean install
mvn feature-launcher:start feature-launcher:stop -Dfeature-launcher.waitForInput
$ export CLIENT_SECRET=$(cat src/test/resources/keycloak-import/sling.json | jq --raw-output '.clients[] | select (.clientId == "oidc-test") | .secret')
$ curl -u admin:admin -X POST -d "apply=true" -d "propertylist=name,baseUrl,clientId,clientSecret,scopes" \
    -d "name=keycloak-dev" \
    -d "baseUrl=http://localhost:8081/realms/sling" \
    -d "clientId=oidc-test" \
    -d "clientSecret=$CLIENT_SECRET" \
    -d "scopes=openid" \
    -d "factoryPid=org.apache.sling.servlets.oidc_rp.impl.OidcConnectionImpl" \
    http://localhost:8080/system/console/configMgr/org.apache.sling.servlets.oidc_rp.impl.OidcConnectionImpl~keycloak-dev
Now you can
Note that this imports the test setup with a single user with a redirect_uri set to http://localhost*, which can be a security issue.
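As an added example (not part of this bundle or its test resources), a small Python check over a Keycloak realm export in the shape of src/test/resources/keycloak-import/sling.json: for a given client it flags wildcard redirect URIs, plain-http redirect URIs outside localhost, and any redirect URI other than the exact Sling callback on the given host. The realm documents, client secret and audit function are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Path the bundle registers as its callback (from the README above).
SLING_CALLBACK_PATH = "/system/sling/oidc/callback"
LOCAL_HOSTS = ("localhost", "127.0.0.1")

# Constructed sample in the shape of a Keycloak realm export; it mirrors the
# test realm's oidc-test client with its http://localhost* redirect URI.
SAMPLE_REALM = json.dumps({"realm": "sling", "clients": [
    {"clientId": "oidc-test", "secret": "constructed-secret",
     "redirectUris": ["http://localhost*"]},
]})

# Same client restricted to the exact callback of a local Sling instance.
HARDENED_REALM = json.dumps({"realm": "sling", "clients": [
    {"clientId": "oidc-test", "secret": "constructed-secret",
     "redirectUris": ["http://localhost:8080" + SLING_CALLBACK_PATH]},
]})


def audit_client_redirects(realm_json: str, client_id: str, host: str) -> list:
    """Findings for `client_id`; empty means only the exact callback on `host`."""
    expected = host.rstrip("/") + SLING_CALLBACK_PATH
    clients = [c for c in json.loads(realm_json).get("clients", [])
               if c.get("clientId") == client_id]
    if not clients:
        return [f"client {client_id} not found in realm export"]
    uris = clients[0].get("redirectUris", [])
    findings = []
    if expected not in uris:
        findings.append(f"exact callback {expected} is not registered")
    for uri in uris:
        if "*" in uri:
            # A wildcard lets the authorization server deliver authorization
            # codes to any matching URL, not only the bundle's callback servlet.
            findings.append(f"wildcard redirect URI: {uri}")
            continue
        parsed = urlparse(uri)
        if parsed.scheme == "http" and parsed.hostname not in LOCAL_HOSTS:
            findings.append(f"plain http redirect URI outside localhost: {uri}")
        if uri != expected:
            findings.append(f"extra redirect URI: {uri}")
    return findings
```

Run it against the realm file before importing it into a non-development Keycloak; an empty list for the connection's clientId means the client can only redirect to the bundle's callback.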
$ docker run --rm --volume $(pwd)/src/test/resources/keycloak-import:/opt/keycloak/data/import -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.3 start-dev --import-realm
$ docker run --rm --volume $(pwd)/keycloak-data:/opt/keycloak/data -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.3 start-dev
TODO
org.apache.sling.servlets.oidc_rp.impl.OidcConnectionImpl
  name: keycloak
  baseUrl: http://localhost:8081/realms/sling
  clientId: oidc-test
  clientSecret: (copied from above)
  scopes: openid
$ docker run --rm --volume $(pwd)/keycloak-data:/opt/keycloak/data -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.3 export --realm sling --users realm_file --file /opt/keycloak/data/export/sling.json