
How would I implement Okta Authentication in Gentics Mesh?

Gentics Mesh comes with support for Keycloak built-in, but I'd like to use Okta instead.

What's best practice?

Would it require modifying Mesh source code?

Or maybe I should handle authentication in a middleware layer?

Or could I implement the AuthServicePlugin to validate a token from Okta?
https://github.com/gentics/mesh/blob/dev/plugin-api/src/main/java/com/gentics/mesh/plugin/auth/AuthServicePlugin.java

Update
I've tried using my Okta server in the mesh.yml config, but an exception is thrown.
This is the OIDC URL for my Okta service -
https://{yourOktaDomain}/oauth2/v1/authorize

Unfortunately, the OAuth2 implementation seems to be Keycloak specific -

com.gentics.mesh.core.rest.error.GenericRestException: 500 Internal Server Error oauth_config_error
    at com.gentics.mesh.core.rest.error.Errors.error(Errors.java:124)
    ...
Caused by: java.lang.RuntimeException: Error while loading realm info. Got code {404}
    at com.gentics.mesh.auth.MeshOAuth2ServiceImpl.fetchPublicRealmInfo(MeshOAuth2ServiceImpl.java:451)

It looks like it's piecing together a URL that won't work for Okta.
https://github.com/gentics/mesh/blob/f85dac8bf954248a6556323d792e6b849fb1d593/services/keycloak-auth/src/main/java/com/gentics/mesh/auth/MeshOAuth2ServiceImpl.java#L434

If I'm not mistaken, the implementation [MeshOAuth2ServiceImpl] can be changed to support any OIDC.

The authentication mechanism has been recently updated.

Gentics Mesh will now take the role of a resource server. It can accept any JWT as long as the public key from the OAuth server has been added.

The plugin API has been updated to provide support for custom mappings between OAuth user and Mesh. This allows you, for example, to map multiple OAuth2 users to one Mesh user which contains the needed roles/groups. You can also create a 1:1 mapping in which every OAuth2 user will be added to Mesh.

The public keys of the OAuth server can be loaded via plugin API or hardcoded in a public-keys.json file.

You can read more on this topic here: https://getmesh.io/docs/authentication/#_oauth2_oidc
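What "accept any JWT as long as the public key has been added" amounts to on the resource-server side, as an added example that is not Gentics Mesh or Okta code: a constructed RSA key pair stands in for the identity provider's signing key, its public half is exported as a JWK in the shape a public-keys.json-style list would hold, and verify_jwt() refuses a token unless the key named by its kid is one we already trust, the RS256 signature checks out against that key, and the issuer, audience and expiry claims are what this deployment expects. The kid names, the issuer URL, the audience value "mesh" and the pure-Python RSA routines are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import random
import time
# DER DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, section 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin for large odd n; good enough to build a constructed demo key."""
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_keypair(bits: int = 1024):
    """Constructed key pair standing in for the OAuth server's signing key: (n, e, d)."""
    e = 65537  # prime, so phi % e != 0 already guarantees gcd(e, phi) == 1
    while True:
        p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and is_probable_prime(p) and is_probable_prime(q) and phi % e:
            return p * q, e, pow(e, -1, phi)

def rsa_sign_pkcs1_sha256(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsa_verify_pkcs1_sha256(message: bytes, sig: bytes, n: int, e: int) -> bool:
    # Rebuild the whole expected encoding and compare it, instead of parsing the padding.
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return hmac.compare_digest(em, b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t)

def public_jwk(kid: str, n: int, e: int) -> dict:
    be = lambda x: x.to_bytes((x.bit_length() + 7) // 8, "big")  # JWK uses big-endian base64url ints
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": b64url_encode(be(n)), "e": b64url_encode(be(e))}

def issue_token(claims: dict, kid: str, n: int, d: int) -> str:  # identity-provider side, only to build test input
    header = {"alg": "RS256", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + b64url_encode(rsa_sign_pkcs1_sha256(signing_input.encode(), n, d))

def verify_jwt(token: str, trusted_keys: list, issuer: str, audience: str, now: float = None):
    """Resource-server check. Returns (True, claims) or (False, reason); claims are untrusted until True."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)), b64url_decode(s_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # the verifier, not the token, picks the algorithm
        return False, "unexpected alg"
    jwk = next((k for k in trusted_keys if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:  # kid not among the configured keys: untrusted issuer, or a key rotation we have not picked up
        return False, "unknown kid"
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    if not rsa_verify_pkcs1_sha256(f"{h_b64}.{p_b64}".encode(), sig, n, e):
        return False, "bad signature"
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return False, "wrong issuer"
    if claims.get("aud") != audience:
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, claims

def demo() -> dict:
    # Constructed scenario: one trusted IdP key plus a rogue key that reuses the trusted kid.
    (n, e, d), (rogue_n, _, rogue_d) = generate_rsa_keypair(), generate_rsa_keypair()
    trusted = [public_jwk("okta-key-1", n, e)]  # what a public-keys.json-style list would carry (assumed shape)
    issuer, audience = "https://example.okta.com/oauth2/default", "mesh"  # constructed values
    claims = {"iss": issuer, "aud": audience, "sub": "alice@example.com", "exp": int(time.time()) + 300}
    tokens = {"good": issue_token(claims, "okta-key-1", n, d),
              "forged": issue_token(claims, "okta-key-1", rogue_n, rogue_d),
              "unknown_kid": issue_token(claims, "okta-key-2", n, d),
              "expired": issue_token({**claims, "exp": int(time.time()) - 1}, "okta-key-1", n, d)}
    return {name: verify_jwt(t, trusted, issuer, audience) for name, t in tokens.items()}
```

Running demo() accepts only the "good" token; the forged, unknown-kid and expired ones come back with the reason they were refused. The kid lookup is the part that ties this to the answer: a key list hard-coded in a file goes stale when the identity provider rotates its signing keys, so tokens start failing with "unknown kid", which is the case for loading the keys through the plugin API instead of a static file.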

According to the Gentics Mesh docs, OAuth2 is supported out of the box. I'd use the OpenID Connect features in Okta to get the JWT and use that within Gentics Mesh.

There's a configuration example on using OIDC with Keycloak, but you can substitute your Okta endpoints for the provided Keycloak endpoints.

security:
  oauth2:
    enabled: true
    config:
      realm: "master"
      authServerUrl: "http://localhost:3000/auth" # Okta endpoint here
      sslRequired: "external"
      resource: "mesh"
      credentials:
        secret: "9b65c378-5b4c-4e25-b5a1-a53a381b5fb4" # application secret here
      confidentialPort: 0

Also according to the docs, if you need role mappings, you'll have to create an AuthServicePlugin.
