
How would I implement Okta Authentication in Gentics Mesh?

Gentics Mesh comes with support for Keycloak built-in, but I'd like to use Okta instead.

What's best practice?

Would it require modifying Mesh source code?

Or maybe I should handle authentication in a middleware layer?

Or could I implement the AuthServicePlugin to validate a token from Okta?
https://github.com/gentics/mesh/blob/dev/plugin-api/src/main/java/com/gentics/mesh/plugin/auth/AuthServicePlugin.java


I've tried using my Okta server in the mesh.yml config, but an exception is thrown.
This is the OIDC url for my Okta service -
https://{yourOktaDomain}/oauth2/v1/authorize

Unfortunately, the OAuth2 implementation seems to be Keycloak specific -

com.gentics.mesh.core.rest.error.GenericRestException: 500 Internal Server Error oauth_config_error at com.gentics.mesh.core.rest.error.Errors.error(Errors.java:124) ... Caused by: java.lang.RuntimeException: Error while loading realm info. Got code {404} at com.gentics.mesh.auth.MeshOAuth2ServiceImpl.fetchPublicRealmInfo(MeshOAuth2ServiceImpl.java:451)

It looks like it's piecing together a url that won't work for Okta.
https://github.com/gentics/mesh/blob/f85dac8bf954248a6556323d792e6b849fb1d593/services/keycloak-auth/src/main/java/com/gentics/mesh/auth/MeshOAuth2ServiceImpl.java#L434

If I'm not mistaken, the implementation [MeshOAuth2ServiceImpl] can be changed to support any OIDC.

The authentication mechanism has been recently updated.

Gentics Mesh will now take the role as a resource server. It can accept any JWT as long as the public key from the OAuth server has been added.

The plugin API has been updated to provide support for custom mappings between oauth user and mesh. This allows you for example to map multiple oauth2 users to one mesh user which contains the needed roles/groups. You can also create a 1:1 mapping in which every oauth2 user will be added to Mesh.

The public keys of the OAuth server can be loaded via plugin API or hardcoded in a public-keys.json file.

You can read more on this topic here: https://getmesh.io/docs/authentication/#_oauth2_oidc
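The approach this answer describes (Mesh as a resource server, Okta as the token issuer, the plugin API supplying keys and the user/group mapping) is shown in the following sketch of an AuthServicePlugin. This is an added example, not code from the Gentics Mesh project or from this answer: the class, package, issuer, audience, group-name prefix and logging are hypothetical, and the method names (`getPublicKeys`, `acceptToken`, `mapToken`, `MappingResult`) are taken from the linked interface and the Mesh plugin docs, so check them against the Mesh version you run.

```java
package com.example.mesh.okta; // hypothetical package

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.logging.Logger;

import org.pf4j.PluginWrapper;

import com.gentics.mesh.core.rest.group.GroupResponse;
import com.gentics.mesh.core.rest.user.UserUpdateRequest;
import com.gentics.mesh.plugin.AbstractPlugin;
import com.gentics.mesh.plugin.auth.AuthServicePlugin;
import com.gentics.mesh.plugin.auth.MappingResult;
import com.gentics.mesh.plugin.env.PluginEnvironment;

import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;

// Added example; method names assumed from the linked AuthServicePlugin interface.
public class OktaAuthPlugin extends AbstractPlugin implements AuthServicePlugin {

	private static final Logger LOG = Logger.getLogger(OktaAuthPlugin.class.getName());

	// Hypothetical values: replace with your Okta authorization server and the
	// audience you configured for the Mesh API in Okta.
	private static final String OKTA_ISSUER = "https://{yourOktaDomain}/oauth2/default";
	private static final String OKTA_JWKS_URL = OKTA_ISSUER + "/v1/keys";
	private static final String EXPECTED_AUDIENCE = "api://mesh";

	private final Set<JsonObject> cachedKeys = new CopyOnWriteArraySet<>();

	public OktaAuthPlugin(PluginWrapper wrapper, PluginEnvironment env) {
		super(wrapper, env);
	}

	/** Hand Okta's RSA signing keys (JWKs) to Mesh so it can verify RS256 signatures. */
	@Override
	public Set<JsonObject> getPublicKeys() {
		if (cachedKeys.isEmpty()) {
			try {
				HttpClient client = HttpClient.newHttpClient();
				HttpRequest request = HttpRequest.newBuilder(URI.create(OKTA_JWKS_URL)).GET().build();
				HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
				JsonArray keys = new JsonObject(response.body()).getJsonArray("keys", new JsonArray());
				for (int i = 0; i < keys.size(); i++) {
					JsonObject jwk = keys.getJsonObject(i);
					// Only RSA signing keys matter for RS256 verification; skip encryption keys.
					if ("RSA".equals(jwk.getString("kty")) && "sig".equals(jwk.getString("use", "sig"))) {
						cachedKeys.add(jwk);
					}
				}
			} catch (Exception e) {
				// An empty key set means no Okta token is accepted: the safe failure mode.
				LOG.severe("Could not load JWKS from Okta: " + e);
			}
		}
		// Okta rotates signing keys; production code should refresh this cache periodically.
		return cachedKeys;
	}

	/** Reject tokens that are validly signed but not issued for this API. */
	@Override
	public boolean acceptToken(HttpServerRequest req, JsonObject token) {
		boolean issuerOk = OKTA_ISSUER.equals(token.getString("iss"));
		Object aud = token.getValue("aud");
		boolean audienceOk = aud instanceof JsonArray
			? ((JsonArray) aud).contains(EXPECTED_AUDIENCE)
			: EXPECTED_AUDIENCE.equals(aud);
		return issuerOk && audienceOk;
	}

	/** Create/update the Mesh user and derive group membership from Okta's groups claim. */
	@Override
	public MappingResult mapToken(HttpServerRequest req, String userUuid, JsonObject token) {
		MappingResult result = new MappingResult();

		UserUpdateRequest user = new UserUpdateRequest();
		user.setUsername(token.getString("preferred_username", token.getString("sub")));
		user.setEmailAddress(token.getString("email"));
		user.setFirstname(token.getString("given_name"));
		user.setLastname(token.getString("family_name"));
		result.setUser(user);

		// Okta only adds a "groups" claim when the authorization server is configured to do so.
		List<GroupResponse> groups = new ArrayList<>();
		JsonArray oktaGroups = token.getJsonArray("groups", new JsonArray());
		for (int i = 0; i < oktaGroups.size(); i++) {
			String name = oktaGroups.getString(i);
			if (name.startsWith("mesh-")) { // hypothetical naming convention for Mesh groups
				GroupResponse group = new GroupResponse();
				group.setName(name);
				groups.add(group);
			}
		}
		result.setGroups(groups);
		return result;
	}
}
```

The split of responsibilities is the point: Mesh checks the signature against the keys returned by `getPublicKeys()`, `acceptToken` adds the issuer and audience checks that a signature alone cannot give you, and `mapToken` is where the answer's "many OAuth users to one Mesh user" or 1:1 policy lives.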

According to the Gentics Mesh docs, OAuth2 is supported out of the box. I'd use the OpenID Connect features in Okta to get the JWT and use that within Gentics Mesh.

There's a configuration example on using OIDC with KeyCloak, but you can substitute your Okta endpoints for the provided KeyCloak endpoints.

security:
  oauth2:
    enabled: true
    config:
      realm: "master"
      authServerUrl: "http://localhost:3000/auth" # Okta endpoint here
      sslRequired: "external"
      resource: "mesh"
      credentials:
        secret: "9b65c378-5b4c-4e25-b5a1-a53a381b5fb4" # application secret here
      confidentialPort: 0

Also according to the docs, if you need roles mappings, you'll have to create an AuthServicePlugin.
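For the public-keys.json route mentioned in the earlier answer (rather than a plugin), the following added example shows how to turn Okta's JWKS document into that file and which checks a resource server applies to an incoming token before (and in addition to) the RSA signature check. This is not code from Gentics Mesh or from either answer: the JWKS sample, issuer, audience and token are constructed, the public-keys.json layout (a JSON array of JWK objects) is assumed, and the signature verification itself is left to the JOSE library the server uses.

```python
import base64
import json
import time

# Constructed sample of what an Okta JWKS endpoint (/oauth2/v1/keys) returns.
# The "n" value is a placeholder, not a real modulus.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "okta-key-1",
         "n": "placeholder-modulus-base64url", "e": "AQAB"},
        {"kty": "EC", "crv": "P-256", "use": "enc", "kid": "okta-enc-1",
         "x": "placeholder", "y": "placeholder"},
    ]
}


def jwks_to_public_keys(jwks):
    """Keep only RSA signing keys: an encryption key or a non-RS256 key must never
    end up in the trusted set. Assumed public-keys.json layout: a JSON array of JWKs."""
    return [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"
            and k.get("alg", "RS256") == "RS256" and "kid" in k]


def write_public_keys_json(jwks, path):
    """Write the filtered key set in the assumed public-keys.json layout."""
    keys = jwks_to_public_keys(jwks)
    with open(path, "w") as fh:
        json.dump(keys, fh, indent=2)
    return keys


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_test_token(header, claims):
    """Constructed test input: a JWT with a dummy signature, used only to exercise
    the claim checks below."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"not-a-real-signature")])


def select_key(token, public_keys, issuer, audience, now=None):
    """Resource-server checks that precede signature verification.
    Returns (jwk, claims) when the token may proceed to the RSA check,
    or (None, reason) when it must be rejected."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, _sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return None, "malformed token"
    # Pin the algorithm: never let the token choose "none" or an HMAC variant.
    if header.get("alg") != "RS256":
        return None, "unexpected alg %r" % header.get("alg")
    key = next((k for k in public_keys if k["kid"] == header.get("kid")), None)
    if key is None:
        return None, "unknown kid %r" % header.get("kid")
    if claims.get("iss") != issuer:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    if claims.get("nbf", 0) > now:
        return None, "token not yet valid"
    return key, claims
```

Run `write_public_keys_json(SAMPLE_JWKS, "public-keys.json")` against a JWKS fetched from your Okta domain to produce the file; `select_key` then illustrates why a trusted key set is not enough on its own: the `kid` lookup, the pinned `alg`, and the `iss`/`aud`/`exp` checks are what stop a validly signed token for another application from being accepted.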
