[MGNLSSO-35] Allow Magnolia to be used as pac4j middle-man in PUR scenarios
Created: 27/Jul/20  Updated: 25/Jan/24  Resolved: 16/Mar/21

Status: Closed
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task
Priority: Neutral
Reporter: Maxime Michel
Assignee: Unassigned
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLSSO-20 Decouple the module from Keycloak tha... Closed
causality
caused by MGNLSSO-23 Only run SSO authentication on select... Closed
dependency
depends upon MGNLSSO-32 Further securityCallback research Accepted
duplicate
is duplicated by MGNLSSO-86 Add Support for Authorisation of Web ... Open
is duplicated by MGNLSSO-277 Support SSO for specific domains Open
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Date of First Response:

 Description   

Although pac4j's APIs helped a lot in order to lower the code complexity of logging a user into Admincentral using Keycloak as an identity provider, the module still could do more.

One common scenario is a user logging into an area of a public website through Facebook, Twitter, GitHub, etc. SSO authentication.

A back-end server is needed in those cases because without it, the front-end application would need to store the application ID and secret in the front-end code directly, which is unsafe, as it can be read easily.

Luckily, Magnolia and pac4j can chime in. pac4j ships a ton of pre-configured clients: http://www.pac4j.org/docs/clients/oauth.html

What we would need to do would be to provide configurable endpoints, such as the following simple project does: https://github.com/jooby-project/pac4j-starter

This has little to do with the current use case the module is solving. Magnolia components such as the login and logout filters, the UserManager, the ExternalUser, etc. can be left out from such a scenario.

I therefore suggest splitting the module into two or three distinct submodules:

  • one for Admincentral login with Keycloak for our cloud
  • one for easy front-end integrations for customers
  • one for common components


 Comments   
Comment by Maxime Michel [ 16/Mar/21 ]

We ended up deciding to not cover this use case in this module.

Comment by Mikaël Geljić [ 25/Jan/24 ]

Tracking this story as MGNLSSO-86 moving forward.

Generated at Mon Feb 12 10:50:29 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.