Custom authentication for headless APICustom authentication for headless APIhttps://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1200657912026-05-10T16:30:20Z2026-05-10T16:30:20ZRE: Custom authentication for headless APIFabian Bouchéhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1204214012020-11-09T08:26:06Z2020-11-09T08:26:06Z<p>Hi Andrej,</p>
<p>I've achieved what you're looking at. You can check a sample project
over here: <a href="https://github.com/fabian-bouche-liferay/external-oauth">https://github.com/fabian-bouche-liferay/external-oauth</a></p>
<p>I've also talked to Carlos and I agree that RFC 8693 would be an
easier solution to address this same requirement.</p>
<p>Whatever the path, bear in mind that the biggest effort when dealing
with maintenance is going to keep the scopes synchronized between
Liferay and your authorization server to manage the permissions given
to clients on the liferay headless CMS objects.</p>
<p>If you were to use my current solution, please get back to me if you
have any feedback. I'm not using in a real project yet.</p>
<p>Kind regards,</p>
<p>Fabian</p>Fabian Bouché2020-11-09T08:26:06ZRE: Custom authentication for headless APICarlos Sierrahttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1204077212020-11-06T14:32:54Z2020-11-06T14:32:54Z<p>Hi Andrej,</p>
<p>as Jack points out, the best way to do this is registering your own
AuthVerifier to process and validate the incoming JWT token.</p>
<p>There are a lot of different ways to process a JWT token and they can
bear a lot of different information, not to mention encryption or
signatures, that's the main reason you need to register a
customization for this.</p>
<p>We are tracking this <a
href="https://tools.ietf.org/html/rfc8693">proposed standard</a> in
our backlog to provide a more standard way of processing JWT in the
future. Although it is possible that still some customizations would
need to be applied we should expect a more straightforward integration
with the OAuth2 layer.</p>
<p>Hope this helps.</p>
<p>Carlos.</p>Carlos Sierra2020-11-06T14:32:54ZRE: Custom authentication for headless APIJack Bakkerhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1200736982020-10-09T13:15:05Z2020-10-09T13:15:05ZI need this too, and still need to devote time to try coding for it, perhaps with an AuthVerifier. I currently have an API gateway (Krakend) in front of Liferay which does the JWT validation against Keycloak. Jack Bakker2020-10-09T13:15:05ZCustom authentication for headless APIAndrej Gregorkahttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1200657902020-11-09T17:25:06Z2020-10-08T15:06:05ZHow can I write a custom authentication plugin for headless API avaiable on /o/headless-delivery/..<br />
According to documentation (<a href="https://help.liferay.com/hc/en-us/articles/360039026192-Making-Authenticated-Requests">https://help.liferay.com/hc/en-us/articles/360039026192-Making-Authenticated-Requests</a>
), its only possible to use Basic Auth, Oauth2, cookies.<br />
I would like to login using external JWT token from Keycloak using
openidconnect protocol. I can set up Keycloak login on portal itself but
I see no way of using that for headless API.<br />
I tried creating AutoLogin plugin, where I would validate the JWT token
provided in header, but I see that it does not even trigger when
accessing /o/headless-delivery/.. URL.How can I enable that or what is
the correct way to enable custom authentication for headless API. <br />
Without being able to do this we can't use Liferay as CMS for our solution.Andrej Gregorka2020-10-08T15:06:05Z