Custom authentication for headless API
According to the documentation (https://help.liferay.com/hc/en-us/articles/360039026192-Making-Authenticated-Requests ), it's only possible to use Basic Auth, OAuth2, or cookies.
I would like to log in using an external JWT token from Keycloak using the OpenID Connect protocol. I can set up Keycloak login on the portal itself, but I see no way of using that for the headless API.
I tried creating an AutoLogin plugin, where I would validate the JWT token provided in the header, but I see that it does not even trigger when accessing the /o/headless-delivery/.. URL. How can I enable that, or what is the correct way to enable custom authentication for the headless API?
Without being able to do this we can't use Liferay as CMS for our solution.
RE: Custom authentication for headless API
RE: Custom authentication for headless API
Hi Andrej,
As Jack points out, the best way to do this is to register your own AuthVerifier to process and validate the incoming JWT token.
There are a lot of different ways to process a JWT token, and they can bear a lot of different information, not to mention encryption or signatures; that's the main reason you need to register a customization for this.
We are tracking this proposed standard in our backlog to provide a more standard way of processing JWTs in the future. Although it is possible that some customizations would still need to be applied, we should expect a more straightforward integration with the OAuth2 layer.
Hope this helps.
Carlos.
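An added example of the AuthVerifier approach Carlos describes (not code from this thread or from Fabian's project): a Keycloak-issued RS256 JWT taken from the Authorization header is checked for algorithm, signature, expiry and issuer, then mapped to a Liferay user by its email claim. Assumptions: the Nimbus JOSE+JWT library is on the bundle's classpath, the realm public key is loaded by your own configuration, and the class name, auth type and realm URL are placeholders; the component property scopes the verifier to the headless paths and embeds the class's simple name.

```java
import com.liferay.portal.kernel.security.access.control.AccessControlContext;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifier;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.PortalUtil;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.util.Properties;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Scoped to the headless paths only; the property key embeds the class's simple name.
@Component(property = "auth.verifier.KeycloakJwtAuthVerifier.urls.includes=/o/headless-delivery/*",
    service = AuthVerifier.class)
public class KeycloakJwtAuthVerifier implements AuthVerifier {
    private static final String ISSUER = "https://keycloak.example/realms/demo"; // placeholder realm URL
    private RSAPublicKey _realmKey; // realm RSA public key; loading it from your configuration is assumed
    @Reference private UserLocalService _userLocalService;
    @Override public String getAuthType() { return "KeycloakJWT"; }

    @Override
    public AuthVerifierResult verify(AccessControlContext ctx, Properties props) throws AuthException {
        AuthVerifierResult result = new AuthVerifierResult();
        String auth = ctx.getRequest().getHeader("Authorization");
        if (auth == null || !auth.startsWith("Bearer ")) { // no bearer token: let other verifiers run
            result.setState(AuthVerifierResult.State.NOT_APPLICABLE);
            return result;
        }
        try {
            SignedJWT jwt = SignedJWT.parse(auth.substring(7));
            // Pin RS256 and verify against the realm key, so "alg":"none" or HMAC tokens are refused
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm()) || !jwt.verify(new RSASSAVerifier(_realmKey)))
                throw new AuthException("Bad algorithm or signature");
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            // Reject expired tokens and tokens minted by any issuer other than our realm
            if (claims.getExpirationTime() == null || claims.getExpirationTime().getTime() < System.currentTimeMillis()
                    || !ISSUER.equals(claims.getIssuer()))
                throw new AuthException("Expired or issued by another realm");
            // Map the token's email claim to an existing Liferay user of this company
            result.setUserId(_userLocalService.getUserByEmailAddress(
                PortalUtil.getCompanyId(ctx.getRequest()), claims.getStringClaim("email")).getUserId());
            result.setState(AuthVerifierResult.State.SUCCESS);
        } catch (Exception e) { // parse error, bad signature, unknown user: deny, never fall through
            result.setState(AuthVerifierResult.State.UNSUCCESSFUL);
        }
        return result;
    }
}
```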
RE: Custom authentication for headless API
Hi Andrej,
I've achieved what you're looking for. You can check a sample project over here: https://github.com/fabian-bouche-liferay/external-oauth
I've also talked to Carlos and I agree that RFC 8693 would be an easier solution to address this same requirement.
Whatever the path, bear in mind that the biggest maintenance effort is going to be keeping the scopes synchronized between Liferay and your authorization server to manage the permissions given to clients on the Liferay headless CMS objects.
If you were to use my current solution, please get back to me if you have any feedback. I'm not using it in a real project yet.
Kind regards,
Fabian