Custom authentication for headless API

Andrej Gregorka, modified 3 Years ago.

Custom authentication for headless API

New Member Post: 1 Join Date: 10/8/20 Recent Posts
How can I write a custom authentication plugin for the headless API available on /o/headless-delivery/..?
According to the documentation (https://help.liferay.com/hc/en-us/articles/360039026192-Making-Authenticated-Requests), it's only possible to use Basic Auth, OAuth2, or cookies.
I would like to log in using an external JWT token from Keycloak using the OpenID Connect protocol. I can set up Keycloak login on the portal itself, but I see no way of using that for the headless API.
I tried creating an AutoLogin plugin, where I would validate the JWT token provided in the header, but I see that it does not even trigger when accessing the /o/headless-delivery/.. URL. How can I enable that, or what is the correct way to enable custom authentication for the headless API?
Without being able to do this, we can't use Liferay as a CMS for our solution.
Jack Bakker, modified 3 Years ago.

RE: Custom authentication for headless API

Liferay Master Posts: 978 Join Date: 1/3/10 Recent Posts
I need this too, and still need to devote time to try coding for it, perhaps with an AuthVerifier. I currently have an API gateway (Krakend) in front of Liferay which does the JWT validation against Keycloak. 
Carlos Sierra, modified 3 Years ago.

RE: Custom authentication for headless API

Junior Member Posts: 32 Join Date: 5/21/13 Recent Posts

Hi Andrej,

As Jack points out, the best way to do this is registering your own AuthVerifier to process and validate the incoming JWT token.

There are a lot of different ways to process a JWT token, and they can bear a lot of different information, not to mention encryption or signatures; that's the main reason you need to register a customization for this.

We are tracking this proposed standard in our backlog to provide a more standard way of processing JWTs in the future. Although it is possible that some customizations would still need to be applied, we should expect a more straightforward integration with the OAuth2 layer.

Hope this helps.

Carlos.
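An added sketch of the AuthVerifier approach described in this thread (my own code, not Liferay's, Fabian's project or anything from the posts above): it verifies an RS256-signed Keycloak bearer token against the realm's JWKS endpoint using the nimbus-jose-jwt library (an assumed dependency), checks the issuer, and maps the token's email claim to a Liferay user. The realm URL, the email-to-user mapping and the `KeycloakJWT` auth type name are assumptions; the `auth.verifier.<SimpleClassName>.urls.includes` property and the kernel APIs are those of Liferay 7.x.

```java
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.access.control.AccessControlContext;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.auth.verifier.*;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.PortalUtil;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URL;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import org.osgi.service.component.annotations.*;

// The property key is auth.verifier.<SimpleClassName>.urls.includes, so only headless-delivery requests reach this verifier.
@Component(property = "auth.verifier.KeycloakJwtAuthVerifier.urls.includes=/o/headless-delivery/*", service = AuthVerifier.class)
public class KeycloakJwtAuthVerifier implements AuthVerifier {
	private static final String ISSUER = "https://keycloak.example.com/realms/myrealm"; // placeholder realm URL (assumption)
	private final DefaultJWTProcessor<SecurityContext> _jwtProcessor = new DefaultJWTProcessor<>();
	@Reference private UserLocalService _userLocalService;

	public KeycloakJwtAuthVerifier() throws Exception {
		// Accept only RS256 signatures made with a key the realm publishes in its JWKS document (no "alg=none", no HMAC confusion).
		_jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256,
			new RemoteJWKSet<>(new URL(ISSUER + "/protocol/openid-connect/certs"))));
	}
	@Override public String getAuthType() { return "KeycloakJWT"; }
	@Override
	public AuthVerifierResult verify(AccessControlContext ctx, Properties properties) throws AuthException {
		AuthVerifierResult result = new AuthVerifierResult();
		HttpServletRequest request = ctx.getRequest();
		String header = request.getHeader("Authorization");
		// No bearer token: report NOT_APPLICABLE so Liferay's other verifiers (Basic, OAuth2, cookie) still get a chance.
		if ((header == null) || !header.startsWith("Bearer ")) { result.setState(AuthVerifierResult.State.NOT_APPLICABLE); return result; }
		try {
			// process() verifies the signature and rejects expired tokens; issuer and user mapping are checked here.
			JWTClaimsSet claims = _jwtProcessor.process(header.substring(7), null);
			User user = ISSUER.equals(claims.getIssuer()) ? _userLocalService.fetchUserByEmailAddress(
				PortalUtil.getCompanyId(request), claims.getStringClaim("email")) : null;
			if (user != null) {
				result.setState(AuthVerifierResult.State.SUCCESS);
				result.setUserId(user.getUserId());
				return result;
			}
		} catch (Exception e) { // malformed token, bad signature, expired, or unparsable claim: treated as invalid below
		}
		result.setState(AuthVerifierResult.State.INVALID_CREDENTIALS);
		return result;
	}
}
```

Authorization (which scopes the client may use on which headless objects) is a separate concern that this verifier does not address; it only establishes the Liferay user identity for the request.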

Fabian Bouché, modified 3 Years ago.

RE: Custom authentication for headless API

New Member Posts: 4 Join Date: 4/19/20 Recent Posts

Hi Andrej,

I've achieved what you're looking for. You can check a sample project over here: https://github.com/fabian-bouche-liferay/external-oauth

I've also talked to Carlos and I agree that RFC 8693 would be an easier solution to address this same requirement.

Whatever the path, bear in mind that the biggest effort when dealing with maintenance is going to be keeping the scopes synchronized between Liferay and your authorization server, to manage the permissions given to clients on the Liferay headless CMS objects.

If you were to use my current solution, please get back to me if you have any feedback. I'm not using it in a real project yet.

Kind regards,

Fabian