Liferay 7.0 and OAuth 2.0 SSO
We have an OAuth 2.0 identity provider and we need to authenticate users in our Liferay 7.0 using this IDP. I can't figure out where to add the Liferay configurations to set up an OAuth 2.0 IDP for SSO.
RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Vishnu,
Actually, OAuth 2 itself is not an IdP. It gives the authorization protocol, and beside that there may be an IdP. What is that IdP exactly? Could you please clarify more the environment you want to configure?
Thanks,
Zsigmond
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Zsigmond,
Our IDP is Keycloak and it's based on OAuth 2.0.
We want to set up Liferay as a service provider and provide an SSO experience for the users. When a user logs in to any of our apps, we'll not ask them to log in again in Liferay; Keycloak will serve as the IDP server, and it's OAuth 2.0 based.
I've found configs for SAML, OpenID, NTLM, etc., but not for OAuth 2.0.
Regards,
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Vishnu,
Without knowing more details, for example how your Keycloak is configured, I think the way you can go is to configure Keycloak as an OpenID Connect SSO provider for the portal and configure the apps for OAuth2 within the portal according to this doc: https://help.liferay.com/hc/en-us/articles/360018176491-OAuth-2-0
Have you seen that doc already?
Zsigmond
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Zsigmond,
Thanks for your answer. Just one more question. Suppose I configure a Liferay instance as an OAuth 2.0 based IDP as given in this link; how do I configure another Liferay instance for SSO?
Regards,
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Vishnu,
Do you mean that then a portal would be the IdP and not Keycloak?
A Liferay portal instance can be configured as an IdP in SAML.
If you mean how to configure Keycloak for the portal, I think it should be registered as an OpenID Connect provider.
If you elaborate more on the environment you want to set up in the end, I may give more precise help.
Regards,
Zsigmond
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Zsigmond,
Yes, I mean that the portal would be the IDP, but not in SAML; I can configure Liferay as an OAuth 2.0 based IDP.
The Liferay documentation says how to configure Liferay as an OAuth 2.0 based IDP, right? But it's missing any details regarding configuration to set up Liferay as a service provider of this IDP for SSO.
In the case of SAML, the documentation explains how to configure Liferay as an IDP and SP, but for OAuth 2.0 it doesn't say anything about setting up Liferay as a service provider against the portal IDP.
My final goal is that I need an OAuth 2.0 based SSO, so that when a user logs in to the Liferay IDP, that user will be automatically logged in on the other Liferay instance, which will be the service provider.
Regards,
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Vishnu,
Ok. Having an SSO or an IdP is a completely separate layer from OAuth2 authorization.
You can configure applications that can use OAuth2 for authorization within the portal, and then the portal will do the authorization process for them. With only this configured, the default portal login mechanism is used before checking whether the user with the given credentials can be authorized for the specific registered app.
If you want to use a different SSO or IdP from the default portal login mechanism, you need to set it up as an SSO or a SAML IdP for the portal.
A Liferay portal instance cannot be an SSO; a portal can only be set up as a SAML IdP.
I hope it helps.
Regards,
Zsigmond
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Vishnu,
Sorry, somehow I missed the notification of your reply and this discussion has only just come to my mind again.
I feel that we have some unclarified terminology differences here. I'm trying to write down mine, and you can say if it doesn't fit yours in any way.
The link in your previous comment is about how to register an app for OAuth2. Without any further configuration step, that is only about authorization to that registered app. Once clients want to access that app, they must also authenticate themselves.
This is where the IdP concept comes into the picture, which to me basically means the SAML IdP concept within the portal. Currently, that's the way the portal can be an IdP as well, beside being an authorization server for the registered app.
However, I'm not a big expert in that; Keycloak can be configured as an OpenID Connect provider for the portal instead, which means configuring Keycloak for the portal as an SSO.
You want to go for this latter configuration, right?
Unfortunately I don't have experience with that, but you can find documents that can help, for example this one: https://help.liferay.com/hc/en-us/articles/360024805271-Authenticating-with-OpenID-Connect
Does this help?
Am I still wrong with my understanding anyhow?
Regards,
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
Hi Vishnu,
If the doc that I shared in my previous post didn't help, you can also take a look at https://learn.liferay.com/dxp/latest/en/headless-delivery/using_oauth2.html. That is even better, as it is the latest documentation.
Regards,
RE: RE: Liferay 7.0 and OAuth 2.0 SSO
OAuth SP
Liferay DXP can act as an OAuth service provider (OAuth 2.0 Provider). This means that external applications can obtain access tokens from Liferay after authenticating themselves using client IDs and secrets issued by Liferay. These access tokens can then be used to access protected resources within Liferay's ecosystem (e.g., Liferay APIs).
OAuth IdP
If you want to use OAuth as an IdP, you should have an additional layer like OpenID.
OpenID Connect is a layer built on top of OAuth 2.0 that adds user authentication capabilities to the protocol. It allows OAuth clients to verify the identity of the user and obtain user information (e.g., name, email) in a standardized way.