Liferay 7.0 and OAuth 2.0 SSO

Vishnu S Kumar, modified 3 Years ago.

Liferay 7.0 and OAuth 2.0 SSO

Regular Member Posts: 131 Join Date: 7/28/17 Recent Posts

We have an OAuth 2.0 identity provider and we need to authenticate users in our Liferay 7.0 using this IDP. I can't figure out where to add the Liferay configurations to set up an OAuth 2.0 IDP for SSO.

Zsigmond Rab, modified 3 Years ago.

RE: Liferay 7.0 and OAuth 2.0 SSO

Liferay Master Posts: 728 Join Date: 1/5/10 Recent Posts

Hi Vishnu,

Actually, OAuth 2 itself is not an IdP. That gives the authorization protocol and beside that there may be an IdP. What is that IdP exactly? Could you please clarify more about the env you want to configure?

Thanks,

Zsigmond

Vishnu S Kumar, modified 3 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Regular Member Posts: 131 Join Date: 7/28/17 Recent Posts

Hi Zsigmond,

Our IDP is Keycloak and it's based on OAuth 2.0.

We want to set up Liferay as a service provider and, for the users, we provide an SSO experience. When a user logs in to any of our apps, we'll not ask them to log in again in Liferay, and Keycloak will serve as the IDP server and it's OAuth 2.0 based.

I've found configs for SAML, OpenID, NTLM, etc. but not for OAuth 2.0.

Regards,
Zsigmond Rab, modified 3 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Liferay Master Posts: 728 Join Date: 1/5/10 Recent Posts

Hi Vishnu,

Without knowing more details, for example, how your Keycloak is configured, I think the way to go is to configure Keycloak as an OpenID Connect SSO provider for the portal and configure the apps for OAuth2 within the portal according to this doc: https://help.liferay.com/hc/en-us/articles/360018176491-OAuth-2-0

Have you seen that doc already?

Zsigmond

Vishnu S Kumar, modified 3 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Regular Member Posts: 131 Join Date: 7/28/17 Recent Posts

Hi Zsigmond,

Thanks for your answer. Just one more question. Suppose I configure a Liferay instance as an OAuth 2.0 based IDP as given in this link, how do I configure another Liferay instance for SSO?

Regards,

Zsigmond Rab, modified 3 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Liferay Master Posts: 728 Join Date: 1/5/10 Recent Posts

Hi Vishnu,

Do you mean that then a portal would be the IdP and not the Keycloak?

A Liferay portal instance can be configured as an IdP in SAML.

If you mean how to configure Keycloak for the portal, I think that should be registered as an OpenID Connect provider.

If you elaborate more on the environment you want to set up in the end, I may give more precise help.

Regards,

Zsigmond

Vishnu S Kumar, modified 3 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Regular Member Posts: 131 Join Date: 7/28/17 Recent Posts

Hi Zsigmond,

Yes, I mean that the portal would be the IDP but not in SAML. I can configure Liferay as an OAuth 2.0 based IDP.

The Liferay documentation says how to configure Liferay as an OAuth 2.0 based IDP, right. But it's missing any details regarding the configuration to set up Liferay as a service provider of this IDP for SSO.

In the case of SAML, the documentation explains how to configure Liferay as an IDP and SP, but for OAuth 2.0 it doesn't say anything about setting up Liferay as a service provider against the portal IDP.

My final goal is that I need an OAuth 2.0 based SSO, so that when a user logs in to the Liferay IDP, that user will be automatically logged in on the other Liferay instance, which will be the service provider.

Regards,
Zsigmond Rab, modified 3 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Liferay Master Posts: 728 Join Date: 1/5/10 Recent Posts

Hi Vishnu,

Ok. Having an SSO or an IdP is a completely separate layer from OAuth2 authorization.

You can configure applications that can use OAuth2 for authorization within the portal and then the portal will do the authorization process for them. With only this configured, the default portal login mechanism is used before checking whether the user with the given credentials can be authorized for the specific, registered app.

If you want to use different SSO or IdP from the default portal login mechanism, you need to set up as an SSO or a SAML IdP for the portal.

A Liferay portal instance cannot be an SSO, a portal only can be set up as a SAML IdP.

I hope it helps.

Regards,

Zsigmond

Zsigmond Rab, modified 2 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Liferay Master Posts: 728 Join Date: 1/5/10 Recent Posts

Hi Vishnu,

Sorry, somehow I missed the notification of your reply and this discussion has come to my mind just now again.

I feel that we have some unclarified terminology differences here. I'm trying to write down mine and you can say if it doesn't fit yours in any way.

The link in your previous comment is about how to register an app for OAuth2. Without any further configuration step, that is only about authorization to that registered app. Once clients want to access that app, they must authenticate themselves also.

This is where the IdP concept comes into the picture which means basically SAML IdP concept to me within the portal. Currently, that's the way how the portal can be an IdP also beside being an authorization server also for the registered app.

However, I'm not a big expert in that, the Keycloak can be configured as an OpenId Connect provider for the portal instead, which means configuring the Keycloak for the portal as an SSO.

You want to go for this latter configuration, right?

Unfortunately I don't have experience with that, but you can find documents that can help, for example this one: https://help.liferay.com/hc/en-us/articles/360024805271-Authenticating-with-OpenID-Connect

Does this help?

Am I still wrong with my understanding anyhow?

Regards

Zsigmond Rab, modified 2 Years ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

Liferay Master Posts: 728 Join Date: 1/5/10 Recent Posts

Hi Vishnu,

If the doc that I shared in my previous post didn't help, you can also take a look at this one: https://learn.liferay.com/dxp/latest/en/headless-delivery/using_oauth2.html. That is even better as that is the latest documentation.

Regards,

Gnaniyar Zubair, modified 7 Months ago.

RE: RE: Liferay 7.0 and OAuth 2.0 SSO

New Member Post: 1 Join Date: 4/6/23 Recent Posts

OAuth SdP

Liferay DXP can act as an OAuth service provider (OAuth 2.0 Provider). This means that external applications can obtain access tokens from Liferay after authenticating themselves using client IDs and secrets issued by Liferay. These access tokens can then be used to access protected resources within Liferay's ecosystem (e.g., Liferay APIs). 

OAuth IdP

If you want to access OAuth as an IdP, you should have an additional layer like OpenID.
OpenID Connect is a layer built on top of OAuth 2.0 that adds user authentication capabilities to the protocol. It allows OAuth clients to verify the identity of the user and obtain user information (e.g., name, email) in a standardized way.