Alfresco discussion and collaboration. Stick around a few hours after asking a question.
Official support for Enterprise subscribers: support.alfresco.com.
Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Our you can use the IRC web chat.
More information about the channel is in the wiki.
More help is available in this list of resources.
2019-06-13 10:47:13 GMT <AFaust> angelborroy: Do you have any (still valid) links to ADF / ACA documentation regarding OpenID / Keycloak setup with ACS? I only find some APS stuff or release notes with outdated links
2019-06-13 10:48:13 GMT <angelborroy> let me see if I can find it
2019-06-13 10:48:26 GMT <AFaust> Found something on the builder network.... https://www.alfresco.com/abn/adf/docs/core/components/login.component/#single-sign-on-sso
2019-06-13 10:48:46 GMT <AFaust> Why the heck would some global configuration be documented only on the low-level UI component...
2019-06-13 10:51:09 GMT <angelborroy> https://alfresco-content-app.netlify.com/#/getting-started/sso
2019-06-13 10:51:10 GMT <alfbot> Title:Alfresco Content App (at alfresco-content-app.netlify.com)
2019-06-13 10:52:30 GMT <angelborroy> It’s more or less the same you found
2019-06-13 10:56:25 GMT <AFaust> Of course what is missing are any details on the Keycloak side of things, so its the same old "use AIS or die" approach...
2019-06-13 11:02:53 GMT <alfresco-discord> <dgradecak> would it be possible to use "AIS" with AOS especially with kerberos? any one tried it?
2019-06-13 11:03:54 GMT <angelborroy> I don’t think that Kerberos is supported
2019-06-13 11:06:04 GMT <alfresco-discord> <dgradecak> keycloack supports kerberos, but what exactly it does I have no clue
2019-06-13 11:06:24 GMT <angelborroy> I mean, supported by ADF / ACA / ADW
2019-06-13 11:06:44 GMT <alfresco-discord> <dgradecak> and of course the question is what alfresco supports, so if it does not it is an answer 😉
2019-06-13 11:08:36 GMT <alfresco-discord> <dgradecak> regarding ADF, it is completely apache v2 licensed? Even the componenets using "enterprise" endpoints right?
2019-06-13 11:08:49 GMT <angelborroy> yes
2019-06-13 11:08:58 GMT <alfresco-discord> <dgradecak> that is what I understoond from @Francesco Corti
2019-06-13 11:11:18 GMT <alfresco-discord> <dgradecak> I made a quick "experiment" using ADF proces services with the activiti concurrent, where I built a spring boot "adapter app" and my spring cloud feing library (not sure if I should say that)
2019-06-13 11:13:23 GMT <alfresco-discord> <dgradecak> btw, did you guys ever used samba AD with kerberos and alfresco?
2019-06-13 11:14:15 GMT <alfresco-discord> <dgradecak> I have an enterprise client wanting to do that but have no idea about samba ad and kerberos
2019-06-13 11:14:37 GMT <alfresco-discord> <dgradecak> do you know angel of anyone doing that with enterprise? or better not even try?
2019-06-13 11:25:43 GMT <angelborroy> Again, I don’t think that is supported
2019-06-13 11:25:50 GMT <angelborroy> For sure, it hasn’t be tested
2019-06-13 11:28:43 GMT <alfresco-discord> <Francesco Corti> Samba AD and Kerberos is not part of any pipeline or supported user story explicitly described.
2019-06-13 11:29:12 GMT <alfresco-discord> <Francesco Corti> Kerberos works with ADF (several installations I’m aware of)
2019-06-13 11:29:53 GMT <alfresco-discord> <Francesco Corti> Samba Ad.... don’t know honestly
2019-06-13 11:39:41 GMT <alfresco-discord> <dgradecak> bad news for them 😉 thank you FC
2019-06-13 12:19:49 GMT <AFaust> Is it normal for ACA to try and get a login ticket when I have configured OAUTH authentication?
2019-06-13 12:20:16 GMT <AFaust> I mean, "normal" in relation to whatever floats as normal with ADF / web dev these days...
2019-06-13 12:20:58 GMT <alfresco-discord> <dgradecak> I just erased what I wrote in regards to the "normal" comment
2019-06-13 12:21:13 GMT <alfresco-discord> <dgradecak> but you said it instead of me
2019-06-13 12:27:25 GMT <AFaust> I mean, I don't see in the (marginal) documentation what I should configure to disable that behaviour... I also don't see an explanation for 2 of the 3 redirectUri config parameters, so have just set them to something that made sense to me, but results in some weird redirect on logout...
2019-06-13 12:29:10 GMT <alfresco-discord> <dgradecak> honestly, I stoped trying for now with ACA and ADF. when I started I saw the documentation and was pretty amazed but I did not know much about Angular. Once I digged into Angular, ADF/ACA is just a nightmare to me right now. I hope it will become something different soon
2019-06-13 12:29:38 GMT <alfresco-discord> <dgradecak> I still digged into creating an ADF process app yesterday for my POC with flowable and ADF
2019-06-13 12:29:41 GMT <AFaust> It won't...
2019-06-13 12:30:03 GMT <alfresco-discord> <dgradecak> and what has been generated always triggered twice the same ajax request
2019-06-13 12:30:20 GMT <alfresco-discord> <dgradecak> fixable indeed but still ...
2019-06-13 12:30:34 GMT <AFaust> I just need it right now to show off the keycloak integration as a demo before I get the go-ahead for integrating keycloak with Share
2019-06-13 12:30:57 GMT <alfresco-discord> <dgradecak> well I made that integration, was working as far as I remember
2019-06-13 12:31:22 GMT <alfresco-discord> <dgradecak> but I did not use docker etc, was my own keycloack setup
2019-06-13 12:31:23 GMT <AFaust> You did it with a proxy-based solution, right?
2019-06-13 12:31:37 GMT <alfresco-discord> <Francesco Corti> @dgradecak interesting feedback about the double ajax calls. Would be nice if you raise a bug or something to help solving it (if confirmed asa an issue).
2019-06-13 12:31:57 GMT <AFaust> I have seen a couple of these around. I am interested more in a real integration with Share without any proxy shenanigans
2019-06-13 12:32:21 GMT <alfresco-discord> <dgradecak> well I did not touch share, just the repo and ACA with keycloack
2019-06-13 12:32:38 GMT <alfresco-discord> <dgradecak> no proxy ... what you mean exactly by proxy ?
2019-06-13 12:33:12 GMT <alfresco-discord> <dgradecak> I used to configure SAML through apache and external auth on alfresco, if that is what you mean
2019-06-13 12:35:03 GMT <alfresco-discord> <dgradecak> @Francesco Corti I will once I come back to ADF, will recheck it once the "next" extensions are done, seems it is postponed
2019-06-13 12:35:55 GMT <AFaust> Exactly, that is what I meant. I don't want any dependency on what type of front-facing web server is used.
2019-06-13 12:36:25 GMT <AFaust> Some of my customers have F5, some (may) use nginx (luckily none so far), others (most) use Apache
2019-06-13 12:36:30 GMT <alfresco-discord> <dgradecak> well I write quite a lot of spring boot apps with keycloack integration, should be doable in share I guess
2019-06-13 12:37:20 GMT <AFaust> Sure it is doable. I just have to show a basic demo of the keycloak integration with Azure AD in this customers test environment first, before I can do that (and bill the hours)
2019-06-13 12:38:00 GMT <alfresco-discord> <dgradecak> so why ADF/ACA?
2019-06-13 12:39:11 GMT <AFaust> Because that is the only app with a decent UI in that customer's test environment that provides keycloak integration out-of-the-box (with ACS 6 in the background)
2019-06-13 12:39:38 GMT <AFaust> We don't use ACA for nothing at this point - only keep it around for any potential demo needs...
2019-06-13 12:40:00 GMT <AFaust> Great... I sound like an American hillbilly with the double negation...
2019-06-13 12:40:31 GMT <alfresco-discord> <dgradecak> hehe, I had a tripple negation to my son this morning ...
2019-06-13 12:41:04 GMT <AFaust> Hah... great. Just realised the ACA entrypoint.sh can fail to process env parameters and ignore the error code - you'll just randomly see some redirects using the wrong URL...
2019-06-13 12:41:44 GMT <alfresco-discord> <dgradecak> aha you are using the docker image also?
2019-06-13 12:41:58 GMT <alfresco-discord> <dgradecak> I usually just run "npm start"
2019-06-13 12:46:04 GMT <AFaust> Well, npm still has a lifelong ban on my (bare machine) environments...
2019-06-13 12:51:55 GMT <alfresco-discord> <dgradecak> I heard, people are talking 😉
2019-06-13 12:58:14 GMT <AFaust> Ok - with regard to the ticket request, it looks like that is by design deep in the alfresco-js-api, which wants to exchange the OAUTH token with the a ticket.
2019-06-13 12:58:42 GMT <AFaust> I guess I'll just have to live with that stray HTTP 400 error and the garbage it puts in my console...
2019-06-13 12:59:30 GMT <AFaust> Looks like an issue with the ACS 6.0.7 GA Public v1 ReST API that can deal with the OAUTH token for all other requests apart from the ticket one...
2019-06-13 13:15:27 GMT <AFaust> dgradecak: Do you know if one can configure multiple trust store providers in Keycloak? All documentation I found so far only ever talks of one custom store.
2019-06-13 13:16:19 GMT <AFaust> Might have to copy cacert store otherwise, just to add my single Azure AD cert as trusted if I can't make default cacert also be used in addition to my current custom trust store.
2019-06-13 13:27:21 GMT <alfresco-discord> <dgradecak> hm ... unfortunately I do not know that
2019-06-13 13:31:17 GMT <AFaust> Tried by just providing a second provider - no change to my problem. Last week, Keycloak auth via Azure OpenID worked fine, now there is some SSL handshake issue, and I still have not figured out with which cert...
2019-06-13 13:33:10 GMT <alfresco-discord> <dgradecak> but you imported all the keys in jvm keystore?
2019-06-13 13:37:32 GMT <AFaust> My custom cert for my Azure AD LDAPS is in a custom keystore - and apparently that still works as periodic synch ran just a while ago.
2019-06-13 13:39:05 GMT <AFaust> I modified keyclaok standalone-ha.xml to reference my custom keystore for LDAPS. That worked last week, still with OpenID. 10 minutes ago I also added the default cacerts keystore as a second truststore provide in the standalone-ha.xml of Keycloak
2019-06-13 13:39:46 GMT <AFaust> That should contain all the relevant CAs used by Microsoft to issue their certs for their OpenID API
2019-06-13 13:40:22 GMT <AFaust> Currently trying to figure out how I can pass a JVM parameter to Keycloak (without doing any more customisations to the base image)
2019-06-13 13:40:30 GMT <alfresco-discord> <dgradecak> I did not check my azure stuff for a while and just wnt to create an app key and read this :
2019-06-13 13:40:55 GMT <alfresco-discord> <dgradecak> "We will no longer support registering and managing converged and Azure AD applications here starting May 2019" but seems all the configured stuff are there
2019-06-13 13:42:28 GMT <AFaust> Ah, you are looking at the "app registrations (legacy)" section
2019-06-13 13:42:56 GMT <AFaust> I already set up my stuff using the new section without "(legacy)" suffix
2019-06-13 13:43:31 GMT <alfresco-discord> <dgradecak> than that is not it;) yes I was looking at the legacy
2019-06-13 13:43:46 GMT <alfresco-discord> <dgradecak> maybe your key changed or so ... no idea like this
2019-06-13 13:44:23 GMT <AFaust> Well, the error is very specifically about the SSL handshake, so I am focussing on that.
2019-06-13 13:47:11 GMT <alfresco-discord> <dgradecak> not sure if some command line tools could be use to test that with Azure
2019-06-13 13:47:33 GMT <alfresco-discord> <dgradecak> but that is what I usally do on AD installations and ldaps
2019-06-13 13:52:02 GMT <alfresco-discord> <dgradecak> I hope the key did not expire btw 😉
2019-06-13 13:52:49 GMT <AFaust> Ok - rebuilt the Docker image and injected -Djavax.net.debug=all into JVM parameters. So technically, you can have multiple truststore providers, but there is no failover / fallback handling in Keycloak. The truststore you configure must have everything - default CAs + any custom certs.
2019-06-13 13:53:05 GMT <AFaust> And it was indeed a default Microsoft cert that failed to validate.
2019-06-13 13:53:23 GMT <AFaust> The error was just thrown up the callstack without fallback to second truststore.
2019-06-13 13:54:04 GMT <AFaust> Right, going to have to script a "copy cacert + merge with my certs" automation then.
2019-06-13 13:55:49 GMT <alfresco-discord> <dgradecak> if it is just for testing purposes, why not change keycloack's config to use only your keystore ?
2019-06-13 13:57:55 GMT <AFaust> That is what I intend. I just have to merge cacert into my keystore.
2019-06-13 13:58:47 GMT <alfresco-discord> <dgradecak> in the entry script just keytool -importkeystore with source and dest might do it
2019-06-13 13:58:56 GMT <AFaust> And since that is going to be the basis for all future work (and I may have to add additional custom certs, e.g. for customer's Azure), I'll try to automate it right away.
2019-06-13 13:58:58 GMT <alfresco-discord> <dgradecak> let me know so I will remember this one
2019-06-13 14:00:31 GMT <AFaust> Hmm... wondering. Since this is an isolated Docker container, it would actually not hurt too bad to merge my keystore (mounted as read-only) into cacerts, than the other way around (which would not work due to read-only-ness)
2019-06-13 14:07:05 GMT <alfresco-discord> <dgradecak> should be fine I guess
The other logs are at http://esplins.org/hash_alfresco