Daily Log for #alfresco IRC Channel


2019-06-13 10:47:13 GMT <AFaust> angelborroy: Do you have any (still valid) links to ADF / ACA documentation regarding OpenID / Keycloak setup with ACS? I only find some APS stuff or release notes with outdated links

2019-06-13 10:48:13 GMT <angelborroy> let me see if I can find it

2019-06-13 10:48:26 GMT <AFaust> Found something on the builder network.... https://www.alfresco.com/abn/adf/docs/core/components/login.component/#single-sign-on-sso

2019-06-13 10:48:46 GMT <AFaust> Why the heck would some global configuration be documented only on the low-level UI component...

2019-06-13 10:51:09 GMT <angelborroy> https://alfresco-content-app.netlify.com/#/getting-started/sso

2019-06-13 10:51:10 GMT <alfbot> Title: Alfresco Content App (at alfresco-content-app.netlify.com)

2019-06-13 10:52:30 GMT <angelborroy> It’s more or less the same you found

2019-06-13 10:56:25 GMT <AFaust> Of course what is missing are any details on the Keycloak side of things, so it's the same old "use AIS or die" approach...

2019-06-13 11:02:53 GMT <alfresco-discord> <dgradecak> would it be possible to use "AIS" with AOS especially with kerberos? anyone tried it?

2019-06-13 11:03:54 GMT <angelborroy> I don’t think that Kerberos is supported

2019-06-13 11:06:04 GMT <alfresco-discord> <dgradecak> keycloak supports kerberos, but what exactly it does I have no clue

2019-06-13 11:06:24 GMT <angelborroy> I mean, supported by ADF / ACA / ADW

2019-06-13 11:06:44 GMT <alfresco-discord> <dgradecak> and of course the question is what alfresco supports, so if it does not it is an answer 😉

2019-06-13 11:08:36 GMT <alfresco-discord> <dgradecak> regarding ADF, it is completely apache v2 licensed? Even the components using "enterprise" endpoints right?

2019-06-13 11:08:49 GMT <angelborroy> yes

2019-06-13 11:08:58 GMT <alfresco-discord> <dgradecak> that is what I understood from @Francesco Corti

2019-06-13 11:11:18 GMT <alfresco-discord> <dgradecak> I made a quick "experiment" using ADF process services with the activiti concurrent, where I built a spring boot "adapter app" and my spring cloud feign library (not sure if I should say that)

2019-06-13 11:13:23 GMT <alfresco-discord> <dgradecak> btw, did you guys ever use samba AD with kerberos and alfresco?

2019-06-13 11:14:15 GMT <alfresco-discord> <dgradecak> I have an enterprise client wanting to do that but have no idea about samba ad and kerberos

2019-06-13 11:14:37 GMT <alfresco-discord> <dgradecak> do you know angel of anyone doing that with enterprise? or better not even try?

2019-06-13 11:25:43 GMT <angelborroy> Again, I don’t think that is supported

2019-06-13 11:25:50 GMT <angelborroy> For sure, it hasn’t been tested

2019-06-13 11:28:43 GMT <alfresco-discord> <Francesco Corti> Samba AD and Kerberos is not part of any pipeline or supported user story explicitly described.

2019-06-13 11:29:12 GMT <alfresco-discord> <Francesco Corti> Kerberos works with ADF (several installations I’m aware of)

2019-06-13 11:29:53 GMT <alfresco-discord> <Francesco Corti> Samba AD.... don’t know honestly

2019-06-13 11:39:41 GMT <alfresco-discord> <dgradecak> bad news for them 😉 thank you FC

2019-06-13 12:19:49 GMT <AFaust> Is it normal for ACA to try and get a login ticket when I have configured OAUTH authentication?

2019-06-13 12:20:16 GMT <AFaust> I mean, "normal" in relation to whatever floats as normal with ADF / web dev these days...

2019-06-13 12:20:58 GMT <alfresco-discord> <dgradecak> I just erased what I wrote in regards to the "normal" comment

2019-06-13 12:21:13 GMT <alfresco-discord> <dgradecak> but you said it instead of me

2019-06-13 12:27:25 GMT <AFaust> I mean, I don't see in the (marginal) documentation what I should configure to disable that behaviour... I also don't see an explanation for 2 of the 3 redirectUri config parameters, so have just set them to something that made sense to me, but results in some weird redirect on logout...

2019-06-13 12:29:10 GMT <alfresco-discord> <dgradecak> honestly, I stopped trying for now with ACA and ADF. when I started I saw the documentation and was pretty amazed but I did not know much about Angular. Once I dug into Angular, ADF/ACA is just a nightmare to me right now. I hope it will become something different soon

2019-06-13 12:29:38 GMT <alfresco-discord> <dgradecak> I still dug into creating an ADF process app yesterday for my POC with flowable and ADF

2019-06-13 12:29:41 GMT <AFaust> It won't...

2019-06-13 12:30:03 GMT <alfresco-discord> <dgradecak> and what has been generated always triggered the same ajax request twice

2019-06-13 12:30:20 GMT <alfresco-discord> <dgradecak> fixable indeed but still ...

2019-06-13 12:30:34 GMT <AFaust> I just need it right now to show off the keycloak integration as a demo before I get the go-ahead for integrating keycloak with Share

2019-06-13 12:30:57 GMT <alfresco-discord> <dgradecak> well I made that integration, was working as far as I remember

2019-06-13 12:31:22 GMT <alfresco-discord> <dgradecak> but I did not use docker etc, was my own keycloak setup

2019-06-13 12:31:23 GMT <AFaust> You did it with a proxy-based solution, right?

2019-06-13 12:31:37 GMT <alfresco-discord> <Francesco Corti> @dgradecak interesting feedback about the double ajax calls. Would be nice if you raise a bug or something to help solving it (if confirmed as an issue).

2019-06-13 12:31:57 GMT <AFaust> I have seen a couple of these around. I am interested more in a real integration with Share without any proxy shenanigans

2019-06-13 12:32:21 GMT <alfresco-discord> <dgradecak> well I did not touch share, just the repo and ACA with keycloak

2019-06-13 12:32:38 GMT <alfresco-discord> <dgradecak> no proxy ... what do you mean exactly by proxy?

2019-06-13 12:33:12 GMT <alfresco-discord> <dgradecak> I used to configure SAML through apache and external auth on alfresco, if that is what you mean

2019-06-13 12:35:03 GMT <alfresco-discord> <dgradecak> @Francesco Corti I will once I come back to ADF, will recheck it once the "next" extensions are done, seems it is postponed

2019-06-13 12:35:55 GMT <AFaust> Exactly, that is what I meant. I don't want any dependency on what type of front-facing web server is used.

2019-06-13 12:36:25 GMT <AFaust> Some of my customers have F5, some (may) use nginx (luckily none so far), others (most) use Apache

2019-06-13 12:36:30 GMT <alfresco-discord> <dgradecak> well I write quite a lot of spring boot apps with keycloak integration, should be doable in share I guess

2019-06-13 12:37:20 GMT <AFaust> Sure it is doable. I just have to show a basic demo of the keycloak integration with Azure AD in this customer's test environment first, before I can do that (and bill the hours)

2019-06-13 12:38:00 GMT <alfresco-discord> <dgradecak> so why ADF/ACA?

2019-06-13 12:39:11 GMT <AFaust> Because that is the only app with a decent UI in that customer's test environment that provides keycloak integration out-of-the-box (with ACS 6 in the background)

2019-06-13 12:39:38 GMT <AFaust> We don't use ACA for nothing at this point - only keep it around for any potential demo needs...

2019-06-13 12:40:00 GMT <AFaust> Great... I sound like an American hillbilly with the double negation...

2019-06-13 12:40:31 GMT <alfresco-discord> <dgradecak> hehe, I had a triple negation to my son this morning ...

2019-06-13 12:41:04 GMT <AFaust> Hah... great. Just realised the ACA entrypoint.sh can fail to process env parameters and ignore the error code - you'll just randomly see some redirects using the wrong URL...

2019-06-13 12:41:44 GMT <alfresco-discord> <dgradecak> aha you are using the docker image also?

2019-06-13 12:41:58 GMT <alfresco-discord> <dgradecak> I usually just run "npm start"

2019-06-13 12:46:04 GMT <AFaust> Well, npm still has a lifelong ban on my (bare machine) environments...

2019-06-13 12:51:55 GMT <alfresco-discord> <dgradecak> I heard, people are talking 😉

2019-06-13 12:58:14 GMT <AFaust> Ok - with regard to the ticket request, it looks like that is by design deep in the alfresco-js-api, which wants to exchange the OAUTH token for a ticket.

2019-06-13 12:58:42 GMT <AFaust> I guess I'll just have to live with that stray HTTP 400 error and the garbage it puts in my console...

2019-06-13 12:59:30 GMT <AFaust> Looks like an issue with the ACS 6.0.7 GA Public v1 ReST API that can deal with the OAUTH token for all other requests apart from the ticket one...

2019-06-13 13:15:27 GMT <AFaust> dgradecak: Do you know if one can configure multiple trust store providers in Keycloak? All documentation I found so far only ever talks of one custom store.

2019-06-13 13:16:19 GMT <AFaust> Might have to copy cacert store otherwise, just to add my single Azure AD cert as trusted if I can't make default cacert also be used in addition to my current custom trust store.

2019-06-13 13:27:21 GMT <alfresco-discord> <dgradecak> hm ... unfortunately I do not know that

2019-06-13 13:31:17 GMT <AFaust> Tried by just providing a second provider - no change to my problem. Last week, Keycloak auth via Azure OpenID worked fine, now there is some SSL handshake issue, and I still have not figured out with which cert...

2019-06-13 13:33:10 GMT <alfresco-discord> <dgradecak> but you imported all the keys in jvm keystore?

2019-06-13 13:37:32 GMT <AFaust> My custom cert for my Azure AD LDAPS is in a custom keystore - and apparently that still works as periodic synch ran just a while ago.

2019-06-13 13:39:05 GMT <AFaust> I modified keycloak standalone-ha.xml to reference my custom keystore for LDAPS. That worked last week, still with OpenID. 10 minutes ago I also added the default cacerts keystore as a second truststore provider in the standalone-ha.xml of Keycloak

2019-06-13 13:39:46 GMT <AFaust> That should contain all the relevant CAs used by Microsoft to issue their certs for their OpenID API

2019-06-13 13:40:22 GMT <AFaust> Currently trying to figure out how I can pass a JVM parameter to Keycloak (without doing any more customisations to the base image)

2019-06-13 13:40:30 GMT <alfresco-discord> <dgradecak> I did not check my azure stuff for a while and just went to create an app key and read this :

2019-06-13 13:40:55 GMT <alfresco-discord> <dgradecak> "We will no longer support registering and managing converged and Azure AD applications here starting May 2019" but seems all the configured stuff is there

2019-06-13 13:42:28 GMT <AFaust> Ah, you are looking at the "app registrations (legacy)" section

2019-06-13 13:42:56 GMT <AFaust> I already set up my stuff using the new section without "(legacy)" suffix

2019-06-13 13:43:31 GMT <alfresco-discord> <dgradecak> then that is not it ;) yes I was looking at the legacy

2019-06-13 13:43:46 GMT <alfresco-discord> <dgradecak> maybe your key changed or so ... no idea like this

2019-06-13 13:44:23 GMT <AFaust> Well, the error is very specifically about the SSL handshake, so I am focussing on that.

2019-06-13 13:47:11 GMT <alfresco-discord> <dgradecak> not sure if some command line tools could be used to test that with Azure

2019-06-13 13:47:33 GMT <alfresco-discord> <dgradecak> but that is what I usually do on AD installations and ldaps

2019-06-13 13:52:02 GMT <alfresco-discord> <dgradecak> I hope the key did not expire btw 😉

2019-06-13 13:52:49 GMT <AFaust> Ok - rebuilt the Docker image and injected -Djavax.net.debug=all into JVM parameters. So technically, you can have multiple truststore providers, but there is no failover / fallback handling in Keycloak. The truststore you configure must have everything - default CAs + any custom certs.

2019-06-13 13:53:05 GMT <AFaust> And it was indeed a default Microsoft cert that failed to validate.

2019-06-13 13:53:23 GMT <AFaust> The error was just thrown up the callstack without fallback to second truststore.

2019-06-13 13:54:04 GMT <AFaust> Right, going to have to script a "copy cacert + merge with my certs" automation then.

2019-06-13 13:55:49 GMT <alfresco-discord> <dgradecak> if it is just for testing purposes, why not change keycloak's config to use only your keystore ?

2019-06-13 13:57:55 GMT <AFaust> That is what I intend. I just have to merge cacert into my keystore.

2019-06-13 13:58:47 GMT <alfresco-discord> <dgradecak> in the entry script just keytool -importkeystore with source and dest might do it

2019-06-13 13:58:56 GMT <AFaust> And since that is going to be the basis for all future work (and I may have to add additional custom certs, e.g. for customer's Azure), I'll try to automate it right away.

2019-06-13 13:58:58 GMT <alfresco-discord> <dgradecak> let me know so I will remember this one

2019-06-13 14:00:31 GMT <AFaust> Hmm... wondering. Since this is an isolated Docker container, it would actually not hurt too bad to merge my keystore (mounted as read-only) into cacerts, than the other way around (which would not work due to read-only-ness)

2019-06-13 14:07:05 GMT <alfresco-discord> <dgradecak> should be fine I guess
