Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2019-06-14 07:01:42 GMT <alfresco-discord> <MariusGrunenberg> Sorry to ask again, but I am currently trying to retrieve the Favourites of a person and display custom columns based on the properties using the Content App. However it is not possible because the REST API call to get Favourites does not return properties or aspectNames. Even when using include or fields. Is there another way to get them with properties/aspectNames? I don't want to execute

2019-06-14 07:01:42 GMT <alfresco-discord> an additional Rest call for every favourite entry, just to get the properties

2019-06-14 07:16:45 GMT <alfresco-discord> <Francesco Corti> Hi @MariusGrunenberg, there is more than one story around this in the ADF board. Unfortunately without a REST endpoint available to do this, we are all without a solution. As usual: I'm not blaming anyone, because they are trying to run fast behind all the thousands of things to do.

2019-06-14 10:43:58 GMT <alfresco-discord> <drazen04> Hi guys. Someone knows how to persist (if there are multiple assignees in a review task) comments (bpm:comment) at the end of vote??

2019-06-14 10:44:45 GMT <alfresco-discord> <dgradecak> just like a normal variable. Each task would have a single assignee right?

2019-06-14 10:45:24 GMT <alfresco-discord> <drazen04> No, multiple assignees for single task

2019-06-14 10:45:48 GMT <alfresco-discord> <dgradecak> is that a multi instance task?

2019-06-14 10:45:54 GMT <alfresco-discord> <drazen04> yes

2019-06-14 10:46:02 GMT <alfresco-discord> <dgradecak> so it is one assignee per task

2019-06-14 10:46:37 GMT <alfresco-discord> <drazen04> Yes, I didn't understand

2019-06-14 10:49:38 GMT <alfresco-discord> <drazen04> For task i mean a step of workflow.

2019-06-14 11:35:47 GMT <alfresco-discord> <kanat> @drazen04 Hi, bpm:comment save for each task

2019-06-14 11:37:44 GMT <alfresco-discord> <drazen04> Hi👋

2019-06-14 11:38:53 GMT <alfresco-discord> <drazen04> I made it creating a global variable because bpm:comment is a local variable

2019-06-14 11:39:40 GMT <alfresco-discord> <kanat> 👌

2019-06-14 12:04:24 GMT <alfresco-discord> <yreg> Ouf, Salaboy is quitting Alfresco, I wonder how activiti (the opensource variant) will turn out !!

2019-06-14 12:06:20 GMT <angelborroy> I’m wondering the same thing...

2019-06-14 12:18:17 GMT <AFaust> Argh... why do my Azure OpenID tokens not contain upn, mail etc.... ?

2019-06-14 12:18:44 GMT <AFaust> dgradecak: merging of truststores solved the problem from yesterday - now on to the next issues...

2019-06-14 12:19:27 GMT <angelborroy> AFaust I don’t know if this helps, but take a look at https://github.com/folcina/alfresco-in-azure

2019-06-14 12:19:29 GMT <alfbot> Title:GitHub - folcina/alfresco-in-azure: Alfresco Enterprise 6.1 in Azure (deployment based in VMs) (at github.com)

2019-06-14 12:19:49 GMT <angelborroy> I didn’t check it, just remembered it’s a deployment of ACS in Azure

2019-06-14 12:20:36 GMT <AFaust> Too bad they don't use keycloak in there...

2019-06-14 12:21:06 GMT <AFaust> and then have keycloak integrated with Azure AD.... essentially it's just an automated Azure VM deployment for ACS

2019-06-14 12:22:07 GMT <angelborroy> I told you, I even didn’t read it :D

2019-06-14 12:24:31 GMT <AFaust> yreg: Oh boy... I believe that means APS 2.x will not be out before the new Berlin airport opens...

2019-06-14 12:25:12 GMT <angelborroy> Eugenio Romano is leading now the project

2019-06-14 12:25:35 GMT <angelborroy> I’m confident, but I have no news about the release of APS 2.x

2019-06-14 12:27:17 GMT <angelborroy> -= THIS MESSAGE NOT LOGGED =-

2019-06-14 12:32:48 GMT <AFaust> No way.. you don't say...

2019-06-14 12:34:20 GMT <angelborroy> Did you notice? Weird… ;D

2019-06-14 12:35:08 GMT <angelborroy> But I’m very happy with my Yeoman Generator producing 21 different configurations for ACS + SS

2019-06-14 12:35:21 GMT <angelborroy> I was awarded as the “most innovative” project in the last month

2019-06-14 12:35:23 GMT <angelborroy> :)

2019-06-14 12:35:52 GMT <alfresco-discord> <dgradecak> good start then

2019-06-14 12:36:32 GMT *** jelly-home is now known as jelly

2019-06-14 12:37:16 GMT <angelborroy> I decided I will produce a version of this generator for ACS Community

2019-06-14 12:37:23 GMT <angelborroy> Focused on newbies

2019-06-14 12:37:30 GMT <angelborroy> Just trying to replace the old installer

2019-06-14 12:37:31 GMT <alfresco-discord> <dgradecak> AFaust: tokens etc ... for Okta I have to configure "custom" properties/fields that will be in the token, not sure for Azure really

2019-06-14 12:38:35 GMT <AFaust> I am already reading through Azure documentation on "optionalClaims" and editing the app manifest in Azure portal, but so far I have not been able to get any additional details in the token (at least from what Keycloak debug logging shows me)

2019-06-14 12:39:05 GMT <AFaust> I only ever get the full name, technical ID, and some URL reference to the default avatar of the user, nothing more...

2019-06-14 12:40:16 GMT <alfresco-discord> <dgradecak> maybe you should also map them in Keycloak? It was not that easy to configure custom properties from Keycloak to spring boot either

2019-06-14 12:40:22 GMT <AFaust> My problem is that the technical ID of course does not map to the upn that I synched via LDAPS, so the accounts are not automatically linked upon first login. And due to lack of email in token, I cannot pre-map that to ensure proper linking, having to rely on user to provide the email (if they don't, I'll have redundant accounts)

2019-06-14 12:40:24 GMT <alfresco-discord> <dgradecak> I mean spring security

2019-06-14 12:40:49 GMT <AFaust> I already have configured mappers in Keycloak - but they don't get any data from Azure, that's the problem.

2019-06-14 12:57:30 GMT <alfresco-discord> <dgradecak> unfortunately it seems you are the first one doing this (at least in our community) 😉

2019-06-14 12:58:00 GMT <alfresco-discord> <dgradecak> however, if you will tackle share + Keycloak I am interested to work on that with you

2019-06-14 13:00:23 GMT <alfresco-discord> <dgradecak> but for your issue with azure, I hope it is not a problem where you need to regenerate the token or so ... as far as I remember with other providers when adding a custom claim then a "regenerate" was needed

2019-06-14 13:12:18 GMT <AFaust> Ok - so one thing I figured out: Keycloak does not request the "id_token", only the "code", which naturally contains a different (minimal) payload. Unfortunately, there is no config option to make Keycloak request something else...

2019-06-14 13:18:07 GMT <alfresco-discord> <dgradecak> can't you change the claims for that "minimal" payload?

2019-06-14 13:24:45 GMT <AFaust> Not that I have found. Even when I manually issue HTTP requests to get the id_token do I not get everything which I have configured in Azure as claims - I do finally have the UPN, but am missing mail and first/last names

2019-06-14 13:36:20 GMT <alfresco-discord> <dgradecak> refresh time in azure if you configured them later? but we have a saying :"if you wait long enough, the problem gets solved by its own"

2019-06-14 13:36:38 GMT <alfresco-discord> <dgradecak> usually politicians act like that 😉 you could try

2019-06-14 13:37:17 GMT <alfresco-discord> <dgradecak> I am struggling with ADF and process services components right now on my side and I can tell you it is not a winning situation at all

2019-06-14 14:20:57 GMT <alfresco-discord> <IanW> I've also been struggling with ADF and community activiti - have parked it for the moment but we've got a lot of process work potentially coming up soon (I have the example activiti cloud stuff working with postman but the ADF components don't use the same endpoints! - need to check if there has been a new release since I last looked....) I guess it's not sensible to use the embedded engine for new stuff

2019-06-14 14:59:28 GMT <alfresco-discord> <dgradecak> well, I generated the process services from the generator and it uses many endpoints /enterprise/* for now I am just adding server side responses to fulfill those endpoints, but I guess there will be many changes. Although I understand it is just a sample app, but there are so many issues that I find it strange. Cannot wait for the next ADF release 😉

2019-06-14 15:00:24 GMT <alfresco-discord> <dgradecak> I am also trying the components in a separate Angular App and simply the documentation does not "reflect" how it really works, maybe those kind of things were not tested

2019-06-14 15:04:08 GMT <alfresco-discord> <dgradecak> I just learned on the gitter ACA channel, that the docs reflect the latest development branch and not the current release version

2019-06-14 15:09:09 GMT <alfresco-discord> <IanW> Also thought about trying the components in a separate app - didn't have that much time but wasn't as easy as I'd hoped (trying content rather than process this time) - will probably try again at some point but might be easier to do it the other way around

2019-06-14 15:10:50 GMT <alfresco-discord> <dgradecak> I was in the same position and decided to get hands on Angular rather on ADF

2019-06-14 15:13:45 GMT <AFaust> Ok - giving up on the Keycloak and Azure AD with both LDAPS + OIDC. Using Keycloak only for OIDC with simple user name now, which will be mapped in Alfresco will LDAPS the user + group details. Only downside: I can no longer use LDAP groups to filter access to various apps/clients in Keycloak itself...

2019-06-14 15:16:10 GMT <alfresco-discord> <dgradecak> does not sound good 😉

2019-06-14 15:16:24 GMT <AFaust> My impression: Keycloak (current version) has several gaps in OIDC config options (no way to specify response type) and several bugs in linking LDAP + OIDC credentials into one account (forces verification of email even despite me having disabled that globally, fails on implicit verification form reauth since user obviously has no local credentials)

2019-06-14 15:17:39 GMT <alfresco-discord> <dgradecak> wouldn't that kind of customization be easier without docker?

2019-06-14 15:17:39 GMT <AFaust> Azure AD also has shortcoming in that you cannot set up user accounts with a "mail" attribute, which obviously makes your mapping in LDAP clients like Keycloak weird, where you have to hack a upn=>email mapping

2019-06-14 15:18:24 GMT <alfresco-discord> <dgradecak> and you would need to develop a custom mapper for that?

2019-06-14 15:18:25 GMT <AFaust> dgradecak: Has nothing to do with Docker. Shortcomings are in the Java code - regardless of how I run it (Docker or bare host)

2019-06-14 15:19:02 GMT <alfresco-discord> <dgradecak> just questioning, as my self when I have to dig like that I do not like to use docker

2019-06-14 15:19:52 GMT <AFaust> That's where the public GitHub repository for Keycloak helps...

2019-06-14 15:21:15 GMT <AFaust> Either way - I was working with Keycloak under the assumption that it is a stable product that should have already been able to deal with stuff like "linking accounts" without issues for years.

2019-06-14 15:21:38 GMT <alfresco-discord> <dgradecak> I guess you need to use AIS for a stable product 😉

2019-06-14 15:21:39 GMT <alfresco-discord> <IanW> I ought to take a look at Keycloak delegating to CAS but can't quite face it yet - I think Share still isn't working with Keycloak/AIS?

2019-06-14 15:21:40 GMT <AFaust> Maybe I'll do another try with an earlier version..

2019-06-14 15:21:57 GMT <alfresco-discord> <dgradecak> which one did you use btw?

2019-06-14 15:22:28 GMT <AFaust> IanW: No, not out of the box. But that would be one of my next tasks once I have this demo working for my customer - which I had hoped to finish today, but nope...

2019-06-14 15:22:46 GMT <AFaust> dgradecak: Latest and greatest -> 6.0.1

2019-06-14 15:23:05 GMT <alfresco-discord> <dgradecak> aha ... that is quite advanced

2019-06-14 15:23:10 GMT <AFaust> I mean, they are just as insane as Google and Mozilla with their Browser versions...

2019-06-14 15:23:17 GMT <alfresco-discord> <dgradecak> does Azure support SAML?

2019-06-14 15:23:22 GMT <AFaust> 5.0 was released in March, 6.0 in April

2019-06-14 15:25:11 GMT <AFaust> Azure supports SAML 2.0 / OpenID Connect

2019-06-14 15:25:30 GMT <alfresco-discord> <dgradecak> with saml it is "quite easy" to expose custom attributes and get them maybe that would work for your case?

2019-06-14 15:26:20 GMT <AFaust> The core issue is: The Azure AD itself does not provide any field for email to be maintained. And using LDAPS I was denied to create / set that field at a low level, despite granting full access to my LDAP user

2019-06-14 15:26:29 GMT <alfresco-discord> <dgradecak> I did that setup OKTA - SAML - Keycloak - spring boot

2019-06-14 15:26:41 GMT <AFaust> The email field apparently is only available if you use O365 as well.

2019-06-14 15:26:47 GMT <alfresco-discord> <dgradecak> aha

2019-06-14 15:27:05 GMT <AFaust> Typical Microsoft hard-coding use cases around their products.

2019-06-14 15:27:22 GMT <alfresco-discord> <dgradecak> but email ...

2019-06-14 15:27:32 GMT <alfresco-discord> <dgradecak> a bit stupid to "deny" that field

2019-06-14 15:27:58 GMT <alfresco-discord> <dgradecak> are you sure it is not mapped to something else that you did not expect?

2019-06-14 15:28:05 GMT <AFaust> Or maybe I just need to pay more in my Azure subscription (e.g. upgrade to Premium) to be able to use that field...

2019-06-14 15:28:39 GMT <AFaust> Well, I found an email field in Azure portal for some authentication stuff, and did set it to the value I wanted. Still, did not turn up in LDAP or OIDC token.

2019-06-14 15:30:35 GMT <AFaust> There is also an "alternative email address" in the "authentication methods" section of my Azure user, but that is also not exposed in LDAP / OIDC

2019-06-14 15:31:07 GMT <alfresco-discord> <dgradecak> then nothing to say but "bad luck" 😃

2019-06-14 15:31:10 GMT <AFaust> Believe me, in the last 6 hours I have gone through all the UI screens I could find in Azure portal...

2019-06-14 15:32:00 GMT <alfresco-discord> <IanW> At devcon we were given a clear message to only use the bundled keycloak not to try with a different version iirc AIS wouldn't work with a slightly earlier version

2019-06-14 15:32:45 GMT <alfresco-discord> <dgradecak> well right now Alfresco did not customize Keycloak, at least that is what I understood

2019-06-14 15:32:45 GMT <AFaust> AIS is currently nothing more than a slightly preconfigured out-of-the-box Keycloak instance.

2019-06-14 15:33:01 GMT <alfresco-discord> <dgradecak> just a quite old version

2019-06-14 15:33:09 GMT <AFaust> And all the issues I have now you would also have with AIS if you tried to integrate it with Azure AD

2019-06-14 15:33:26 GMT <AFaust> (unless the old version does not have the same issues)

2019-06-14 15:33:42 GMT <AFaust> ... that's why I was contemplating testing with an older version as well.

2019-06-14 15:33:46 GMT <alfresco-discord> <dgradecak> like with ADF, it is still with version 7.0.3 of angular (at least adf 3.2.1) but I guess it will work on ng 8

2019-06-14 15:34:00 GMT <alfresco-discord> <IanW> Haven't used Azure yet but gcloud and aws sometimes have options available via the cli which aren't in the portal

2019-06-14 15:34:22 GMT <alfresco-discord> <dgradecak> that is why I am personally afraid of sticking with Alfresco versions (at least for community), remember spring in alfresco

2019-06-14 15:34:38 GMT <AFaust> And all the Alfresco / Content App interaction with the default Keycloak work perfectly for me - it's just that the whole user interaction flow from first access + account linking is broken on Keycloak.

2019-06-14 15:34:43 GMT <alfresco-discord> <IanW> My guess is dependencies might be a problem with ng 8

2019-06-14 16:51:21 GMT <alfresco-discord> <dgradecak> @Francesco Corti any idea why my "comments/questions" are ignored on gitter by the adf team? 😉

2019-06-14 18:45:44 GMT <alfresco-discord> <douglascrp> @dgradecak maybe because they don't care? 😄

2019-06-14 18:49:31 GMT <alfresco-discord> <douglascrp> I saw your question about the ACA 1.8 release

2019-06-14 18:49:42 GMT <alfresco-discord> <douglascrp> have they answered that?

2019-06-14 18:49:53 GMT <alfresco-discord> <douglascrp> I gave up about asking about it there

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco