Daily Log for #alfresco

2020-02-24 10:43:57 GMT <alfresco-discord> <dgradecak> @MartinM what password exactly?

2020-02-24 11:52:47 GMT <alfresco-discord> <yreg> the one used to sign the token I assume ?

2020-02-24 11:53:59 GMT <alfresco-discord> <yreg> for those cases you need to use some asymmetric encryption, where the Keycloak uses the private cert and the client simply uses the public cert to verify ...

2020-02-24 12:19:27 GMT <alfresco-discord> <MartinM> Actually like ACS has stored in the DB 🙂

2020-02-24 12:46:39 GMT <alfresco-discord> <dgradecak> I am not following, but if ACS is using KC no user's password should be stored on ACS side. I thought you were talking about the oauth2 password sent by the JS client code

2020-02-24 14:19:24 GMT <alfresco-discord> <Thijs> Got a nice response from Alfresco support:

2020-02-24 14:19:28 GMT <alfresco-discord> <Thijs> Hello Thijs, I will close the case. I have tried to have the problem fixed. Best regards,

2020-02-24 14:20:43 GMT <alfresco-discord> <Thijs> At least he tried

2020-02-24 14:33:07 GMT <alfresco-discord> <dgradecak> I hope you are not telling us the whole story 😉 or the problem must have been complicated

2020-02-24 14:55:51 GMT <alfresco-discord> <MartinM> @dgradecak sure ACS is storing an encrypted password and not the plain ones. I would like to know if I could configure keycloak to only need this encrypted one. But it looks more like I would need an ACS extension

2020-02-24 15:27:21 GMT <alfresco-discord> <yreg> Now I am really not following, why would KC need to be aware of that password or its hash ?

2020-02-24 16:08:35 GMT <alfresco-discord> <MartinM> When you use the KC endpoint you can / have to provide your username and password or? Can be wrong

2020-02-24 17:10:34 GMT <alfresco-discord> <dgradecak> are you talking about username/password of the authenticated user in alfresco?

2020-02-24 17:29:26 GMT <alfresco-discord> <MartinM> yeah but using oauth

2020-02-24 17:29:32 GMT <alfresco-discord> <MartinM> with the identity service

2020-02-24 17:29:42 GMT <alfresco-discord> <MartinM> starting in 6.1 I believe

2020-02-24 17:35:14 GMT <alfresco-discord> <dgradecak> well when using identity service then no password is stored in ACS for the users, I believe you are confusing things a bit

2020-02-24 20:37:23 GMT <alfresco-discord> <MartinM> Yes you are right because you use the credentials from the identity provider which could be like openLDAP. Ok could it be possible to use the encrypted PW stored in the openLDAP DB? I am just asking as our German politics have a stupid new idea called "Pflicht zur Passwortherausgabe" where platforms have to hand out encrypted passwords. I'm curious if that could be implemented somehow with ACS and

2020-02-24 20:37:24 GMT <alfresco-discord> KC

2020-02-24 21:26:08 GMT <AFaust> MartinM: As far as I am aware, that "Pflicht zur Passwortherausgabe" (mandatory disclosure of passwords) is only at a draft stage right now, and has been agreed on the cabinet level. And it targets social media platforms, game apps, (public) information services, webmail etc. But nowhere have I read / heard that it would affect a company internal system like ACS.

2020-02-24 21:28:32 GMT <AFaust> In any case, that responsibility would be on the part of the IdP if you integrate ACS via Keycloak e.g. with Azure / AWS Directory, or whatever. If you integrate it with your own OpenLDAP, then of course you'd be responsible for the passwords stored therein (provided you fall into the targeted category of businesses)

2020-02-24 21:30:17 GMT <AFaust> Though I personally quite expect that piece of crappy law making to die somewhere between the federal diet and council. I don't see any state government involving Greens / the Left agree with such a law.

2020-02-24 21:32:17 GMT <AFaust> And even if, I'd hold any implementation until the constitutional court has ruled.

