OAuth and OIDC support for Sling

Sling has traditionally supported a multitude of features, such as persistence, eventing, jobs, authentication, queries and indexing. Its modular design makes integration-focused deployments possible.

A common set of use cases has Sling act as a client of an external system, either to access resources - documents, assets, social media posts - or to establish identity. These are typically achieved using OAuth and OIDC.

This presentation introduces a Sling extension that adds support for the OAuth and OIDC protocols. The extension can be configured to support various deployment topologies - standalone, shared repository, replicated repositories.

The attendees will become familiar with this new extension, be able to select a proper deployment model for their scenario and integrate it in future projects that require OAuth and OIDC support.

Regarding SSO by OIDC: in the AEM configuration we can set an SSO handler and accept certain header information like X-amzn-identity set by Keycloak. How can we make sure that users with bad intent do not fake or change the header information sent towards the AEM server to imitate another user?
(see answer in talk video)

Reporter

Will it work on the current version of Sling from AEM 6.5?

Robert Munteanu

It should, as it does not require anything exotic from the APIs. Feel free to try and let me know if it does not; I would be happy to make sure it runs on AEM 6.5. Right now it requires Java 17, but it would definitely be possible to move it back to Java 11.

Does it support Proof of Key Exchange (PKCE, RFC 7636)?

Robert Munteanu

The toolkit supports it and it should not be hard to add. But it's not implemented at the moment.
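As an added illustration of what adding PKCE (RFC 7636) to the extension would involve, here is a self-contained Java sketch that is not code from the Sling extension or its toolkit: the client generates a code_verifier and sends its S256 code_challenge with the authorization request, and the authorization server recomputes the challenge when the code is redeemed, so a stolen authorization code cannot be exchanged without the verifier. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Hypothetical PKCE helper: verifier generation, S256 challenge and the server-side check. */
public final class Pkce {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder URL_ENCODER = Base64.getUrlEncoder().withoutPadding();

    /** RFC 7636 section 4.1: high-entropy verifier, 43..128 chars of [A-Za-z0-9-._~]; 32 bytes give 43 chars. */
    public static String newVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return URL_ENCODER.encodeToString(bytes);
    }

    /** RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))). */
    public static String challengeS256(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return URL_ENCODER.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** RFC 7636 section 4.6: the token endpoint recomputes the challenge stored with the code and compares in constant time. */
    public static boolean verify(String storedChallenge, String presentedVerifier) {
        if (presentedVerifier == null || presentedVerifier.length() < 43 || presentedVerifier.length() > 128) {
            return false; // reject verifiers outside the length bounds before hashing
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = challengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Client side: keep the verifier in the session, send only the challenge on the authorization request
        // (code_challenge=...&code_challenge_method=S256); present the verifier on the token request.
        String verifier = newVerifier();
        String challenge = challengeS256(verifier);
        System.out.println("code_challenge=" + challenge);
        // Server side: the genuine verifier passes, a different verifier for the same code does not.
        System.out.println("genuine verifier accepted: " + verify(challenge, verifier));
        System.out.println("other verifier accepted: " + verify(challenge, newVerifier()));
    }
}
```

The plain method is also defined by the RFC but S256 is the one a new implementation should offer; the client still needs the state parameter as well, since PKCE binds the code to the verifier but does not by itself protect the redirect.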

This is definitely needed in AEM. We built it some years ago and I’m sure we were not the only ones. How would this work on AEM publish?
(see answer in talk video)