feat(oauth): login with Google

Open rombert opened this issue 6 months ago • 11 comments

rombert • Sep 01 '25 15:09

@nscendoni - I tried to demonstrate how to login with OIDC using Google but I can't seem to get the user authenticated.

With the attached changes I can trigger a login flow when accessing http://localhost:8080/content/oauth-demo/playlists.html , I get to confirm the authentication with Google, but when the redirect is sent to http://localhost:8080/oauth-demo/playlists/j_security_check?state=...&code=... (which looks good to me) I get the Sling form authentication page.

What am I doing wrong here?

(please ignore the Spotify references, it looks like they are not a conformant OIDC provider)

rombert • Sep 01 '25 15:09

I see these issues with configuration:

  • org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler is a factory. It should be something like: org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler~google
  • you need to add a configuration for UserInfoProcessor like:

    "org.apache.sling.auth.oauth_client.impl.SlingUserInfoProcessorImpl~google": {
      "connection": "google"
    }

nscendoni • Sep 02 '25 08:09

Thanks @nscendoni. I made the adjustment but have the same issue. Here are the debug auth logs I could gather.

When accessing the protected resource and getting redirected to Google for login:

02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler inside extractCredentials
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler@ba806a5
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler inside requestCredentials
02.09.2025 10:33:08.484 *DEBUG* [qtp918996980-94] org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler Missing mandatory request parameter 'c' using default connection

After getting redirected back from Google:

02.09.2025 10:33:36.245 *DEBUG* [qtp918996980-336] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
02.09.2025 10:33:36.245 *DEBUG* [qtp918996980-336] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous
02.09.2025 10:33:36.245 *DEBUG* [qtp918996980-336] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous
02.09.2025 10:33:36.245 *DEBUG* [qtp918996980-336] org.apache.sling.auth.core.impl.SlingAuthenticator getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials
02.09.2025 10:33:36.245 *DEBUG* [qtp918996980-336] org.apache.sling.auth.core.impl.SlingAuthenticator login: requesting authentication using handler: Form Based Authentication Handler
02.09.2025 10:33:36.261 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.HttpBasicAuthenticationHandler forceAuthentication: Not forcing authentication because request parameter sling:authRequestLogin is not set
02.09.2025 10:33:36.261 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator getAuthenticationInfo: no handler could extract credentials; assuming anonymous
02.09.2025 10:33:36.261 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator doHandleSecurity: No credentials in the request, anonymous
02.09.2025 10:33:36.265 *DEBUG* [qtp918996980-94] org.apache.sling.auth.core.impl.SlingAuthenticator setAttributes: ResourceResolver stored as request attribute: user=anonymous

Does anything look suspicious to you?

Also, I can't reliably get the redirect to Google when logging in, sometimes this gets redirected to the form login, maybe it's related.

rombert • Sep 02 '25 08:09

I've never seen the authentication requirement configured with "sling.auth.requirements": "+/content/oauth-demo/playlists" in the authentication handler. I generally modify SlingAuthenticator. I don't know if that setting should work or is broken.

nscendoni • Sep 02 '25 08:09

It's valid to add this requirement to any service. I would actually recommend not doing it on the Sling Authenticator because you can't overwrite this by trying to add multiple requirements. But the problem is that I was not adding the /content prefix; for now I added both and I can trigger the login flow reliably.

https://github.com/apache/sling-samples/pull/18/files#diff-28c4247ceb4441ff33c8f065a8c8280c34d075378987da5b1ddc3d9ba8e15d03R32

Still need to figure out some later errors but I'm unblocked for now, thanks for your help.

02.09.2025 10:57:09.977 *INFO* [qtp2070377709-89] org.apache.sling.auth.core.impl.SlingAuthenticator handleLoginFailure: Unable to authenticate 116780918108829134398: Login Failure: all modules ignored

rombert • Sep 02 '25 09:09
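Putting nscendoni's configuration checklist (factory PID suffix, matching UserInfoProcessor config) and the sling.auth.requirements fix from the comment above into a pre-flight check, as an added example; this is not code from sling-samples or from the Sling OAuth client. It assumes the OSGi configurations have been loaded as a dict of PID to properties; the config values are constructed for the example, and only the two factory PIDs, the "connection" property and "sling.auth.requirements" come from the thread.

```python
"""Pre-flight lint for the Apache Sling OAuth/OIDC client OSGi configuration.

Added example for this thread; not code from sling-samples or the Sling OAuth
client. It encodes the three mistakes found above:
  1. OidcAuthenticationHandler is a factory configuration: the PID needs a
     '~<name>' suffix (OidcAuthenticationHandler~google).
  2. Each handler needs a SlingUserInfoProcessorImpl~<name> configuration
     whose "connection" property names the same connection.
  3. sling.auth.requirements entries are '+'/'-' prefixed absolute paths and
     must sit under the roots actually served (the sample needed /content/...).
The configs below are constructed; the two factory PIDs, "connection" and
"sling.auth.requirements" are the names used in the thread, everything else
is an assumption.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

HANDLER_PID = "org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler"
USERINFO_PID = "org.apache.sling.auth.oauth_client.impl.SlingUserInfoProcessorImpl"
FACTORY_PIDS = {HANDLER_PID, USERINFO_PID}
REQUIREMENT_RE = re.compile(r"^[+-]/[^\s]*$")


def split_pid(pid: str) -> Tuple[str, Optional[str]]:
    """'base~name' -> ('base', 'name'); a plain PID -> ('base', None)."""
    base, sep, name = pid.partition("~")
    return base, (name if sep else None)


def as_list(value) -> List[str]:
    """OSGi string properties may be a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def check_requirement(pid: str, req: str, roots: Iterable[str]) -> List[str]:
    """Validate one sling.auth.requirements entry against the served roots."""
    if not REQUIREMENT_RE.match(req):
        return [f"{pid}: requirement {req!r} must look like '+/abs/path' or '-/abs/path'"]
    path = req[1:]
    if not any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots):
        return [f"{pid}: requirement {req!r} is outside the expected roots {sorted(roots)}"]
    return []


def lint(configs: Dict[str, dict], roots: Iterable[str] = ("/content",)) -> List[str]:
    """Return a list of findings; an empty list means the configuration passes."""
    roots = tuple(roots)
    findings: List[str] = []
    handlers: Dict[str, dict] = {}
    processors: Dict[str, dict] = {}
    for pid, props in configs.items():
        base, name = split_pid(pid)
        if base in FACTORY_PIDS and name is None:
            findings.append(f"{pid}: factory configuration needs a '~<name>' suffix, e.g. {base}~google")
        elif base == HANDLER_PID:
            handlers[name] = props
        elif base == USERINFO_PID:
            processors[name] = props
        # Any service may carry sling.auth.requirements, so check every config.
        for req in as_list(props.get("sling.auth.requirements")):
            findings.extend(check_requirement(pid, req, roots))
    for name in handlers:
        proc = processors.get(name)
        if proc is None:
            findings.append(f"{HANDLER_PID}~{name}: missing {USERINFO_PID}~{name} configuration")
        elif proc.get("connection") != name:
            findings.append(f"{USERINFO_PID}~{name}: \"connection\" is {proc.get('connection')!r}, expected {name!r}")
    return findings


# Constructed configs. BROKEN reproduces the original setup from the thread:
# no '~google' suffix, no UserInfoProcessor config, requirement without /content.
BROKEN = {
    HANDLER_PID: {"sling.auth.requirements": "+/oauth-demo/playlists"},
}
# The processor exists but names another connection (assumed value).
MISMATCHED = {
    f"{HANDLER_PID}~google": {"sling.auth.requirements": "+/content/oauth-demo/playlists"},
    f"{USERINFO_PID}~google": {"connection": "spotify"},
}
FIXED = {
    f"{HANDLER_PID}~google": {"sling.auth.requirements": ["+/content/oauth-demo/playlists"]},
    f"{USERINFO_PID}~google": {"connection": "google"},
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("mismatched", MISMATCHED), ("fixed", FIXED)):
        print(label, lint(cfg) or "OK")
```

The root list is a parameter because it depends on the repository layout of the instance; the default of /content matches what this sample needed, and the check deliberately does not try to guess which prefix is right for a different deployment.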

@nscendoni this is finally almost working; I see the user being created, but I get this error that I don't know what to make of:

02.09.2025 11:55:28.987 *INFO* [qtp1227848401-344] org.apache.sling.auth.oauth_client.impl.OidcAuthenticationHandler User 1...... authenticated
02.09.2025 11:55:29.010 *WARN* [qtp1227848401-344] org.apache.sling.auth.core.impl.SlingAuthenticator handleSecurity: AuthenticationHandler did not block request; access denied

Any ideas on how to troubleshoot?

rombert • Sep 02 '25 09:09

@nscendoni - I added some breakpoints; I think this is where it goes wrong.

OidcAuthenticationHandler.authenticationSucceeded returns false and then https://github.com/apache/sling-org-apache-sling-auth-core/blob/8bb459f1677656529bf6940c643bd6c4f3f67664/src/main/java/org/apache/sling/auth/core/impl/SlingAuthenticator.java#L427-L433 is executed.

rombert • Sep 02 '25 11:09

@nscendoni - I configured some more attributes to be synced but still no luck with the login flow. I can see some more properties set on the user node but that does not impact the overall success.

rombert • Sep 02 '25 12:09

@nscendoni - as discussed, here is the issue you discovered - https://issues.apache.org/jira/browse/SLING-12926

rombert • Sep 03 '25 08:09

With a workaround this now works! I was confused because the user is considered logged in only for the paths handled by the OidcAuthenticationHandler. I added some debug information on the protected page and now I can see that the user is authenticated; it's just that when navigating to the parent page it's back to anonymous.

I can now look in more detail into the OIDC authentication handler to set up a proper sample, and it would be nice to have SLING-12926 for the next release.

rombert • Sep 03 '25 15:09

With the changes from https://github.com/apache/sling-org-apache-sling-auth-oauth-client/pull/30 this now works with custom IdP names.

rombert • Sep 05 '25 13:09