AEM 6.x - How to session management in TarMK Farm

Level 4

I am trying to set up a TarMK farm on Publish instances. My application has login and user session functionality. How do I ensure that whenever a user is switched from one publish instance to another, the same session is available on the other publish instance and the user is not forced to log in again?

8 Replies

Employee

Hi,

have you looked at Encapsulated Tokens? You have to bear in mind that for [0], the users must pre-exist on all the publish instances; if this is not possible, then you should use sticky connections.

Regards,

Opkar

[0] https://docs.adobe.com/docs/en/aem/6-2/administer/security/encapsulated-token.html

Level 4

Thanks Opkar. This is really helpful.

I went through the link shared for encapsulated token documentation. I am curious to know how it all works internally. Documentation mentions:

The Encapsulated Token is a piece of cryptography that allows to securely create and validate authentication information offline, without accessing the repository.

Now what is the offline location and how does it work? If it does authentication without accessing the repository, then what is the need for the HMAC key setup and enabling it?

Employee

Hi Rajeev,

the answer probably lies in the doc here: "It also has the advantage of improving authentication performance since the repository does not need to be accessed for every authentication request."

So when they mention offline, I guess it means the request is not authenticated against the repository. Authentication still goes through the standard authentication handler if you configure encapsulated tokens in the "Day CRX Token Authentication Handler", but only the token is validated. So the repo is still used to access the encryption key, but the request is not authenticated using the standard repository authentication. Hope that makes sense....

Another link: [1]

Regards,

Opkar

[1] http://www.slideshare.net/DamienAntipa/you-wanna-crypto-in-aem

Employee

Hi Rajeev,

I just updated my answer after going through the docs more thoroughly.

Regards,

Opkar

Level 4

So where is the authentication handler present in this case (if it is not in the repository)? Is it referring to IdP and SSO?

Employee

rajeev.yadav wrote...

So where is the authentication handler present in this case (if it is not in the repository)? Is it referring to IdP and SSO?

It's at the Sling level [0]. I agree the term offline is very misleading, as the repository has to be running. There is a good explanation of CQ's authentication here [1]; it's a bit old, but the principles still apply (except now there is the Oak login module). An example of creating it is here [3].

Regards,

Opkar

[0] https://sling.apache.org/documentation/the-sling-engine/authentication.html

[1] http://suryakand-shinde.blogspot.co.uk/2011/04/sling-authentication.html

[2] http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html

[3] https://helpx.adobe.com/experience-manager/using/oak-login.html

Level 1

Hi Opkar,

I have implemented the encapsulated token (same scenario mentioned above), but as there is no .token created within home/users, my user session is not getting expired even when I have changed the session timeout from Apache Jackrabbit Oak TokenConfiguration.

Could you please suggest how I can set the session expiration in AEM when using the encapsulated token, as the config changes in Apache Jackrabbit Oak TokenConfiguration do not affect the ongoing session of any logged-in user.

Level 2

Opkar,

I haven't tried it in AEM, but based on the documentation it is still not stateless authentication; you still need to put a process in place to sync users between the TarMK publisher farm. But will it not support HMAC authentication, where authentication can be done by any one publisher and after that the other publishers should be able to verify the token? Here let's assume I am storing user profile information in an external DB.
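Opkar's explanation above (the token is checked with a shared HMAC key instead of a repository login) and the closing question about any publisher verifying a token another one issued, as an added Python illustration of the principle that is not AEM's code or its token format: a self-contained HMAC-signed token carrying its own expiry, which any farm member holding the same key validates without a session store. The key `FARM_KEY`, the claim layout and the inputs are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret: every publish instance in the farm must hold the same
# key (distributed out of band), or a token minted by one instance will not verify
# on another. Example assumption only, not AEM's own key handling.
FARM_KEY = b"constructed-shared-farm-key"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(user_id: str, key: bytes, ttl_seconds: int,
                 now: Optional[float] = None) -> str:
    """Mint <payload>.<signature>; the expiry is inside the signed payload,
    so the client cannot extend it and no server-side session record is needed."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"sub": user_id, "exp": issued + ttl_seconds},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def validate_token(token: str, key: bytes,
                   now: Optional[float] = None) -> Optional[str]:
    """Return the user id if signature and expiry hold, else None.
    Nothing here consults a session store: any instance holding `key` can run it."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except ValueError:  # wrong field count or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged signature leaks no timing information.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)  # safe: the payload is one this key signed
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return None  # expired; the timeout is enforced by the token itself
    return claims["sub"]
```

A valid signature only proves the token was minted with the shared key; whether the named user exists on the instance is a separate check, which is why the users must pre-exist everywhere.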