Expand my Community achievements bar.

SOLVED

AEM CUG - Enable authentication but using external login API and token

Avatar

Level 1
Level 1
2/18/23 11:49:14 PM

Hi All,

I an novice in AEM and recently have gotten a use case to do gated AEM assets (images, pdf & etc) for external users that do not sits in AEM's user/group, I've studied the CUG authentication features from a few Internet sources, I notice the authentication is mainly performed against the OOTB AEM login module, and seldom elaborate on how it works if I were to provide a custom login page link. Hence, I have a few related queries here, hopefully any folks with similar experiences or experts can shed some light.

  1. From the gated asset folder, possible to put a custom login page link that calling an external login API?
    Then10_1-1676790407662.png
  2. If #1 is possible, assume the external login API authenticated successfully and return an login token, how can I make use of this login token and communicate with AEM that this user has login successfully? and hence can allow the user to view/read the gated asset.
  3. From my knowledge, the permission on CUG seems to work with AEM's user/group only, it might not work with non-AEM's user/group. Wild idea: what if I create a "read-only AEM user/group" so that whenever the external login API come back with a login token, I can treat it as a condition/validation to trigger the AEM login using the "read-only AEM user/group", programmatically thru client-side code (eg: invoke this API "/libs/granite/core/content/login.html"), or AEM already have similar login API exposed?

I appreciate any responses with comments/corrections, advises, better solutions or references on this matter. 

Sorry for the long read, I just wanted to ensure that my words fully express my ideas and thoughts.

Thanks for your time.

Views

1.1K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 5
Level 5
2/19/23 6:03:26 AM

You can create a custom logic page and have custom authentication handler written to validate the behavior, below are the steps to do so.

  1. Create a custom login page that will be used to authenticate the user. This page should have a form that the user will fill in with their credentials.
  2. When the user submits the login form, the form data should be sent to your external login API for authentication (You can achieve this using servlet call).
  3. Write a service class which calls from servlet If the user's credentials are valid, the API should return a login token to the custom login page(from servlet).
  4. The custom login page should then send the login token to AEM, along with a request to log the user in.
  5. you can create a custom authentication handler that will validate the login token and create a session for the user. You can use this session to control access to gated assets.

Custom Authentication Handler Example:

@component(service = Authenticator.class)
public class MyCustomAuthHandler implements AuthenticationHandler {

    @reference
    private ResourceResolverFactory resourceResolverFactory;

    @Override
    public AuthenticationInfo extractCredentials(SlingHttpServletRequest request, 
                                                  AuthenticateCallback callback) 
                                                  throws NoAuthenticationHandlerException {
        // Extract the login token from the request
        String loginToken = request.getParameter("loginToken");
        
        // Call your external login API to authenticate the user and retrieve their details
        
        
        // If authentication succeeds, create a session for the user
        ResourceResolver resourceResolver = null;
        try {
            resourceResolver = resourceResolverFactory.getServiceResourceResolver(null);
            UserManager userManager = resourceResolver.adaptTo(UserManager.class);
            
           
            // Create a session for the user and return the authentication info
            return new AuthenticationInfo("myCustomAuthType", "userId", 
                                           "UserPassword".toCharArray());
        } catch (Exception e) {
            // Handle any exceptions that may occur
            // ...
        } finally {
            if (resourceResolver != null && resourceResolver.isLive()) {
                resourceResolver.close();
            }
        }
        
        
        return null;
    }
    
    
}

Hope this is helpful.

View solution in original post

Views

1.1K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Level 5
Level 5
2/19/23 6:03:26 AM

You can create a custom logic page and have custom authentication handler written to validate the behavior, below are the steps to do so.

  1. Create a custom login page that will be used to authenticate the user. This page should have a form that the user will fill in with their credentials.
  2. When the user submits the login form, the form data should be sent to your external login API for authentication (You can achieve this using servlet call).
  3. Write a service class which calls from servlet If the user's credentials are valid, the API should return a login token to the custom login page(from servlet).
  4. The custom login page should then send the login token to AEM, along with a request to log the user in.
  5. you can create a custom authentication handler that will validate the login token and create a session for the user. You can use this session to control access to gated assets.

Custom Authentication Handler Example:

@component(service = Authenticator.class)
public class MyCustomAuthHandler implements AuthenticationHandler {

    @reference
    private ResourceResolverFactory resourceResolverFactory;

    @Override
    public AuthenticationInfo extractCredentials(SlingHttpServletRequest request, 
                                                  AuthenticateCallback callback) 
                                                  throws NoAuthenticationHandlerException {
        // Extract the login token from the request
        String loginToken = request.getParameter("loginToken");
        
        // Call your external login API to authenticate the user and retrieve their details
        
        
        // If authentication succeeds, create a session for the user
        ResourceResolver resourceResolver = null;
        try {
            resourceResolver = resourceResolverFactory.getServiceResourceResolver(null);
            UserManager userManager = resourceResolver.adaptTo(UserManager.class);
            
           
            // Create a session for the user and return the authentication info
            return new AuthenticationInfo("myCustomAuthType", "userId", 
                                           "UserPassword".toCharArray());
        } catch (Exception e) {
            // Handle any exceptions that may occur
            // ...
        } finally {
            if (resourceResolver != null && resourceResolver.isLive()) {
                resourceResolver.close();
            }
        }
        
        
        return null;
    }
    
    
}

Hope this is helpful.

Views

1.1K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Administrator
Administrator
2/22/23 12:27:50 AM
In response to VeenaK

@VeenaK great reply. Good to see great AEM SMEs in this community. Looking forward to your continuous contribution here.



Kautuk Sahni

Views

1.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
AEM headless architecture Solved

Views

142

Likes

0

Replies

4
can somebody please explain the use of the workflow model in /var?

Views

69

Likes

0

Replies

3
Understand the flow of AEM + SPA

Views

79

Likes

0

Replies

5
I'm encountering an error when adding my component to a page and trying to view it in publish mode

Views

67

Likes

0

Replies

2
Images compression in DAM | AEM as Cloud

Views

77

Likes

0

Replies

2