
SOLVED

AEMAACS custom authentication handler without user creation


Level 3

Hi,
In AEMAACS, we are using Authentication Handler for OIDC Based authentication and authorization.
Limitation being we do not want to create users in AEM (post-authentication) but need to do authorization to allow access to pages based on user groups.
If anyone has implemented this, any inputs would be helpful.

Thanks & Regards,
Vishal Jain



3 Replies


Level 6

Hi @Vishal_Jain03,


Do not want to create users in AEM -- this means you want to access AEM pages without creating user sessions programmatically. If your pages are secured and you want to authorize them based on OIDC, there are two ways to do this.

  1. Approach1: Upon successful authorization with OIDC, once you get the JWT, extract it and get the email. Using the email, validate the user for group access. If he/she is authorized to access content, then you again need to generate a login-token cookie and assign it to the response object. To generate the login-token, create one user, say a test user, with the minimal required permissions. Now log in to the repository using APIs with the test user. This test user will be used to issue login-tokens to all the people who are authorized to access content. If there is a huge number of users, this approach will be a problem, as a single user will be occupied with too many login tokens.
  2. Approach2: If there is any way the front end can send you the JWT, then you can create a Sling request filter, validate the JWT token, check user access based on user groups and doFilter the request. If the user is not allowed, redirect the user to the login page again. To achieve this, the primary thing you need to do is TURN OFF AUTH requirements for THE PAGES and associated paths.

Thanks,

Ramesh.


Correct answer by
Level 6

@Vishal_Jain03 Approach3: If you don't want to create a test user, you can merge both approaches. Instead of setting the login-token in the response object, set a JWT header. Once the custom auth handler code completes, the request will come to the Sling filter with a valid JWT header. Validate the JWT and the user group access, and then doFilter the request. For this also you need to turn off the authentication requirements in ConfigMgr.


I have implemented Approach1 earlier and it was working fine, but there was a problem with the number of users.


Thanks,

Ramesh.
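As an added example of the filter side of Approach2/Approach3 (this is not code from the thread, from AEM or from Ramesh), a Sling request filter that gates the page once AEM's own auth requirement is turned off for the path. The java-jwt library (com.auth0), an HS256-signed token, and the header name, claim name, group name, issuer and login path are all assumptions; with RS256 tokens you would build the verifier with the IdP's public key instead of a shared secret.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;
import org.osgi.service.component.annotations.Component;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

// Sling filter on paths whose AEM auth requirement has been turned off (Approach 2/3).
// AEM no longer authenticates these requests, so this filter is the only gate: it must verify
// the token's signature, issuer and expiry, never just check that the header is present.
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=/content/secure/.*" })      // assumed protected path
public class JwtGroupAuthFilter implements Filter {
    private static final String JWT_HEADER = "X-OIDC-JWT";            // assumed header set by the auth handler
    private static final String GROUPS_CLAIM = "groups";              // assumed claim with IdP group names
    private static final String REQUIRED_GROUP = "content-readers";   // assumed group allowed to read pages
    private static final String LOGIN_PATH = "/content/login.html";   // assumed login page
    private static final String SECRET = "REPLACE-WITH-SECRET-FROM-OSGI-CONFIG"; // placeholder, never hard-code
    // Pins the algorithm and issuer; java-jwt rejects expired tokens (exp) by default.
    private final JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET))
            .withIssuer("https://idp.example.com/").build();          // assumed issuer

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String token = ((HttpServletRequest) req).getHeader(JWT_HEADER);
        if (token == null || !isAuthorized(token)) {
            ((HttpServletResponse) res).sendRedirect(LOGIN_PATH); // missing/invalid/wrong group: back to login
            return;
        }
        chain.doFilter(req, res); // verified token with the required group: let the page render
    }

    // True only when signature, issuer and expiry verify AND the groups claim holds the required group.
    boolean isAuthorized(String token) {
        try {
            DecodedJWT jwt = verifier.verify(token);
            List<String> groups = jwt.getClaim(GROUPS_CLAIM).asList(String.class);
            return groups != null && groups.contains(REQUIRED_GROUP);
        } catch (JWTVerificationException e) {
            return false; // tampered, expired, or not from our issuer
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Because the client controls request headers, the filter treats the header as untrusted input and accepts nothing that does not pass verifier.verify; if the auth handler sets the header itself, the same check still applies.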


Level 3

Hi @Uppari_Ramesh,
Thank you for your quick reply. We will try the above-mentioned approaches, and if we have any questions we will ping you.

Thanks & Regards,
Vishal Jain