AEMAACS custom authentication handler without user creation | Community
Skip to main content
V
Vishal33
July 16, 2025
Solved

AEMAACS custom authentication handler without user creation

  • July 16, 2025
  • 1 reply
  • 376 views

Hi,
In AEMAACS, we are using Authentication Handler for OIDC Based authentication and authorization.
Limitation being we do not want to create users in AEM (post-authentication) but need to do authorization to allow access to pages based on user groups.
If anyone has implemented this, any inputs would be helpful.

Thanks & Regards,
Vishal Jain

Best answer by Uppari_Ramesh

@vishal33  Approach3: If you don't want to create test user, you can merge both approaches. Instead of setting login-token in response object, set JWT header. Once the custom auth handler code completes then request will come to sling filter with valid JWT header. Validate the JWT and user group access and then do filter the request. For this also you need to turn off authentication requirements in ConfigMgr.

 

I have implemented Approach1 earlier and it was working fine but problem with no of users.

 

Thanks,

Ramesh.

1 reply

Uppari_Ramesh
Uppari_Ramesh
July 17, 2025

Hi @vishal33 ,

 

Do not want to create users in AEM -- This means without creating user sessions programmatically, you want to access AEM pages. If your pages are secured and you want to authorize them based OIDC then, there are two ways for this.

  1. Approach1: Upon successful authorization with OIDC, once you get JWT , extract JWT and get email. Using email validate user for group access. If he/she is authorized to access content then again you need to generate a login-token cookie and assign it to response object. To generate login-token, create one user say test user with minimal required permissions. Now login into repository using APIs using test user. This test user will be used to issue login-token to all the people who are authorized to access content. If there are huge number of users then it will be problem with this approach as single user will get occupied with too many login tokens.
  2. Approach2: If there is any way front end can able to send you JWT, then you can create a sling request filter and validate the JWT token and then user access based on user groups and doFilter the request. If user is not allowed then redirect the user to login page again. To achieve this primary thing you need to do is, TURN OFF AUTH requirements for THE PAGES and associated paths.

Thanks,

Ramesh.

    Uppari_Ramesh
    Uppari_RameshAccepted solution
    July 17, 2025

    @vishal33  Approach3: If you don't want to create test user, you can merge both approaches. Instead of setting login-token in response object, set JWT header. Once the custom auth handler code completes then request will come to sling filter with valid JWT header. Validate the JWT and user group access and then do filter the request. For this also you need to turn off authentication requirements in ConfigMgr.

     

    I have implemented Approach1 earlier and it was working fine but problem with no of users.

     

    Thanks,

    Ramesh.

      V
      Vishal33Author
      July 17, 2025

      Hi @uppari_ramesh 
      Thank you for your quick reply, we will try above mentioned approaches, if any question we will ping you.

      Thanks & Regards,
      Vishal Jain

        Terms & ConditionsAccessibility statement

        Loading footer...