Using Keycloak for AEM 6.5 Authentication via an OIDC Client (not a SAML Client)

I have successfully integrated my AEM instances with Keycloak-based SAML clients many times in the past. I would prefer to implement an OIDC client in Keycloak that I can use to authenticate when accessing my author instances. 

 

My publish instances are always either behind web-server based authentication (lower levels) or intentionally made available to the general public (production). 

 

TLDR

My hope for the "finished product" would be a login page that either presents a "Login with Keycloak" button alongside the standard local UN/PW fields, or automatically redirects to the Keycloak login page for the given OIDC client (which then redirects back to an AEM URL with the relevant OAuth info, thus allowing me to be authenticated as a user in AEM).

 

Research Points

- I've tried to follow https://experienceleague.adobe.com/docs/events/assets/oauth-server-functionality-in-aem-7-23-14.pdf?... for the purposes of integrating an OIDC client, but have yet to be successful.

- https://medium.com/tech-learnings/how-to-manage-the-protected-aem-resources-through-oauth-2-0-851ce4... - seems to be more related to generating an OIDC client within AEM (as opposed to on Keycloak).

- https://www.willowtreeapps.com/craft/oauth-2-0-client-integration-in-aem-6-5 - what got me really close (in terms of config).

- https://aemcorner.com/adobe-granite-oauth-authentication-handler/ - another very helpful item, similar to the above, but doesn't quite result in a functional solution.

 

Here is an example of my attempt to configure the relevant OAuth bundle:

Screenshot 2024-05-17 at 16.38.28.png

In my mind, the current issue is that I do not see a location to configure the actual URL to my keycloak instance. 

 

I've also tried to manually edit /apps/system/config/com.adobe.granite.auth.oauth.impl.OAuthAuthenticationHandler.config with the following content and restarted my instance:

# Configuration created by Apache Sling JCR Installer
path="/"
oauth.provider.id="keycloak"
oauth.client.id="aem-2"
oauth.client.secret="omitted"
oauth.scope="openid,email,groups"
 
 
0 Replies
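The redirect flow the post describes (browser sent to Keycloak, Keycloak sends it back with a code, the relying party turns the code into an identity) is the OIDC Authorization Code flow. The following is an added example, not AEM's or Adobe's authentication-handler code, showing the relying-party side of that flow with the checks a login handler must make on the way back: state binding on the callback, PKCE, and issuer/audience/nonce/expiry checks on the id_token claims. In OIDC the provider's URL enters the picture as the issuer, from which the endpoints are discovered; Keycloak publishes that metadata at `<base>/realms/<realm>/.well-known/openid-configuration` (older releases prefix the path with `/auth`). The Keycloak host, realm name and redirect URI are assumptions; the client id and scopes are taken from the posted config; the discovery document and the id_token claims are constructed inline so the block runs offline, and signature verification (which needs the realm's JWKS) is deliberately out of scope.

```python
"""Relying-party side of an OIDC Authorization Code flow against a Keycloak realm.
Added example, not AEM/Adobe code. Network calls are replaced by constructed data."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_BASE = "https://keycloak.example.com"        # assumption: your Keycloak host
REALM = "aem"                                          # assumption: realm name
CLIENT_ID = "aem-2"                                    # from the posted config
REDIRECT_URI = "https://author.example.com/callback"   # assumption: AEM-side callback


def discovery_url(base: str, realm: str) -> str:
    """Where the provider metadata lives: this is the place the Keycloak base URL goes."""
    return f"{base}/realms/{realm}/.well-known/openid-configuration"


# Constructed stand-in for the JSON that GET discovery_url(...) returns from Keycloak.
DISCOVERY = {
    "issuer": f"{KEYCLOAK_BASE}/realms/{REALM}",
    "authorization_endpoint": f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth",
    "token_endpoint": f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token",
}


def pkce_pair() -> tuple[str, str]:
    """PKCE verifier and its S256 challenge (binds the code to this client session)."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorization_request(discovery: dict, scopes=("openid", "email", "groups")):
    """Return (redirect URL, session). The session must be stored server-side,
    bound to the browser (cookie), and consumed exactly once on the callback."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,                      # CSRF/login-forgery protection
        "nonce": nonce,                      # replay protection for the id_token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = discovery["authorization_endpoint"] + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def parse_callback(callback_url: str, session: dict) -> str:
    """Validate the redirect back from Keycloak and return the authorization code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError(f"provider returned error: {q['error'][0]}")
    if q.get("state", [None])[0] != session["state"]:
        raise PermissionError("state mismatch: callback not bound to this session")
    return q["code"][0]


def token_request_body(code: str, session: dict) -> dict:
    """Form body for the back-channel POST to DISCOVERY['token_endpoint'] (client secret
    or client auth goes in the Authorization header, never in the front-channel URL)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


def validate_id_token_claims(claims: dict, discovery: dict, session: dict, now=None) -> dict:
    """Claim checks that follow signature verification. Returns the mapped identity."""
    now = time.time() if now is None else now
    if claims.get("iss") != discovery["issuer"]:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("id_token not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise PermissionError("nonce mismatch: replayed id_token")
    if claims.get("exp", 0) < now:
        raise PermissionError("id_token expired")
    return {"user": claims.get("preferred_username"),
            "email": claims.get("email"),
            "groups": claims.get("groups", [])}


def demo() -> dict:
    """Run the whole exchange with constructed provider responses."""
    _url, session = build_authorization_request(DISCOVERY)
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": session["state"]})
    code = parse_callback(callback, session)
    assert token_request_body(code, session)["code"] == "constructed-code"
    claims = {  # constructed: what the decoded, signature-verified id_token would carry
        "iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "nonce": session["nonce"],
        "exp": time.time() + 300, "preferred_username": "jdoe",
        "email": "jdoe@example.com", "groups": ["aem-authors"],
    }
    return validate_id_token_claims(claims, DISCOVERY, session)


if __name__ == "__main__":
    print(demo())
```

The `groups` claim only appears if the Keycloak client has a group-membership mapper configured on it; requesting the `groups` scope alone does not put it in the token. Whatever consumes the identity on the AEM side then has to map those group names to AEM groups.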