The Nuxeo Keycloak package allows you to integrate Keycloak, an Open Source Identity and Access Management solution.
See the Nuxeo Keycloak Package README.md for a complete list of required and optional configuration parameters directly contributable via nuxeo.conf.
Nuxeo/Keycloak Automation and REST API Status Code Specifications
Here are the status codes to expect depending on the plugins' order in the Automation and RestAPI specific authentication chains.
Chain order | Keycloak basic auth enabled | Provided credentials | Response status code |
---|---|---|---|
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | false | none | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | false | KO (nuxeo basic) | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | false | OK (nuxeo basic) | 200 - OK |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | false | KO (Keycloak bearer) | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | false | OK (Keycloak bearer) | 200 - OK |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | none | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | KO (nuxeo basic) | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | OK (nuxeo basic) | 200 - OK |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | KO (Keycloak basic) | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | OK (Keycloak basic) | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | KO (Keycloak bearer) | 401 - Unauthorized |
AUTOMATION_BASIC_AUTH KEYCLOAK_AUTH | true | OK (Keycloak bearer) | 200 - OK |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | false | none | 302 - Redirect |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | false | KO (nuxeo basic) | 302 - Redirect |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | false | OK (nuxeo basic) | 200 - OK |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | false | KO (Keycloak bearer) | 401 - Unauthorized |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | false | OK (Keycloak bearer) | 200 - OK |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | none | 302 - Redirect |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | KO (nuxeo basic) | 401 - Unauthorized |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | OK (nuxeo basic) | 200 - OK |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | KO (Keycloak basic) | 401 - Unauthorized |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | OK (Keycloak basic) | 200 - OK |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | KO (Keycloak bearer) | 401 - Unauthorized |
KEYCLOAK_AUTH AUTOMATION_BASIC_AUTH | true | OK (Keycloak bearer) | 200 - OK |
Sample Contribution to Change the Authentication Plugins' Order, Overriding the Keycloak Package’s Contribution
Here is a sample contribution that puts Keycloak first in the Automation and RestAPI specific chains.
This would allow you to get the same response status codes as in the second half of the above table.
```xml
<component name="org.nuxeo.ecm.platform.login.keycloak.descriptor.override">
  <require>org.nuxeo.ecm.platform.login.keycloak.descriptor</require>
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="specificChains">
    <specificAuthenticationChain name="RestAPI">
      <urlPatterns>
        <url>(.*)/api/v.*</url>
      </urlPatterns>
      <replacementChain>
        <plugin>KEYCLOAK_AUTH</plugin>
        <plugin>AUTOMATION_BASIC_AUTH</plugin>
      </replacementChain>
    </specificAuthenticationChain>
  </extension>
  <extension
      target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
      point="specificChains">
    <specificAuthenticationChain name="Automation">
      <urlPatterns>
        <url>(.*)/automation.*</url>
      </urlPatterns>
      <replacementChain>
        <plugin>KEYCLOAK_AUTH</plugin>
        <plugin>AUTOMATION_BASIC_AUTH</plugin>
      </replacementChain>
    </specificAuthenticationChain>
  </extension>
</component>
```
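The following Python script is an added example, not part of the Nuxeo Keycloak package or its documentation. It parses a condensed copy of the contribution above, resolves which specific chain a request path falls under, and returns the status code the table gives for a request without credentials. It assumes that each URL pattern must match the whole request path and that the first matching chain applies; the function names and sample paths are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Condensed copy of the override contribution shown on this page.
CONTRIB = """
<component name="org.nuxeo.ecm.platform.login.keycloak.descriptor.override">
  <extension point="specificChains">
    <specificAuthenticationChain name="RestAPI">
      <urlPatterns><url>(.*)/api/v.*</url></urlPatterns>
      <replacementChain><plugin>KEYCLOAK_AUTH</plugin><plugin>AUTOMATION_BASIC_AUTH</plugin></replacementChain>
    </specificAuthenticationChain>
  </extension>
  <extension point="specificChains">
    <specificAuthenticationChain name="Automation">
      <urlPatterns><url>(.*)/automation.*</url></urlPatterns>
      <replacementChain><plugin>KEYCLOAK_AUTH</plugin><plugin>AUTOMATION_BASIC_AUTH</plugin></replacementChain>
    </specificAuthenticationChain>
  </extension>
</component>
"""

# From the table: status for a request with no credentials, keyed by first plugin.
NO_CREDENTIALS_STATUS = {"AUTOMATION_BASIC_AUTH": 401, "KEYCLOAK_AUTH": 302}

def load_chains(xml_text):
    """Return (name, compiled URL patterns, ordered plugin names) per chain."""
    chains = []
    for chain in ET.fromstring(xml_text).iter("specificAuthenticationChain"):
        patterns = [re.compile(u.text.strip()) for u in chain.iterfind("urlPatterns/url")]
        plugins = [p.text.strip() for p in chain.iterfind("replacementChain/plugin")]
        chains.append((chain.get("name"), patterns, plugins))
    return chains

def resolve(chains, path):
    """Assumption: full regex match on the path, first matching chain wins."""
    for name, patterns, plugins in chains:
        if any(p.fullmatch(path) for p in patterns):
            return name, plugins
    return None, []

def expected_anonymous_status(chains, path):
    """Status the table predicts for a credential-less request, or None."""
    _, plugins = resolve(chains, path)
    return NO_CREDENTIALS_STATUS.get(plugins[0]) if plugins else None

if __name__ == "__main__":
    chains = load_chains(CONTRIB)
    for path in ("/nuxeo/api/v1/me", "/nuxeo/site/automation/Document.Query", "/nuxeo/login.jsp"):
        print(path, resolve(chains, path), expected_anonymous_status(chains, path))
```

With Keycloak first, a non-browser API client that sends no credentials receives a 302 rather than a 401, so clients and monitoring checks that key on 401 need to account for the redirect.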