Use this information to configure Content Services to authenticate using Identity Service. Content Services uses Spring Security components because the Keycloak Adapters have been deprecated. Key features and behaviors of the Keycloak Adapter, such as the communication with the Identity Service, are preserved. For more information, see the Keycloak documentation Deprecation of Keycloak adapters.
Starting with version 23.2, the ACS Repository has expanded its support to include any Identity Provider that is compliant with the OpenID Connect (OIDC) protocol.
Configure the alfresco-global.properties file using the properties below.

Identity Service authentication options:

Property | Description |
---|---|
identity-service.authentication.enabled | Enable or disable authentication via the Identity Service. The default value is true. |
identity-service.authentication.validation.failure.silent | Sets whether token validation failure is silent. The default value is true. |
identity-service.authentication.defaultAdministratorUserNames | The default administrator user name. The default value is admin. |
identity-service.authentication.allowGuestLogin | Sets whether guest logins are allowed. The default value is true. |
identity-service.authentication.enable-username-password-authentication | Enable username and password authentication. The default value is true. |
Specifying the Identity Service (Keycloak) or other OIDC Identity Provider details:

Property | Description |
---|---|
identity-service.realm | Name of the realm configured in the Identity Service or Keycloak. This is a Keycloak-specific property. Note: This property must be empty for other OIDC Identity Providers. The default value is alfresco. |
identity-service.auth-server-url | Identity Provider base URL. The default value is http://localhost:8180/auth. |
identity-service.issuer-url | Optional property. Validates that the issuer URL from the OIDC discovery document matches the user-provided issuer URL. If identity-service.auth-server-url is empty and only the issuer URL is provided, the issuer URL is used to retrieve the discovery document for additional configuration details. |
identity-service.audience | Optional property. Specifies the intended audience for an access token. |
identity-service.resource | The Client ID for the client created within your realm that points to Content Services. The default value is alfresco. |
identity-service.credentials.secret | The Client Secret for the client. The default value is an empty string. |
identity-service.principal-attribute | Specifies an attribute from the access token and the UserInfo endpoint that is used to retrieve the username. For consistency, that claim should be available both in the access token and in the UserInfo endpoint response. If this attribute is missing from the access token, the repository attempts to retrieve the missing information from the UserInfo endpoint, resulting in an additional API call. The default value is preferred_username. |
identity-service.client-id.validation.disabled | If set to true, the azp claim in the token is validated against the Client ID specified in the identity-service.resource property. This ensures that the token was indeed issued for the configured client. The default value is true. |
identity-service.admin-console.redirect-path | Specifies the Admin Console path to which the authorization server redirects once authorization is completed. The default value is: |
identity-service.signature-algorithms | Specifies the acceptable signature algorithms. The default value is RS256,PS256. |
OpenID Connect Identity Provider configuration example:

```properties
identity-service.auth-server-url=https://alfresco.auth0.com/
identity-service.audience=http://localhost:3000
identity-service.resource=${AUTH0_CLIENT_ID}
identity-service.credentials.secret=${AUTH0_CLIENT_SECRET}
identity-service.public-client=false
identity-service.principal-attribute=nickname
identity-service.client-id.validation.disabled=false
identity-service.realm=
```
Specifying TLS/mTLS details:

Property | Description |
---|---|
identity-service.allow-any-hostname | If TLS is used, this flag allows you to disable hostname verification. This might be useful in a development environment. The default value is false. |
identity-service.disable-trust-manager | If TLS is used, this flag allows you to disable certificate verification. This might be useful in a development environment. The default value is false. |
identity-service.truststore | If TLS is used, this property specifies the path to the truststore. |
identity-service.truststore-password | Password for the truststore. |
identity-service.client-keystore | Location of the keystore containing the client certificate in the case of an mTLS setup. |
identity-service.client-keystore-password | Password for the keystore. |
identity-service.client-key-password | Password for the client key. |
Specifying underlying HTTP client details:

Property | Description |
---|---|
identity-service.connection-pool-size | Allows you to specify how many HTTP connections will be used to communicate with the Identity Service. The default value is 20. |
identity-service.client-connection-timeout | Timeout in milliseconds for connecting to the Identity Service. The default value is 2000. |
identity-service.client-socket-timeout | Timeout in milliseconds for reading responses from the Identity Service. The default value is 2000. |
Specifying a provided JWKS public key:

Property | Description |
---|---|
identity-service.realm-public-key | Allows you to specify the realm public key. The default value is empty, which means the Repository will obtain the key directly from the Identity Service. |

Configuring the TTL for the cached JWKS public key obtained from the certs endpoint:

Property | Description |
---|---|
identity-service.public-key-cache-ttl | The time in seconds between refreshes of the public keys from the JWKS endpoint. The default value is 86400. |
Respecting Keycloak's or the OIDC Identity Provider's public client setting:

Property | Description |
---|---|
identity-service.public-client | The Repository won't send credentials for the client to the Identity Service or OIDC Identity Provider if this is set to true. The default value is true. |
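As an added example (not part of the Alfresco documentation or product), the following script parses an alfresco-global.properties fragment and flags identity-service settings from the tables above that weaken transport or token validation: development-only TLS switches, a client secret that is never sent because the client is public, symmetric signature algorithms, and a missing discovery URL. The sample fragment and its placeholder values are constructed for the example.

```python
# Added example: audit identity-service.* settings in alfresco-global.properties.
# Constructed sample fragment; the values are placeholders, not a real deployment.
SAMPLE_PROPERTIES = """
# identity-service settings (constructed sample)
identity-service.authentication.enabled=true
identity-service.auth-server-url=https://idp.example.test/
identity-service.realm=
identity-service.resource=${OIDC_CLIENT_ID}
identity-service.credentials.secret=${OIDC_CLIENT_SECRET}
identity-service.public-client=true
identity-service.allow-any-hostname=true
identity-service.disable-trust-manager=false
identity-service.signature-algorithms=RS256,HS256
"""

# Asymmetric JOSE algorithms; anything else (HS*, none) relies on a shared secret
# or no signature at all, so a token could be minted by any holder of that secret.
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512", "EdDSA"}


def parse_properties(text):
    """Minimal .properties parser: one key=value per line, '#'/'!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_identity_service(props):
    """Return a list of findings describing weak identity-service settings."""
    def get(key, default=""):
        return props.get("identity-service." + key, default)

    findings = []
    if get("authentication.enabled", "true").lower() != "true":
        return findings  # subsystem disabled: nothing to audit
    if not get("auth-server-url") and not get("issuer-url"):
        findings.append("neither auth-server-url nor issuer-url is set; discovery document cannot be fetched")
    if get("allow-any-hostname", "false").lower() == "true":
        findings.append("allow-any-hostname=true disables TLS hostname verification (development only)")
    if get("disable-trust-manager", "false").lower() == "true":
        findings.append("disable-trust-manager=true disables certificate verification (development only)")
    if get("public-client", "true").lower() == "true" and get("credentials.secret"):
        findings.append("public-client=true while credentials.secret is set; the secret is never sent")
    algs = {a.strip() for a in get("signature-algorithms", "RS256,PS256").split(",") if a.strip()}
    weak = sorted(algs - ASYMMETRIC_ALGS)
    if weak:
        findings.append("signature-algorithms allows non-asymmetric algorithm(s): " + ",".join(weak))
    return findings


if __name__ == "__main__":
    for finding in audit_identity_service(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```

Running the block against the sample fragment reports three findings (hostname verification off, unused client secret, HS256 allowed); a fragment that keeps the defaults for the TLS and algorithm properties and sets public-client=false produces none.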