by Kaushal Mall


March 26, 2018

On a recent project we were asked to implement an OAuth integration with AEM using Microsoft Azure AD as the server and use it on both the author and publish instances.

AEM OOTB provides Facebook and Twitter OAuth providers and Cloud Service configurations. More details for AEM 6.3 can be found here.

But, since we needed the OAuth flow to work on the author instance as well, the Cloud Service approach won’t work there. Our publish use case was to disable anonymous access and only allow access via OAuth, so we stayed away from using Cloud Services on the publish instances as well.

Below is a list of the classes we implemented:

  • Scribe classes
    • Azure AD OAuth API
      • AEM uses Scribe, this class extends the scribejava DefaultApi20 class.
      • After writing this class, I submitted a PR to the scribejava project and it has now been merged. You can use this code as a reference to create the same in your AEM code base.
    • Azure AD OAuth Service
      • Also included in the PR to the scribejava project
  • That’s all for the non-AEM classes; below are all the AEM-related classes.
    • Azure AD Provider
    • Azure AD Login Selector
      • This class is responsible for redirecting the user to the OAuth server login page, a URL with the format similar to http://localhost:4502/j_security_check?provider=xxxxxx&configid=my-granite-oauth-configid&state=/aem/start.html
      • The Service Ranking for this class needs to be higher than the OOTB LoginSelector
      • In the requestCredentials method, you will need to get the client ID and the config ID from your Granite OAuth Provider configuration. You can use the ProviderConfigManager and ProviderConfig classes for this.
        • for example, providerConfigManager.getProviderConfig("my-granite-oauth-configid");
      • We also had to exclude some URLs from the redirect; for example, if the request is for one of the URLs below, you don’t want it redirected to the OAuth login screen:
        • /libs/granite/core/content/login.html
        • /libs/granite/csrf/token.json
        • /callback/j_security_check
      • This class also replaces the need for having a Cloud Service configuration, but it only works if you want every AEM request to go through this auth provider. If you have a use case similar to allowing a “Social Login”, you will need to create your own Cloud Service configuration.
      • To create a custom Cloud Service configuration, follow the docs and reference the OOTB Facebook and Twitter Cloud Service configurations to create your own.
      • Don’t forget to include the state request parameter in your redirect URI to ensure the users are redirected to the appropriate page after successful login.
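The redirect decision described above (skip the excluded paths, build the j_security_check URL with provider, configid and state), as an added illustration written against plain JDK classes; it is not the post's LoginSelector nor an AEM API. The provider id "azure-ad", the fallback path and the check that state is a site-local path (so it cannot be turned into an open redirect) are assumptions of this example.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;

/** Models the redirect logic of a custom LoginSelector (illustration only). */
public final class AzureAdLoginRedirect {

    // Paths that must never be bounced to the OAuth login screen.
    private static final Set<String> EXCLUDED_PATHS = Set.of(
            "/libs/granite/core/content/login.html",
            "/libs/granite/csrf/token.json",
            "/callback/j_security_check");

    /** True when an unauthenticated request for this path should go to Azure AD. */
    static boolean shouldRedirect(String requestPath) {
        return !EXCLUDED_PATHS.contains(requestPath);
    }

    /** Accept only a site-local path as post-login destination (assumed hardening). */
    static boolean isSafeReturnPath(String state) {
        if (state == null || !state.startsWith("/") || state.startsWith("//")) {
            return false;
        }
        try {
            URI uri = URI.create(state);
            return uri.getScheme() == null && uri.getHost() == null;
        } catch (IllegalArgumentException malformed) {
            return false;
        }
    }

    /** Builds base/j_security_check?provider=...&configid=...&state=... */
    static String buildLoginUrl(String baseUrl, String providerId,
                                String configId, String originalPath) {
        // Fallback landing page is an assumption of this example.
        String state = isSafeReturnPath(originalPath) ? originalPath : "/aem/start.html";
        return baseUrl + "/j_security_check"
                + "?provider=" + enc(providerId)
                + "&configid=" + enc(configId)
                + "&state=" + enc(state);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        System.out.println(buildLoginUrl("http://localhost:4502", "azure-ad",
                "my-granite-oauth-configid", "/aem/start.html"));
        System.out.println(shouldRedirect("/libs/granite/csrf/token.json"));
    }
}
```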

On the OAuth app side, the reply URL needs to be of the format https://host:port/callback/j_security_check.

As always, please let me know if there are any questions.