
I am investigating Nuxeo for a potential large-scale project; our technology choice is an ASP.NET Core Web API with a React UI.

I need a suggestion on how to handle the authentication and authorization part.

Currently I am thinking that whenever a user creates an account, I create an account in our external authentication service and then also create a new user account on the Nuxeo side.

When the user logs in, they first log in via the external service and then I log the same user in to Nuxeo as well.

So whenever the user makes a request, it uses their own logged-in instance to do so.

The suggestions I need are:

  1. Is this approach good? Meaning, creating a new account for each user on the Nuxeo side as well? Or should I just use a superuser (Administrator) and route all requests through that?
  2. If I use the approach where I just create a Client instance with the user Administrator, e.g. new Client(Administrator,Administrator), should I just cache this instance and use the same instance for all requests?

Suggestions or ideas, please!

SomeGuyWhoCodes

1 Answer


The first approach is much better if you want to leverage the ACL management provided by Nuxeo. With the second one, you will need to verify outside Nuxeo whether a given user has access to a certain piece of content or not.

The second approach is the easiest one, but I suggest using the first approach. The way to do this is to create a custom authentication plugin in Java within Nuxeo.

This custom authentication plugin will be responsible for calling your external authentication solution, verifying whether the user is authenticated and, if that is the case, authenticating the user in Nuxeo (or creating them if the user doesn't exist).

Below you will find some examples of how to do this:

https://github.com/michaelgena/nuxeo-unify-sso

https://www.nuxeo.com/blog/guest-post-integrating-single-sign-sso-nuxeo-case-management/

The Nuxeo authentication solution is pluggable, which means that you can add your custom authentication mechanism so that whenever a user tries to connect to Nuxeo, the authentication goes through your custom authentication plugin.

  • Hmm, how could we benefit from the ACL management? I was thinking of creating a group, then creating a folder and setting the permissions for that folder as read and write for that group, so all the members of that group will automatically have certain rights. What else would I need? I am surely missing something, so could you please explain this a bit more? – SomeGuyWhoCodes Jul 18 '17 at 06:02
  • Also, when does the authenticator plugin get called? When we use authentication from the client API? For example, in my case for .NET, when I do new Client("Username","Password"), is that when it gets called? – SomeGuyWhoCodes Jul 18 '17 at 08:56
  • Yes, for the permissions to apply you only need to do what you mentioned, which will work only if you log in with the corresponding user (not if you use a super administrator all the time). Regarding the authentication plugin, it's called regardless of the way you authenticate (through the UI or from the API side). – Michael GENA Jul 29 '17 at 12:19
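As an added illustration of the plugin the answer describes (example code written for this page, not taken from the answer or from the linked nuxeo-unify-sso repository): a Nuxeo authentication plugin that takes a bearer token from the request, verifies it against the external authentication service, refuses anything the service does not confirm, and maps the confirmed subject to a Nuxeo account, provisioning it on first login. Everything about the external service is assumed: an HTTPS endpoint given as the `verifyUrl` parameter that answers `{"active":true,"username":"alice","email":"..."}` for a valid token, a `serviceSecret` parameter so that only Nuxeo can call it, and the hypothetical class and package names. It relies on Nuxeo's `NuxeoAuthenticationPlugin` interface, `UserManager`, and the built-in `Trusting_LM` login module, and assumes Jackson is on the classpath.

```java
package org.example.nuxeo.auth;

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.runtime.api.Framework;

/** Hypothetical plugin: "Authorization: Bearer <token>" -> external verification -> Nuxeo user. */
public class ExternalTokenAuthenticator implements NuxeoAuthenticationPlugin {

    private static final Pattern SAFE_USERNAME = Pattern.compile("^[a-z0-9._@-]{1,64}$");
    private static final ObjectMapper MAPPER = new ObjectMapper(); // Jackson, assumed on the classpath

    private String verifyUrl;     // plugin parameter "verifyUrl" (assumed name), must be https
    private String serviceSecret; // plugin parameter "serviceSecret": lets only Nuxeo call the verifier

    @Override
    public void initPlugin(Map<String, String> parameters) {
        verifyUrl = parameters.get("verifyUrl");
        serviceSecret = parameters.get("serviceSecret");
        if (verifyUrl == null || !verifyUrl.startsWith("https://") || serviceSecret == null) {
            throw new IllegalArgumentException("verifyUrl (https) and serviceSecret are required");
        }
    }

    @Override
    public Boolean needLoginPrompt(HttpServletRequest httpRequest) {
        return Boolean.FALSE; // API-only plugin: never renders a login page
    }

    @Override
    public Boolean handleLoginPrompt(HttpServletRequest req, HttpServletResponse resp, String baseURL) {
        return Boolean.FALSE; // nothing to show; the chain moves on to the next plugin
    }

    @Override
    public List<String> getUnAuthenticatedURLPrefix() {
        return Collections.emptyList();
    }

    @Override
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest req, HttpServletResponse resp) {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            return null; // not our scheme; BASIC_AUTH / FORM_AUTH get their turn
        }
        JsonNode claims;
        try {
            claims = introspect(header.substring("Bearer ".length()).trim());
        } catch (IOException e) {
            return null; // fail closed: an outage of the verifier must not turn into access
        }
        if (claims == null || !claims.path("active").asBoolean(false)) {
            return null; // external service rejected the token
        }
        // The identity comes from the verified reply only, never from a client-supplied username.
        String username = claims.path("username").asText("");
        if (!SAFE_USERNAME.matcher(username).matches() || "administrator".equalsIgnoreCase(username)) {
            return null; // the external service must not be able to hand out the built-in superuser
        }
        String email = claims.path("email").asText("");
        Framework.doPrivileged(() -> ensureUserExists(username, email));
        UserIdentificationInfo ident = new UserIdentificationInfo(username, "");
        ident.setLoginPluginName("Trusting_LM"); // credentials were already checked externally
        return ident;
    }

    private JsonNode introspect(String token) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(verifyUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("X-Service-Secret", serviceSecret);
        conn.getOutputStream().write(("token=" + URLEncoder.encode(token, "UTF-8")).getBytes(StandardCharsets.UTF_8));
        if (conn.getResponseCode() != 200) {
            return null;
        }
        try (InputStream in = conn.getInputStream()) {
            return MAPPER.readTree(in);
        }
    }

    private void ensureUserExists(String username, String email) {
        UserManager um = Framework.getService(UserManager.class);
        if (um.getPrincipal(username) != null) {
            return;
        }
        DocumentModel user = um.getBareUserModel();
        String schema = um.getUserSchemaName();
        user.setProperty(schema, um.getUserIdField(), username);
        user.setProperty(schema, um.getUserEmailField(), email);
        // Only the default group: what the account may see is then decided by ACLs on folders.
        user.setProperty(schema, "groups", Collections.singletonList(um.getDefaultGroup()));
        um.createUser(user);
    }
}
```

The class is registered through the `authenticators` extension point of `org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService`, with `Trusting_LM` as its `loginModulePlugin` and the two parameters above, and then placed in the authentication chain ahead of BASIC_AUTH and FORM_AUTH. With that in place, the ASP.NET Core API forwards each user's bearer token on every Nuxeo call instead of holding one cached Administrator client, so the group-with-read/write-on-a-folder setup from the comments is enforced by Nuxeo per request rather than re-implemented in the API.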