
I'm integrating the Alfresco REST API with an external application, using the latest version of Alfresco configured with Keycloak as an identity server with the open-source module provided by alfresco-keycloak.

Keycloak has been configured with 2 different realms, each one with its own user provider and roles, and Alfresco has been configured with 2 authentication subsystems and different Keycloak adapters:

    -Dauthentication.chain=keycloak1:keycloak,keycloak2:keycloak
    -Dsynchronization.import.cron=\"0 0 0/4 ? * * *\"
    -Dsynchronization.allowDeletions=true"

This configuration works well when logging in through Alfresco Share, chaining across each subsystem until the user logs in successfully.

But the same configuration won't work with the Alfresco public API. When my external application calls an endpoint with a valid Bearer token, Alfresco uses just the first of the two adapters configured, so if my token has been released by the last Keycloak realm it always fails and a 401 error is returned.

I can't find any solution to this problem or any documentation about it. I can't understand if the authorization mechanism used to authorize for the REST API doesn't use the same security chain as Alfresco Share.

Has anybody else had the same problem and found a solution to fix it?

Thanks in advance.

Stefano
