Gentics Mesh comes with support for Keycloak built-in, but I'd like to use Okta instead.
What's best practice?
Would it require modifying Mesh source code?
Or maybe I should handle authentication in a middleware layer?
Or could I implement the AuthServicePlugin to validate a token from Okta?
https://github.com/gentics/mesh/blob/dev/plugin-api/src/main/java/com/gentics/mesh/plugin/auth/AuthServicePlugin.java
Update
I've tried using my Okta server in the mesh.yml config, but an exception is thrown.
This is the OIDC url for my Okta service -
https://{yourOktaDomain}/oauth2/v1/authorize
Unfortunately, the OAuth2 implementation seems to be Keycloak specific -
com.gentics.mesh.core.rest.error.GenericRestException: 500 Internal Server Error oauth_config_error
at com.gentics.mesh.core.rest.error.Errors.error(Errors.java:124)
...
Caused by: java.lang.RuntimeException: Error while loading realm info. Got code {404}
at com.gentics.mesh.auth.MeshOAuth2ServiceImpl.fetchPublicRealmInfo(MeshOAuth2ServiceImpl.java:451)
It looks like it's piecing together a url that won't work for Okta.
https://github.com/gentics/mesh/blob/f85dac8bf954248a6556323d792e6b849fb1d593/services/keycloak-auth/src/main/java/com/gentics/mesh/auth/MeshOAuth2ServiceImpl.java#L434
If I'm not mistaken, the implementation [MeshOAuth2ServiceImpl] can be changed to support any OIDC.
The authentication mechanism has been recently updated.
Gentics Mesh will now take the role of a resource server. It can accept any JWT as long as the public key from the OAuth server has been added.
The plugin API has been updated to provide support for custom mappings between OAuth user and Mesh user. This allows you, for example, to map multiple OAuth2 users to one Mesh user which contains the needed roles/groups. You can also create a 1:1 mapping in which every OAuth2 user will be added to Mesh.
The public keys of the OAuth server can be loaded via the plugin API or hardcoded in a public-keys.json file.
You can read more on this topic here: https://getmesh.io/docs/authentication/#_oauth2_oidc