I wonder if the JWT authentication of Plone is supposed to work with third-party PAS plugins.
In our case, we have a plugin to authenticate against a third-party system, which works under normal usage with Plone. However, I can use the JWT auth of plone.restapi only with native Plone accounts, not with accounts that are managed by our own PAS plugin.
As far as I can tell (testing in Postman, against a home-grown plugin talking to an authentication source that makes a request to an OAuth endpoint and gets a response back):
- the `@login` endpoint works with a custom plugin providing `IAuthenticationPlugin`
- regardless of where `jwt_auth` is in the order of authentication, it works with the `Bearer` token I received in the response from `@login`, giving (this was tested in an integration of Plone 6.1.0a5; I tried this with `source_users` disabled, and GET requests using `Bearer` authorization where an authenticated user was required to get anything but a 403; cookies in Postman were disabled).
I'm guessing there may be corner cases where this could get stuck; it might be worth attempting a pdb breakpoint inside both `extractCredentials` and `authenticateCredentials` of `plone.restapi.pas.plugin.JWTAuthenticationPlugin`.
Edit: to clarify, my authentication source does not use ephemeral users (there is a 1:1 stored user for each user in the external source), so there may be some assumption in PAS where YMMV versus the scenario I described.
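The chain described in the reply above, as an added model that is not Plone's or plone.restapi's code: a PAS-style loop offers each extractor's credentials to every authenticator, so a password-checking plugin backed by an external source and a Bearer-token plugin both get a turn whichever order they sit in. The external user store, the HS256 secret, the request dicts and the plugin class names are all constructed assumptions for this example.

```python
import base64, hashlib, hmac, json
# Constructed stand-ins, not Plone code: an external user store and a JWT plugin's HS256 secret.
EXTERNAL_USERS = {"alice": "correct-horse"}
SECRET = b"demo-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(userid: str) -> str:
    # Models what @login hands back once some authenticator accepted the credentials.
    signing_input = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps({"sub": userid}).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

class ExternalSourcePlugin:
    # Model of the home-grown plugin: the password is checked against the external source.
    def extractCredentials(self, request):
        return {k: request.get(k, "") for k in ("login", "password")} if "login" in request else {}
    def authenticateCredentials(self, creds):
        expected = EXTERNAL_USERS.get(creds.get("login", ""), "").encode()
        ok = expected and hmac.compare_digest(expected, creds.get("password", "").encode())
        return (creds["login"], creds["login"]) if ok else None

class JWTPlugin:
    # Model of a jwt_auth-style plugin: Bearer token in, verified "sub" out.
    def extractCredentials(self, request):
        auth = request.get("Authorization", "")
        return {"token": auth[len("Bearer "):]} if auth.startswith("Bearer ") else {}
    def authenticateCredentials(self, creds):
        try:
            header, payload, sig = creds["token"].split(".")
            expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
            if json.loads(_unb64(header)).get("alg") != "HS256" or not hmac.compare_digest(expected, _unb64(sig)):
                return None  # wrong algorithm or bad signature: refuse, never fall through
            sub = json.loads(_unb64(payload))["sub"]
            return (sub, sub)
        except (KeyError, ValueError):
            return None  # no token, malformed token or undecodable segment

def pas_authenticate(plugins, request):
    # PAS-style chain: each extractor's credentials go to every authenticator, so order only picks who is asked first.
    for extractor in plugins:
        creds = extractor.extractCredentials(request)
        for authenticator in plugins if creds else ():
            result = authenticator.authenticateCredentials(creds)
            if result is not None:
                return result[0]
    return None
```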
Thanks.
I got it working with a few changes to `login.py`. The logic implemented for finding the related plugin for authentication does not directly match our setup, but a customized version does the job for us.