Making OIDC work with Shiro #2423
paulmillar
started this conversation in
General
Replies: 0 comments
Hi,
I'm interested in running some software (Apache Jena Fuseki) where the user authenticates via Open ID Connect (OIDC). Fuseki uses Apache Shiro as the authentication and authorisation layer, so I think this would most naturally work through Shiro's support for OIDC.
From reading the documentation, I understand that, within Shiro's architecture, the mechanism through which a user authenticates is called a realm. Realms are extendable through plugins, allowing Shiro to support many different authentication schemes, provided there is a Shiro-specific realm plugin that implements that authentication scheme.
Therefore, one way to add OIDC support to Fuseki would involve identifying an OIDC realm plugin.
The Shiro documentation doesn't seem to provide a definitive list of available/built-in realms. Some documentation mentions realms in passing, but the best list seems to come from the JavaDoc.
From a cursory scan of the Shiro source code, I found various reasonable realms (LDAP, Jdbc, JNDI, Active directory, ...) but no OIDC support.
Also, the Shiro documentation doesn't seem to have any mention of OIDC. This is puzzling because OIDC is (perhaps) the primary mechanism for supporting federated authentication and is fairly widely adopted in different environments.
Through my investigation, I found the fuseki-oidc repo. This repo seems to provide the code needed to deploy Fuseki so it supports OIDC authentication. The repo appears to include code targeting Shiro, adding support for OIDC; however, I currently lack the knowledge to fully evaluate whether this approach is "correct". Also, the repo appears to be abandoned, with (at the current time) no updates for over five years.
I also found the article Apache Zeppelin OIDC Single-Sign-On using Pac4j and Keycloak. This discusses how to use Shiro's integration with Pac4j along with Pac4j's support for OIDC to add support for OIDC authentication to Zeppelin.
From my (limited) understanding, this approach is technically correct, but it seems to introduce unnecessary complexity by adding an additional layer in front of Shiro: Pac4j.
Another approach might be to use an OAuth2/OIDC filter that intercepts HTTP requests. This would only pass on an HTTP request to Shiro once the user's identity has been established. Information about the user would be forwarded (e.g., via HTTP request headers, JNDI, ...). This, too, would seem to introduce unnecessary complexity.
This issue is regarding the apparent lack of documentation describing how to add OIDC support to an application that uses Shiro.
I'm hoping to learn whether the best approach would be to try to build an OIDC Shiro realm, or to use Pac4j, or to add an OIDC filter, or some other approach.
Cheers,
Paul.
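To make the first option in the post concrete, here is an added example of what a purpose-built OIDC realm for Shiro looks like. It is not code from the discussion, from Apache Shiro, from Fuseki, or from the fuseki-oidc repo. It assumes Apache Shiro 1.5 or later (which ships `org.apache.shiro.authc.BearerToken` and `BearerHttpAuthenticationFilter`) and the Nimbus JOSE+JWT library for parsing and verifying the token; the issuer URL, JWKS path and client id are placeholders. The realm accepts an OIDC token presented as an HTTP bearer credential, verifies the signature against the provider's published keys, pins issuer and audience, checks expiry, and maps the verified `sub` claim to a Shiro principal.

```java
// Added example (not from the discussion or the Shiro/Fuseki projects): a minimal Shiro
// realm that validates an OIDC JWT bearer token and exposes its "sub" claim as the principal.
// Assumptions: Apache Shiro 1.5+ and Nimbus JOSE+JWT; ISSUER, CLIENT_ID and JWKS_URL are placeholders.
import java.net.URL;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

public class OidcBearerRealm extends AuthorizingRealm {

    // Placeholders: the OIDC provider's issuer, the client id registered with it,
    // and the provider's JWKS endpoint (normally taken from its discovery document).
    private static final String ISSUER = "https://idp.example.invalid/realms/demo";
    private static final String CLIENT_ID = "fuseki-client-id-placeholder";
    private static final String JWKS_URL = ISSUER + "/protocol/openid-connect/certs";

    private final DefaultJWTProcessor<SecurityContext> processor;

    public OidcBearerRealm() throws Exception {
        // Signing keys are fetched from the JWKS endpoint and cached by RemoteJWKSet,
        // so key rotation at the provider is picked up without a restart.
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(new URL(JWKS_URL));
        processor = new DefaultJWTProcessor<>();
        // Accept only RS256-signed tokens whose key is published by the provider;
        // this also rejects "alg: none" and HMAC-signed tokens outright.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        // Require "aud" to contain our client id, "iss" to match exactly, and "sub"/"exp" to
        // be present; the verifier rejects expired tokens itself.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                CLIENT_ID,
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                Set.of("sub", "exp")));
        // Only handle tokens produced by Shiro's bearer filter ("Authorization: Bearer <jwt>").
        setAuthenticationTokenClass(BearerToken.class);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String raw = ((BearerToken) token).getToken();
        JWTClaimsSet claims;
        try {
            // Signature, issuer, audience, expiry and required claims are all checked here.
            claims = processor.process(raw, null);
        } catch (Exception e) {
            // Surfaces to the client as 401; the reason stays in the server log only.
            throw new AuthenticationException("OIDC token rejected", e);
        }
        // The verified "sub" claim becomes the principal; returning the raw token as the
        // credential lets Shiro's default credentials matcher accept it unchanged.
        return new SimpleAuthenticationInfo(claims.getSubject(), raw, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Role mapping is an application decision; this example grants every verified
        // subject the "user" role. A real deployment would derive roles from a claim.
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addRole("user");
        return info;
    }
}
```

In `shiro.ini` the realm is registered under `[main]` and the built-in `authcBearer` filter is applied to the protected paths under `[urls]`, so the filter extracts the bearer token and this realm does the verification; no Pac4j layer or front-end filter is needed. Two caveats a deployer should keep in mind: an OIDC ID token carries `aud` equal to the client that requested it, so this realm only accepts tokens issued to Fuseki's own client id (tokens minted for some other client fail the audience check by design), and the token validation rules (allowed algorithm, issuer, audience, expiry) are the whole security boundary of this realm, so none of them should be relaxed to make a particular provider "work".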