Logging in to AEMaaCS instances through access tokens
maciej-majchrzak-wttech opened this issue · 2 comments
Use case:
I want to sync some part of production content of AEMaaCS instance into my Git repository so that developers in the team can work on it on local instances.
Tech details:
AEMaaCS does not allow you to log in using user/password. Instead, access tokens need to be used. Access token can be obtained from AEMaaCS through a dedicated procedure described below. The process is three-step:
- (this is a one-time manual operation) First, obtain service credentials from AEMaaCS. It requires appropriate permissions in AEMaaCS in order to fetch them. It's documented here: https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/authentication/service-credentials.html?lang=en#download-service-credentials. Please note that the credentials are a JSON file containing private keys, so it can be stored in the codebase. However, it could be a mandatory prop of the instance configuration (as part of the `./gradlew props` configuration).
- The actual authentication starts here, and the next two steps should be performed whenever GAP authenticates to AEM. First, generate a JWT token based on the credentials fetched from AEMaaCS. An example Java client which does it can be found here: https://github.com/AdobeDocs/adobe-dev-console/blob/main/samples/adobe-jwt-java/src/main/java/io/adobe/solutions/IMSClient.java
- Using the JWT token, fetch an access token and then use it as a Bearer token in HTTP requests:

      Authorization: Bearer ACCESS_TOKEN

  The Common plugin must be updated to enable such an authentication method.
This feature should be applicable to remote instances only.
Please get in touch if you're struggling with step 1 - I've done it already and can help.
There's also an option to implement a simpler flow which is based on a temporary access token available through Developer Console / Get Local Development Token. It would allow us to perform a single action, as such a token is only valid for a short period. However, this may be suitable for things like ad hoc content sync and does not require storing the service credentials in a secure manner.
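Steps 2 and 3 of the flow above (build the JWT from the service credentials, then post it to IMS for an access token), as an added Go example that is not part of this issue or of the plugin itself; the IMS host, the `/ims/exchange/jwt` path, the JSON field names and the claim layout are assumptions taken from the Adobe sample client and should be checked against your own credentials file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// ServiceCredentials: fields of the downloaded JSON (names assumed from the Adobe sample).
type ServiceCredentials struct {
	ClientID           string   `json:"client_id"`
	ClientSecret       string   `json:"client_secret"`
	TechnicalAccountID string   `json:"technical_account_id"`
	OrgID              string   `json:"org_id"`
	MetaScopes         []string `json:"meta_scopes"` // e.g. ent_aem_cloud_api for AEMaaCS
}
const imsHost = "https://ims-na1.adobelogin.com" // assumed IMS base URL
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildJWT produces the short-lived RS256 JWT that IMS exchanges for an access token.
// key is the private_key PEM from the JSON after pem.Decode + x509.ParsePKCS1PrivateKey.
func BuildJWT(c ServiceCredentials, key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	claims := map[string]interface{}{
		"exp": now.Add(ttl).Unix(), // keep this short: the JWT is used once, for the exchange
		"iss": c.OrgID, "sub": c.TechnicalAccountID,
		"aud": imsHost + "/c/" + c.ClientID,
	}
	for _, s := range c.MetaScopes { // each metascope becomes a boolean claim
		claims[imsHost+"/s/"+s] = true
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// ExchangeForm is the body POSTed to imsHost+"/ims/exchange/jwt"; the reply's access_token
// field is what goes into the "Authorization: Bearer <token>" header.
func ExchangeForm(c ServiceCredentials, jwt string) url.Values {
	return url.Values{"client_id": {c.ClientID}, "client_secret": {c.ClientSecret}, "jwt_token": {jwt}}
}
```

The private key and client secret only ever appear in the signing step and the exchange request body; log the resulting JWT and access token no more than you would a password, since either grants the technical account's access until it expires.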
@maciej-majchrzak-wttech it seems that @jean-khechfe-wttech has something working.
Will be a part of the upcoming 16.0.0 release within the next month.