[keycloak-dev] PicketLink and KC Integration

Pedro Igor Silva psilva at redhat.com
Tue Jul 22 22:27:33 EDT 2014 

Hi All,

   Currently, I'm working in a new identity store to handle tokens issued by a specific IdP. KeyCloak is one of them.

   So far, I'm trying to provide an easy way to integrate KC with PL. But it will also be useful for SAML-based apps.

   My first use case is simple. A REST application provides endpoints protected by roles. The client application authenticates using an IdP (eg.: KC) and invoke the REST endpoints by sending the token on every single request. The application then validates, extract user information from the token and creates a security context for a specific request.

   This identity store will operate in two modes:

       1) Stateless. Useful for applications acting only as a Service Provider. In this case, the app only wants to join a SSO session and use all information provided by a token to perform in-house authorization such as RBAC. Tokens are not persisted and are usually short-lived.

       2) Stateful. Useful for applications that want to use a specific token to invoke 3rd party APIs. In this case, the app wants to login using a social provider (eg.: facebook, github or even KC) and store the token and user information locally for later use. Once stored, the app can retrieve the token and use it to invoke an external API.

   What I did so far is related with #1 and the functionality is covering:

       - Usage of keycloak.js to redirect users to login page and renew tokens.
       - Send KC token in every single request to a specific PL filter that knows how to process tokens.
       - Validate the token and create a security context for an user. Considering KC, the validation involves the expiration time, signature, audience, issuer, etc.
       - Extract from the token identity information such as username, roles, realm, etc.
       - Support authorization checks based on the information extracted from a token.

   I still have some gaps to fill, but I would like to know what are your thoughts about how PL and KC can work together. AFAIK, KeyCloak is more about authentication. If the application wants authorization based on the information from a token (eg.: roles) it must do it by itself. Or you guys already have code for that ?

Thanks.
Pedro Igor

More information about the keycloak-dev mailing list