[keycloak-dev] Openshift Identity Provider for KeyCloak

Bill Burke bburke at redhat.com
Wed Feb 15 09:30:10 EST 2017


redirect_uri is part of the OAuth spec, so it should.  Without a 
redirect URI, the IDP is supposed to abort authentication as this URI is 
validated.  You don't want to deliver an access code to a rogue URL.


On 2/15/17 6:38 AM, Bartosz Majsak wrote:
> OpenShift should authenticate against Keycloak (or another IdP) at least
> for on-prem installations.
>
> This is intended primarily for OSO I believe.
>
> For OpenShift Online I see a use-case for this, but in that case can it not
> just use the OIDC provider?
>
> One issue I can already point out is that when using OIDC provider
> authorization URL created by an AbstractOAuth2IdentityProvider will result
> in bad request from OpenShift OAuth server, as it doesn’t accept
> redirect_uri as a valid request parameter. At least when tested against
> minishift.
>
> On Wed, Feb 15, 2017 at 12:29 PM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> Not sure to be honest. Strictly speaking it should be the other way
>> around. OpenShift should authenticate against Keycloak (or another IdP) at
>> least for on-prem installations. For OpenShift Online I see a use-case for
>> this, but in that case can it not just use the OIDC provider?
>>
>> On 15 February 2017 at 02:46, Bartosz Majsak <bartosz at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> I've implemented Openshift Identity Provider for KeyCloak [1]. Would you
>>> be
>>> interested in getting it upstream?
>>>
>>> Cheers,
>>> Bartosz.
>>>
>>> [1] https://github.com/bartoszmajsak/keycloak-openshift-identity-provider
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>

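A minimal sketch of the check described in the reply above, added here as an illustration and not taken from Keycloak, OpenShift or this thread: an authorization endpoint that requires redirect_uri, compares it by exact string match against the client's registered URIs, and aborts without redirecting on any mismatch. The client ID, URIs and function names are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode

# Constructed client registry (hypothetical client ID and callback URI).
REGISTERED_REDIRECTS = {
    "openshift-broker": {"https://sso.example.test/broker/callback"},
}


class AuthorizationAborted(Exception):
    """The request is rejected and the browser is NOT redirected anywhere."""


def validate_redirect_uri(client_id, values):
    """Return the URI the code may be delivered to, or raise AuthorizationAborted."""
    registered = REGISTERED_REDIRECTS.get(client_id)
    if not registered:
        raise AuthorizationAborted("unknown client")
    # Missing, empty or repeated parameter: abort instead of guessing a target.
    if len(values) != 1 or not values[0]:
        raise AuthorizationAborted("redirect_uri missing or repeated")
    candidate = values[0]
    # Exact string comparison only: no prefix, wildcard or host-only matching,
    # so look-alike hosts and extended paths are rejected.
    if candidate not in registered:
        raise AuthorizationAborted("redirect_uri not registered for client")
    return candidate


def handle_authorization_request(query_string, issue_code):
    """Return ("redirect", url) on success or ("error_page", reason) on abort.

    issue_code is a caller-supplied function (assumption of this example)
    that mints the authorization code for a client.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    client_id = (params.get("client_id") or [""])[0]
    try:
        target = validate_redirect_uri(client_id, params.get("redirect_uri", []))
    except AuthorizationAborted as exc:
        # Render the error locally; never send the browser (or an error
        # response) to a URI that failed validation.
        return ("error_page", str(exc))
    state = (params.get("state") or [""])[0]
    sep = "&" if "?" in target else "?"
    code = issue_code(client_id)
    return ("redirect", target + sep + urlencode({"code": code, "state": state}))
```
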

