[keycloak-dev] Openshift Identity Provider for KeyCloak

Stian Thorgersen sthorger at redhat.com
Mon Feb 20 08:38:12 EST 2017 

Once OpenShift v3 online is up and running will it allow users to register
clients so they can use it as a "social login provider"? If so sure let's
add it and have it by default point to OpenShift Online. We need
documentation added as well as testing though.

Testing:
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/HOW-TO-RUN.md

Docs:
https://keycloak.gitbooks.io/documentation/content/server_admin/topics/identity-broker/social-login.html

On 16 February 2017 at 19:57, Bartosz Majsak <bartosz at redhat.com> wrote:

> redirect_uri is part of the OAuth spec, so it should.
>
> That’s totally correct. My bad, I must have been in a rabbit hole chasing
> bunch of other issues in my code and somehow assumed that was the root
> cause. In fact it works with and w/o it, as redirect uri is configured when
> you register a client in Openshift [1].
>
> But still, I cannot simply use OIDC as it adds openid to the scope and this
> results in Openshift OAuth server complaining about the request - "Invalid
> value: "openid": no scope handler found"
>
> My implementation is based on AbstractOAuth2IdentityProvider and in fact it
> only differs when it comes to extracting profile information (other changes
> done in the project I shared in the opening mail are not feasible to make
> it upstream).
>
> To elaborate a bit on the use-case: our DevTools project will need to have
> an access to user’s OSO resources such as projects and thus we need such
> integration. We can live with SPI extension, but if you feel like it would
> be beneficial to the project I’m more than happy to contribute this piece
> (and improved based upon feedback from the PR).
>
> Cheers,
> Bartosz.
>
> [1]
> https://docs.openshift.org/latest/architecture/additional_concepts/
> authentication.html#oauth-clients
>>
> On Wed, Feb 15, 2017 at 3:30 PM, Bill Burke <bburke at redhat.com> wrote:
>
> > redirect_uri is part of the OAuth spec, so it should.  Without a
> > redirect URI, the IDP is supposed to abort authentication as this URI is
> > validated.  You don't want to deliver an access code to a rogue URL.
> >
> >
> > On 2/15/17 6:38 AM, Bartosz Majsak wrote:
> > > OpenShift should authenticate against Keycloak (or another IdP) at
> least
> > > for on-prem installations.
> > >
> > > This is intended primarily for OSO I believe.
> > >
> > > For OpenShift Online I see a use-case for this, but in that case can it
> > not
> > > just use the OIDC provider?
> > >
> > > One issue I can already point out is that when using OIDC provider
> > > authorization URL created by an AbstractOAuth2IdentityProvider will
> > result
> > > in bad request from OpenShift OAuth server, as it doesn’t accept
> > > redirect_uri as a valid request parameter. At least when tested against
> > > minishift.
> > > ​
> > >
> > > On Wed, Feb 15, 2017 at 12:29 PM, Stian Thorgersen <
> sthorger at redhat.com>
> > > wrote:
> > >
> > >> Not sure to be honest. Strictly speaking it should be the other way
> > >> around. OpenShift should authenticate against Keycloak (or another
> IdP)
> > at
> > >> least for on-prem installations. For OpenShift Online I see a use-case
> > for
> > >> this, but in that case can it not just use the OIDC provider?
> > >>
> > >> On 15 February 2017 at 02:46, Bartosz Majsak <bartosz at redhat.com>
> > wrote:
> > >>
> > >>> Hi,
> > >>>
> > >>> I've implemented Openshift Identity Provider for KeyCloak [1]. Would
> > you
> > >>> be
> > >>> interested in getting it upstream?
> > >>>
> > >>> Cheers,
> > >>> Bartosz.
> > >>>
> > >>> [1] https://github.com/bartoszmajsak/keycloak-
> > openshift-identity-provider
> > >>> _______________________________________________
> > >>> keycloak-dev mailing list
> > >>> keycloak-dev at lists.jboss.org
> > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>>
> > >>
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list