[keycloak-user] authentication provider and login override questions

[Johan Bos]

See inline,

Le 15/12/2015 17:35, Bill Burke a écrit :
>
> On 12/15/2015 8:36 AM, Johan Bos wrote:
>> Hi,
>>
>> I can see KeyCloak allows to define authentications based on SAML protocol.
>> My requirements are:
>> a set of application/client secured by a KeyCloak server
>> role/group defined in Keycloak
>> user/pass synchro from ActiveDirectory (optional - surely some mapping
>> to retrieve some information)
>>
>> We need keycloak and like it: for the user management and authentication
>> solution it provides to an application, in a simple way.
>>
>> 1) When an SSO is already in place.
>> As the apps we provide sometime, but not always is being integrated in a
>> customer env. that already using an SSO solution, I would like to know
>> if my understanding is right:
>> does the authentication module in keycloak where you can define an SAML
>> providers will delegate the SSO/login part to an external solution that
>> will handle for him the authentication?
>> Possible SSO is: "Ping", it says they are SAML compatible, does it means
>> I only need the SSO URL and logout URL to try it?
>>
> Are you sure you need Keycloak server?  Your best bet, IMO, is to just
> use the already deployed SSO solution if you can't swap it out for
> Keycloak.  Our SAML client adapter should work with that SSO solution.
Well yes, since we are not only focusing on that customer and we want to 
propose a solution that handle user/group/auth by itself.
So my understanding is right about the client adapter, it delegates.
I am testing Keycloak and other solution but that does not provide OOTB 
solution for user/group management, would be shiro, we used it before 
and it is well for integration into an existing ecosystem but when there 
is none, we want something to propose and keycloak remove a good part of 
the authentication issue.
>> 2)  Since keycloak provides for SSO the login pages.
>> How do you integrate it with an application (angular/J2ee) that already
>> have its own? Without removing it.
>>
> Keycloak login pages are themable.  You can change their look and feel.
>    You can't reuse an existing app's login pages.
>
I understood that, so I means that a good part of handling on our apps 
to manage keycloak is needed to have an autoconnect flow that avoid our 
internal login.
>> Do you keep on basic J2EE setup so any client url would be secure, then
>> once authorized, the apps will continue to bring up its own login page?
>> Does it mean the app should have a filter to implies some auto-connect
>> so client side does not try to bring the login and instead consider the
>> user connected?
>> or does it mean using keycloak.js and follow some angular example where
>> upon loading we first make everything from the JS side and make no
>> change on the Java Apps?
>>
> Use keycloak.js with your angular appp.  There are examples that come
> with the distribution that show how to do this.
I will. My question was more, is it the right approach or can this be 
done on the J2EE part with servlet filter only.
I suppose only me can answer this.
>> 3) I tried to override the login flow, to make my own authenticator. I
>> could see multiple way to do it. My requirement is to have a
>> supplementary field on the login page, because I need to authenticate
>> and validate my username/pass/repo to a REST API that must be access in
>> a secured way all the time, prior to give access to my clients/realm.
>>
>> In order to make this, I ended up providing my own template (ftl) but
>> then I could no longer use the login.username in it since the
>> createResponse (normal cases) is the only one to take the formDatas and
>> load in attributes the LoginBean with it. I was using my-page.ftl so
>> could not use the createLogin, instead I was using createForm
>> So even when I set the attribute with "login" key based on the
>> loginBean, login.username was triggering an error.
>>       forms.setAttribute("login", new LoginBean(formData));
>>
>> So Whatever, I simply used "username" directly and it worked, but I
>> don't know to which extend nor why. I have some missing on freemarker
>> api and how you compiling it with POJO beans in a Map.
>>
> I am not following you at all :)
That was more a code diving question that I had to make to understand 
the way it works. Even after that I still don't get why from your login 
template you can access login.username, and I can't with mine.
>
>> 3bis) For my suppl. field, I need a dropdown box and freemarker would
>> need a collection to loop over. I though I would have to pass a list of
>> POJO (to create a dropbox) to the "attributes" that is being used to
>> compile my template. In my template, I used "#list", but I could not get
>> it to recognize my bean nor loop on it. It always consider it as not
>> present.
>>
>> Here a sample of my authenticator that produce the new login form:
>>
> I could not reproduce your problem.  I did the following to the
> examples/providers/authenticator example:
>
> * Edit line 42 of SecretQuestionAuthenticator:
>
>           Response challenge = context.form().setAttribute("foo",
> "bar").createForm("secret-question.ftl");
>
>
> * Edit line 11 of secret-question.ftl
>
> <label for="totp" class="${properties.kcLabelClass!}">What is your mom's
> first name ${foo}</label>
>
> added ${foo} and it prints out fine.
>
Yes, that the basic string, it works for me too, when I pass from my 
example the default value for repository.
But my Object being not just a string, instead a List<Repository> repos 
where Repository has name attribute

context.form().setAttribute("repositories",
repos )
context.form().setAttribute("repository",
"default" )


I then tried in my template to do something like
#list repositories as repo
${repo.name}

The If test is not seeing the "repositories" corresponding value object.

Can we only use string? If so, how do you pass for the social 
registration the list of social providers?
>
>

Thanks for you prompt answer and the hard time you got to follow me.

-- 
Regards,

Johan Bos


-------------- next part --------------
A non-text attachment was scrubbed...
Name: johan_bos.vcf
Type: text/x-vcard
Size: 335 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20151215/9127d0ba/attachment.vcf