[keycloak-user] User-Federation

Stian Thorgersen sthorger at redhat.com
Fri Feb 12 02:57:13 EST 2016


On 11 February 2016 at 17:51, Scott Rossillo <srossillo at smartling.com>
wrote:

> Hi,
>
> The example omits securing the endpoints for simplicity in demonstrating the
> concepts. I’d suggest using some type of security on the legacy
> system if the endpoints are publicly accessible, though.
>

There's this thing called Keycloak that may be useful for that ;)


>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Feb 11, 2016, at 9:35 AM, Reed Lewis <RLewis at carbonite.com> wrote:
>
> The endpoint that is used by the federation provider is only called from
> Keycloak, so you can run it on localhost on the keycloak machine if that is
> going to work for you.
>
> OTOH, if you need to run it on a different machine, you can lock down the
> endpoint to only be accessible from the Keycloak server.
>
> End users never call the endpoint I documented.
>
> Reed
>
> From: <darkness.renann at gmail.com> on behalf of Renann Prado <
> prado.renann at gmail.com>
> Date: Thursday, February 11, 2016 at 8:17 AM
> To: Reed Lewis <RLewis at carbonite.com>
> Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>,
> Stuart Jacobs <stuart.jacobs at symbiotics.co.za>
> Subject: Re: [keycloak-user] User-Federation
>
> Everyone*
> On Feb 11, 2016 11:16, "Renann Prado" <prado.renann at gmail.com> wrote:
>
>> Is there any recommended way to make sure these endpoints won't be
>> spammed by an attacker? Looks like these endpoints need to be open to
>> anyone.
>>
>> Thanks
>> On Feb 3, 2016 11:18, "Reed Lewis" <RLewis at carbonite.com> wrote:
>>
>>> If you use the federation provider listed here:
>>>
>>> [0]: http://tech.smartling.com/migrate-to-keycloak-with-zero-downtime/
>>> [1]: https://github.com/Smartling/keycloak-user-migration-provider
>>>
>>> You can specify a URL that will be called when a user needs to be
>>> validated.
>>>
>>> There are three requests that need to be implemented in your server.
>>>
>>> GET <baseURL>/api/users/<username>/
>>> If the user exists, it should return a 200 with a json object with the
>>> return type “application/json” with the following fields:
>>> username
>>> email
>>> emailVerified
>>> firstName
>>> lastName
>>> roles [“user”]
>>>
>>> If the user does not exist, return a 404
>>>
>>> HEAD <baseURL>/api/users/<username>/
>>> Always return 200
>>>
>>> POST <baseURL>/api/users/<username>/
>>> The password is posted to you in a json object.
>>> Return 200 if the password is OK, 401 if not.  In both cases return no
>>> data.
>>>
>>> I wrote a small python module which implements these methods which works
>>> quite well.
>>>
>>> Reed
>>>
>>> From: <keycloak-user-bounces at lists.jboss.org> on behalf of Stuart
>>> Jacobs <stuart.jacobs at symbiotics.co.za>
>>> Date: Wednesday, February 3, 2016 at 2:40 AM
>>> To: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>>> Subject: [keycloak-user] User-Federation
>>>
>>> Hi Everyone,
>>>
>>> I have an application that runs on a postgresql database, keycloak has
>>> been configured and has created all the required tables/columns in my
>>> schema using liquibase on start up of the keycloak server.
>>>
>>> I need to authenticate users using the project's existing user table
>>> obtaining the username and password from this table.
>>>
>>> I have had a look at the federation provider project under the example
>>> projects but this still eludes me as to how I change the keycloak mapping
>>> to use my own tables in postgres?
>>>
>>> Can someone please point me in the right direction or if someone has
>>> implemented such a solution please share how you have done it?
>>>
>>> Thanks everyone.
>>>
>>>   Regards,
>>>   Stuart Jacobs
>>>
>>> www.symbiotics.co.za
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>