[keycloak-user] Fwd: Login a Java Fat Client with Windows Kerberos Token against Keycloak backed by AD?

Malte Finsterwalder inofi at gmx.net
Thu Jun 8 10:47:11 EDT 2017


Hi Marek,

thanks for the quick response.

Do you have an ID for the Jira bug? I couldn't find it.

I must say I'm completely new to Keycloak and Kerberos etc.

I noticed that the keycloak-authz-client uses an http-client under the
hood. Do I understand correctly that the server still recognizes this type
of client as something different and uses the "Direct Grant" Authentication
flow and not the "Browser" flow?

So I would have to create a new Authenticator SPI implementation that is
then deployed on the Keycloak server and integrated into the "Direct
Grant"-Flow to integrate Kerberos Authentication into this flow?

And do I also have to program something into the client?

Would it also be feasible to access Keycloak like a browser instead? Since
then Keycloak already supports Kerberos SSO, as far as I know.
Or why is the Fat Client using a completely different flow in the first
place?

Greetings,
   Malte

On 7 June 2017 at 22:04, Marek Posolda <mposolda at redhat.com> wrote:

> It's not yet supported OOTB. There has already been a JIRA open for a long
> time. Feel free to add a vote :)
>
> However it should already be possible to implement it if you write a custom
> authenticator and put it into the "Direct Grant Flow" authentication flow
> for the realm. Then your Java Fat Client will be able to send the token in
> the "Authorization: Negotiate token" header and your authenticator can then
> authenticate this request. Feel free to send a PR if you manage to have it
> working.
>
> See our docs and examples for Authentication SPI for more details.
>
> Marek
>
>
> On 07/06/17 15:13, Malte Finsterwalder wrote:
>
>> Hi,
>>
>> I have the following setup:
>>
>> I'm programming a Java Fat Client application. I want to integrate it into
>> SSO with Keycloak.
>> Our Keycloak is connected to our Windows Active Directory (AD).
>>
>> So my idea is that my Fat Client uses the Windows 7 Kerberos Token and
>> sends that to Keycloak. Keycloak should authorize the token against the AD
>> and send back an authorization token to the Fat Client, so I can later use
>> this Keycloak token to access other Rest-Services.
>>
>> Fat Client (with Kerberos Token) -> Keycloak -> AD
>> Fat Client (with Keycloak Token) -> REST-Service
>>
>> I can't find anything in the documentation regarding this scenario.
>> Is this possible? And if so, how?
>>
>> Greetings,
>>     Malte
>
>
>

