[keycloak-user] KeyCloak as an OIDC

Anton kurrent93 at gmail.com
Fri Sep 15 04:23:07 EDT 2017


Hi Stian

Clearly you know more about this than I. But from my limited knowledge, an
Identity Provider that supports the OIDC Protocol allows clients to
"receive information about authenticated sessions and end-users." This
would mean that the Identity Provider presumably needs to make user
information available in a specific format or schema.

Therefore, I am assuming there would be some specific data modeling
requirements in the custom Identity Provider.

The best example I could find of this is
https://github.com/mitreid-connect/ldap-openid-connect-server
On 15 September 2017 at 19:30, Stian Thorgersen <sthorger at redhat.com> wrote:

> I'm not following... What you want is to secure your applications with
> Keycloak using the OIDC protocol? If so, just create a client for it in the
> realm and away you go..?
>
> On 14 September 2017 at 21:25, Y Levine <ylevine20 at gmail.com> wrote:
>
>> Yes --- looking for similar....
>>
>> KeyCloak is the OIDC Identity Provider --- Applications integrate against
>> KeyCloak via OIDC --- users would authenticate directly against the login page
>> on KeyCloak and are redirected back to the SP..... à la the Google login process to
>> Stackoverflow (however, in this case KeyCloak is the IDP for our
>> organization's login/password).
>>
>> If there are steps that describe how the above can be configured, it will be
>> much appreciated.
>>
>>
>> On Thu, Sep 14, 2017 at 3:04 AM, Anton <kurrent93 at gmail.com> wrote:
>>
>> > I can't speak for OP, but it sounds like a question I asked a while ago:
>> >
>> > I'm looking to build an application (identity provider) that will have
>> > user accounts. So, whereas the typical example is a user linking their
>> > Facebook or LinkedIn account to a Keycloak account, I'm interested in
>> > making an Identity Provider, comparable to Facebook or LinkedIn, in terms of
>> > supporting the OIDC protocol, so that users can link these accounts.
>> >
>> > Users should then be able to link their account to a parent account.
>> >
>> > I have been reading
>> > http://www.keycloak.org/docs/3.1/server_development/topics/identity-brokering/account-linking.html
>> > and see that this is possible.
>> >
>> > I have a few questions. On the docs it says:
>> >
>> > > The application must already be logged in as an existing user via the
>> > > OIDC protocol
>> >
>> > How does an application log in as a user?
>> > Does this mean the user must be logged into the Identity Provider
>> > application?
>> >
>> > Am I correct in assuming the Identity Provider application needs to
>> > implement the OIDC Protocol? Is this something Keycloak can do? Are there
>> > any examples of this?
>> >
>> > On 14 September 2017 at 21:29, Simon Payne <simonpayne58 at gmail.com> wrote:
>> >
>> > > I think the OP is referring to identity brokering, where Keycloak is used
>> > > to broker other identity providers which follow the OIDC protocol. One
>> > > of these brokered identity providers can be another Keycloak server.
>> > >
>> > > On Thu, Sep 14, 2017 at 10:16 AM, Sebastien Blanc <sblanc at redhat.com> wrote:
>> > >
>> > > > As Stian said, KC is already an OIDC IdP; nothing to do here. Once your
>> > > > realm has been created, you can see the OIDC endpoints here:
>> > > >
>> > > > /auth/realms/your_realm/.well-known/openid-configuration
>> > > >
>> > > > Or was this not the question?
>> > > >
>> > > > Sebi
>> > > >
>> > > > On Thu, Sep 14, 2017 at 12:15 AM, Anton <kurrent93 at gmail.com> wrote:
>> > > >
>> > > > > I'm also interested in this.
>> > > > > If I understand the OP's question correctly, he wants to know how to
>> > > > > be an Identity Provider that supports the OIDC Protocol.
>> > > > >
>> > > > > For example, in the section on user-initiated linked accounts, the
>> > > > > example is that the user links their Facebook account. How to create
>> > > > > an equivalent, OIDC-ly speaking, of Facebook?
>> > > > >
>> > > > > On 13 September 2017 at 15:41, Stian Thorgersen <sthorger at redhat.com> wrote:
>> > > > >
>> > > > > > What are you actually trying to do? Keycloak is an OIDC IDP
>> > > > > >
>> > > > > > On 12 September 2017 at 17:59, Y Levine <ylevine20 at gmail.com> wrote:
>> > > > > >
>> > > > > > > I have read
>> > > > > > > http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/oidc-overview.html
>> > > > > > >
>> > > > > > > I may have misread, as it appears to list connectors to KeyCloak's
>> > > > > > > OIDC....but how do we configure KeyCloak to be the OIDC IdP?
>> > > > > > > _______________________________________________
>> > > > > > > keycloak-user mailing list
>> > > > > > > keycloak-user at lists.jboss.org
>> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > > > > > >
>>
>
>
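
Sebastien's pointer to the realm's discovery document suggests a sanity check a relying party can run before trusting a Keycloak realm as its IdP: confirm that the advertised issuer matches the realm URL the document was fetched from and that every endpoint lives on that issuer over HTTPS. This is an added example, not code from the thread or from Keycloak; the host, realm name and document contents are constructed, with the endpoint paths following Keycloak's `/protocol/openid-connect/` layout.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the document Keycloak serves at
# /auth/realms/<realm>/.well-known/openid-configuration. Field names follow
# OIDC Discovery; host, realm and values are made up for this example.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/demo",
    "authorization_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/certs",
    "end_session_endpoint": "https://sso.example.test/auth/realms/demo/protocol/openid-connect/logout",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(raw: str, base_url: str, realm: str) -> list:
    """Return a list of problems found in a discovery document; [] means it
    is consistent with the realm the relying party expects to talk to."""
    doc = json.loads(raw)
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    if problems:
        return problems
    # OIDC Discovery: the issuer must equal the URL the document was fetched
    # from, minus the /.well-known/openid-configuration suffix.
    expected_issuer = f"{base_url.rstrip('/')}/auth/realms/{realm}"
    if doc["issuer"] != expected_issuer:
        problems.append(f"issuer {doc['issuer']} != expected {expected_issuer}")
    origin = urlparse(doc["issuer"])
    for key, value in doc.items():
        if not key.endswith(("_endpoint", "_uri")):
            continue
        u = urlparse(value)
        if u.scheme != "https":
            problems.append(f"{key} is not https")
        if u.netloc != origin.netloc:
            problems.append(f"{key} host {u.netloc} differs from issuer host")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("unsigned ('none') ID tokens advertised")
    return problems


if __name__ == "__main__":
    print(check_discovery(SAMPLE_DISCOVERY, "https://sso.example.test", "demo"))
```

Against a live realm, fetch `<base_url>/auth/realms/<realm>/.well-known/openid-configuration` over TLS and pass the response body as `raw`.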

