[keycloak-user] Wrap a Legacy Identification / Authentication Service

[Logan HAUSPIE]

Hello there,

I'm a french guy so forgive my poor english.
I'm very new to Keycloak. I know a bit of things about OAuth2 but not usual
to tweak it with Plugins/Provider/Mapper and so on.
So you maybe could help me.



My Legacy Service
-------------------------------------------------------------------
Input (application/x-www-form-urlencoded) :
    login
    password
    flag

Output JSON :
{
    "identity": {
        "civilite": "Mr",
        "email": "",
        "iad": "USER_IDENTIFIER",
        "mes": "",
        "nom": "HAUSPIE",
        "prenom": "Logan",
        "rcd": "ACC",
        "sid": "0MZvh5mJVfQ5sPsZS10JW6mcTQPGxJSJzy2J6" <1>
    }
}
<1> This is the JSessionID, so it's a session-specific data, not
user-specific data

or this one if something goes wrong :
{
    "identity": {
        "rcd": "ERR",
    }
}

My purpose is to implement OAuth2 (OIDC) based on my legacy service without
modifying it and without migrating all my users to Keycloak local storage.
I also want to add all these properties (especially sid) to the access
token at `LOGIN` time but it's maybe another topic, or not.



My Keycloak installation
-------------------------------------------------------------------
Version 3.4.3.Final with Docker
Java 8 developper



What I've already tried
-------------------------------------------------------------------
I found some information about that here :
 - https://github.com/keycloak/keycloak/tree/master/examples/providers
 - http://lists.jboss.org/pipermail/keycloak-user/2016-June/006470.html
(too old to be usefull because it deals with UserFederationProvider that
does not exist anymore in 3.4.3.Final version)
 - https://github.com/Smartling/keycloak-user-migration-provider (too old
to be useful, for same reason)

Authenticator doesn't seem to be what I need (according to this maybe too
old answer :
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006470.html)
because I don't want to add some additionnal authentication
information/form. Maybe I'm wrong.

So according to this documentation about "[migrating from an earlier
UserFederationProvider](
http://www.keycloak.org/docs/3.4/server_development/#migrating-from-an-earlier-user-federation-spi)"
and based on my previous research, I tried to write my own implementation
of UserLookupProvider mixin CredentialInputValidator (a.k.a.
UserStorageProvider) to call my legacy service.

The first problem is that when Keycloak is calling getUserByUsername it
doesn't provide the user password so I'm not able to get the user
information from my legacy service at this time.
The second problem is that getUserByUsername is called before isValid so I
can't "store" the user password during the call to isValid in order to use
it in getUserByUsername.



Secondary subject
-------------------------------------------------------------------
During these tries, I tested to inject a random JSessionID data into
UserModel.attribute map but this data is "stored" (I don't know how and
why).
So when I log in again (using the authorization code grant flow) the
getUserByEmail method of my Provider is not called again so the JSessionID
is not updated.
As far as I understand, adding information inside UserModel.attribute map
makes this information user-specific and not session-specific.

I need to request my Legacy Authentication Service on each login to update
the JSessionID coming from the legacy service.



My Questions
-------------------------------------------------------------------
Am I on the wrong way about calling my legacy service?
Did I miss something in the identification/authentication sequence of
Keycloak?
Is there an other way to do what I need to do ?

How to inject session-specific data as claim inside JWT ?



Thank's in advance for your valuable support.
Best regards,
*Logan HAUSPIE*