[keycloak-user] OIDC biometrics authentication

Tue Sep 4 18:25:57 EDT 2018

Hi here!

I'm new in this space, my sincere apologies if my language is ambiguous or
not precise.

What I'm trying to achieve:
Identify users with biometrics. Specifically the identification part from
png image => userId will be done by internal system. keycloak here will use
the
back channel(rest call) to communicate with internal identification system.
the happy path
will produce token and 401 otherwise.

Here is how I anticipate keycloak to be called :

require 'httparty'
require 'jwt'
require 'securerandom'
require 'base64'

result =  HTTParty.post(
    "http://......../auth/realms/face-idf/protocol/openid-connect/token",
  :body => {
    :grant_type => :password,
    :client_id => "56a4acc2",
    :client_secret => "ea539549",
    :request => {
                "imageFormat"=>"png",
                "base64image"=> "R0lGODlbEh.....more...here...AAOw=="
        }.to_json.to_s
  },
  :headers => { 'Accept' => "application/json" },
)
pp JSON.parse(result.body)

I tried 2 options and one succeeded so far.

option 1: extend Authenticator call inside authenticate()

this option implies that users are available in keycloak. in my case
keycloak is just fronting my real identity management system. I've tried
to return InMemoryUserAdapter but there is code down stream which goes
to cache and persistence and if it cannot be found then it blows with
unexpected AuthenticationExecption.

Workaround:
UserModel userModel = KeycloakModelUtils
.findUserByNameOrEmail(context.getSession(), context.getRealm(), memberId);

        if(userModel == null){
            userModel = context.getSession()
            .userStorageManager().addUser(context.getRealm(), memberId);
            userModel.setUsername(memberId);
            userModel.setEnabled(true);
        }

    Status: Seems unnecessary but it works end to end.

option 2: extend PropertyFileUserStorageProvider call inside isValid()

this seems better fit for external identities. though could not
figure out from docs how do i get a custom UserCredentialModel
for biometrics. if i try to hijack grant_type=password and
username/password is missing then it fails before my isValid() gets
called.

Status: Could not get this to work

The documentation and code were very helpful to hit the ground running.
I understand my use case is not what keycloak does by default, but man,
I'm impressed what it can do.

I would not be surprised if I'm over thinking this :)

Have a couple questions:
0) is ruby above oauth/oidc compliant ? could not find anything on
oauth/oidc rfc or google
1) is grant_type => :password appropriate for external biometrics
identification
context ?
2) if I try federation how do I get access to biometrics from request ?

Any suggestion, hint, advice of how to enable keycloak to accept biometric
identification
requests is highly appreciated!

Thank you,
Ruslan