[keycloak-user] Using the Keycloak Client Adapter for JBOSS as a Relying Party (RP) to a non-keycloak OpenID Provider (OP)

Doyle Collings Doyle.Collings at zionsbancorp.com
Fri Sep 14 01:06:05 EDT 2018


Is it possible to use the Keycloak Client Adapter for JBOSS as a Relying Party to a non-keycloak OpenID Provider? My CA Single Sign-On (Siteminder) OP uses the following endpoints:
  "authorization_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/authorize",
  "token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/token",
  "userinfo_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/userinfo",
  "validate_token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/introspect",
  "revoke_token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/revoke",
  "jwks_uri": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev"


The Keycloak Client Adapter does not allow me to use those exact URLs. It builds the URLs, based on the auth-server-url and the realm specified within the <subsystem> element in my standalone.xml, using the following code in the package org.keycloak.constants:


public interface ServiceUrlConstants {

    // Every path is appended to auth-server-url, with {realm-name} replaced by the configured realm.
    public static final String AUTH_PATH = "/realms/{realm-name}/protocol/openid-connect/auth";
    public static final String TOKEN_PATH = "/realms/{realm-name}/protocol/openid-connect/token";
    public static final String TOKEN_SERVICE_LOGOUT_PATH = "/realms/{realm-name}/protocol/openid-connect/logout";
    public static final String ACCOUNT_SERVICE_PATH = "/realms/{realm-name}/account";
    public static final String REALM_INFO_PATH = "/realms/{realm-name}";
    public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/register-node";
    public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/unregister-node";
    public static final String JWKS_URL = "/realms/{realm-name}/protocol/openid-connect/certs";

}


I am thinking that I can edit the source code so that if https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc is entered as my auth-server-url in the standalone.xml, I could achieve the following needed endpoint URLs:
  "authorization_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/authorize"
  "token_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/token"
  "userinfo_endpoint": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/userinfo"
  "jwks_uri": "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev"



using the following altered source code:

    public static final String AUTH_PATH = "/authorize";
    public static final String TOKEN_PATH = "/token";
    public static final String TOKEN_SERVICE_LOGOUT_PATH = "/realms/{realm-name}/protocol/openid-connect/logout";
    public static final String ACCOUNT_SERVICE_PATH = "/userinfo";
    public static final String REALM_INFO_PATH = "/realms/{realm-name}";
    public static final String CLIENTS_MANAGEMENT_REGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/register-node";
    public static final String CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH = "/realms/{realm-name}/clients-managements/unregister-node";
    public static final String JWKS_URL = "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev";



Is my logic flawed? Or does anybody know of another OIDC Client Adapter for JBOSS that can be used as a Relying Party for a non-Keycloak OpenID Provider?



Thank you for your help.

Doyle Collings

Distributed Services Application Engineer and Single Sign-On Implementer/Administrator

Zions Bancorporation
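Before patching adapter constants, the check a practitioner wants is a side-by-side comparison of every URL the adapter would derive (auth-server-url + path template with {realm-name} substituted, the rule described in the post) against what the OP actually advertises. The script below is an added example, not Keycloak code and not from the post's author: it models only that substitution rule, builds a stand-in discovery document from the endpoint list quoted above (constructed, not fetched), and assumes that the adapter's logout template corresponds to the OP's end_session_endpoint. The realm name "myrealm" is a placeholder.

```python
"""Cross-check adapter-derived OIDC endpoints against what the OP advertises.

Added example; not Keycloak code.  It reproduces only the rule
"auth-server-url + path template, {realm-name} filled in" from the post.
"""
from urllib.parse import urlsplit

# Path templates as quoted from org.keycloak.constants.ServiceUrlConstants in
# the post, keyed by the discovery-document field that names the same endpoint.
# logout -> end_session_endpoint is an assumption; the constant list has no
# userinfo entry at all (ACCOUNT_SERVICE_PATH is the account page, not userinfo).
KEYCLOAK_TEMPLATES = {
    "authorization_endpoint": "/realms/{realm-name}/protocol/openid-connect/auth",
    "token_endpoint":         "/realms/{realm-name}/protocol/openid-connect/token",
    "end_session_endpoint":   "/realms/{realm-name}/protocol/openid-connect/logout",
    "jwks_uri":               "/realms/{realm-name}/protocol/openid-connect/certs",
}

# The altered constants proposed in the post.
ALTERED_TEMPLATES = {
    "authorization_endpoint": "/authorize",
    "token_endpoint":         "/token",
    "end_session_endpoint":   "/realms/{realm-name}/protocol/openid-connect/logout",
    "jwks_uri":               "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev",
}

OP_BASE = "https://smfed-dev.testqa.zionsbank.com/affwebservices/CASSO/oidc"

# Constructed stand-in for the OP's discovery document, built from the endpoint
# list in the post.  Note that no end_session_endpoint is advertised there.
SAMPLE_DISCOVERY = {
    "authorization_endpoint": OP_BASE + "/authorize",
    "token_endpoint": OP_BASE + "/token",
    "userinfo_endpoint": OP_BASE + "/userinfo",
    "validate_token_endpoint": OP_BASE + "/introspect",
    "revoke_token_endpoint": OP_BASE + "/revoke",
    "jwks_uri": OP_BASE + "/jwks?AuthorizationProvider=ZNBC-CASSO-Auth-Authorization-Provider-Dev",
}


def resolve(auth_server_url, realm, template):
    """Apply the adapter's rule: auth-server-url + template, {realm-name} filled in."""
    return auth_server_url.rstrip("/") + template.replace("{realm-name}", realm)


def derive_endpoints(auth_server_url, realm, templates=KEYCLOAK_TEMPLATES):
    """Every endpoint URL the adapter would call for this auth-server-url and realm."""
    return {name: resolve(auth_server_url, realm, tpl) for name, tpl in templates.items()}


def same_origin(url_a, url_b):
    """True when scheme and host[:port] agree; codes and tokens must only ever go to the OP's origin."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def compare_with_discovery(derived, discovery):
    """Return {field: (derived_url, advertised_url_or_None)} for each derived
    endpoint that the OP does not advertise at exactly that URL."""
    mismatches = {}
    for name, url in derived.items():
        advertised = discovery.get(name)
        if advertised != url:
            mismatches[name] = (url, advertised)
    return mismatches


def report(auth_server_url, realm, templates, discovery):
    """Print a per-endpoint verdict and return the mismatch dict."""
    derived = derive_endpoints(auth_server_url, realm, templates)
    mismatches = compare_with_discovery(derived, discovery)
    for name, url in derived.items():
        if name not in mismatches:
            print(f"ok        {name}: {url}")
            continue
        advertised = mismatches[name][1]
        if advertised is None:
            print(f"MISSING   {name}: adapter would call {url}; OP advertises no such endpoint")
        elif not same_origin(url, advertised):
            print(f"ORIGIN    {name}: {url} vs {advertised}")
        else:
            print(f"MISMATCH  {name}: {url} vs {advertised}")
    return mismatches


if __name__ == "__main__":
    print("== unmodified adapter constants ==")
    report(OP_BASE, "myrealm", KEYCLOAK_TEMPLATES, SAMPLE_DISCOVERY)
    print("== altered constants from the post ==")
    report(OP_BASE, "myrealm", ALTERED_TEMPLATES, SAMPLE_DISCOVERY)
```

Run as-is, the unmodified constants mismatch on every endpoint, which is the problem the post describes. The altered constants line up for authorize, token and jwks, but the logout template still resolves to a /realms/myrealm/... path that the OP's endpoint list does not advertise, so that path would need the same treatment or the adapter's logout would go nowhere useful. Against a real deployment, replace SAMPLE_DISCOVERY with the JSON fetched from the OP's own discovery URL (the standard location is /.well-known/openid-configuration under the issuer) so the comparison reflects what the provider actually serves.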
