[keycloak-user] Custom Social Login, cache access_token, Enterprise Wechat

kkzxak47 kkzxak47 at gmail.com
Thu Aug 1 23:45:30 EDT 2019


Alright then. I think I will follow this thread myself to provide relevant
information for people who want to implement similar provider plugins in
the future.

So I have managed to implement a customized social login identity provider
alongside Twitter / Google and others. It's working just fine. You visit
one of the company apps, it redirects you to Keycloak. There you use the
Wechat Work IdP to log into Keycloak. Then Keycloak redirects you
back to the app. You are logged in. Perfect.

Now there is another question: instead of a link to click that shows a QR code
for login, is it possible to integrate that QR code directly into the login
page of Keycloak? I tried to use JavaScript to open a new page (I want both
username/password and QR code available on the same page), "click" the
"zocial-wechat-work" link and open that QR code web page in an iFrame, but
instead of redirecting me back to the app I am visiting (which the original
link would do), it puts me in the Keycloak user panel after login.

I think my hack is going into a dead end. Is there a better way to achieve
this, i.e. making "username/password" and a "3rd party QR code login"
available on the same login page?

kkzxak47 <kkzxak47 at gmail.com> wrote on Fri, Jul 26, 2019 at 10:17 PM:

> I managed to get Infinispan running in my customized identity provider, but
> apart from the predefined caches, I am not able to add a new cache.
> The error reads:
> ```
> 21:59:01,683 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> ([("deployment" => "keycloak-server.war")]
> ) - failure description: {
>     "WFLYCTL0412: Required services that are not installed:" =>
> ["org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso"],
>     "WFLYCTL0180: Services with missing/unavailable dependencies" => [
>         "jboss.naming.context.java.module.auth.auth.ModuleName is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.app.auth is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.module.auth.auth.Validator is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>
> "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor
> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.concurrent.ee.context.config.auth.auth is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.deployment.discovery.\"keycloak-server.war\" is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.module.auth.auth.InAppClientContainer
> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.app.auth.AppName is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.module.auth.auth.InstanceName is
> missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.module.auth.auth is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>         "jboss.naming.context.java.module.auth.auth.ValidatorFactory is
> missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>
> "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service
> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]"
>     ]
> }
> ```
>
> How can I set up a new cache in Infinispan? What are the proper steps to
> create it?
>
> kkzxak47 <kkzxak47 at gmail.com> wrote on Thu, Jul 25, 2019 at 10:56 AM:
>
>> Hi,
>>   I'm building an SSO service for my company (~1000 employees).
>>   After investigation I decided to adopt Keycloak as the core component.
>>   We are using Wechat Work as our IM tool (https://work.weixin.qq.com/), and
>> our employee DB is based on its Contacts. So it's natural to integrate it as a
>> social login into the Keycloak SSO service.
>>   In the process of implementing the 'WechatIdentityProvider' and
>> 'WechatIdentityProviderFactory' classes I encountered some trouble.
>>   Just like Twitter / Google and other providers, some of Wechat Work's
>> OAuth2 flow is not aligned with the standards. For example, the process of
>> retrieving the access_token is relatively independent of the rest of the OAuth2
>> code flow: the access_token is valid for 7200 seconds, and its API is limited to
>> 2000 calls per day for a single client. We are forced to cache a
>> global access_token for each client. I noticed that Keycloak is heavily
>> using Infinispan. My question is: can I use it for caching the access_token too?
>> Is it safe to do so? What is your recommendation?
>>   Also, I'm working based on version 6.0.1 in standalone mode. Is that
>> appropriate?
>>
>>   My main programming language is not Java, by the way. I learned it ~10
>> years ago and Spring is new to me, so I'm still learning. It would be of great
>> help to get relevant document links or code snippets. Thanks!
>>
>>
>> Victor
>>
>
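The July 25 question at the bottom of this thread is about caching one "global" Wechat Work access_token per client, because the token lives for 7200 seconds and the endpoint that issues it is capped at 2000 calls per day. The class below is an added example, not code from this thread, from Keycloak or from Wechat Work, and it deliberately uses no Infinispan or Keycloak API: it is a plain process-local cache that refreshes the token shortly before expiry and makes sure concurrent requests for the same client trigger only one fetch, so the daily quota is not burned by a stampede. `TokenFetcher`, `GlobalTokenCache` and the 300-second refresh margin are hypothetical names and values chosen for the example; the token lifetime matches the 7200 seconds stated in the thread.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

/**
 * Process-local cache for per-client "global" access tokens (hypothetical
 * helper; not a Keycloak or Infinispan API). One token per client id,
 * refreshed ahead of expiry, with at most one in-flight fetch per client.
 */
public final class GlobalTokenCache {

    /** A token value plus the instant at which the provider stops accepting it. */
    public static final class Token {
        private final String value;      // secret material: keep it out of logs
        private final Instant expiresAt;

        public Token(String value, Instant expiresAt) {
            this.value = Objects.requireNonNull(value);
            this.expiresAt = Objects.requireNonNull(expiresAt);
        }

        /** True if the token is still usable at 'now' with 'margin' to spare. */
        boolean isUsableAt(Instant now, Duration margin) {
            return now.plus(margin).isBefore(expiresAt);
        }
    }

    /** Calls the provider's token endpoint for one client id (quota-limited). */
    @FunctionalInterface
    public interface TokenFetcher {
        Token fetch(String clientId) throws Exception;
    }

    private final ConcurrentMap<String, Token> tokens = new ConcurrentHashMap<>();
    private final ConcurrentMap<String, Object> locks = new ConcurrentHashMap<>();
    private final TokenFetcher fetcher;
    private final Duration refreshMargin;
    private final Supplier<Instant> clock; // injectable so expiry can be tested

    public GlobalTokenCache(TokenFetcher fetcher, Duration refreshMargin, Supplier<Instant> clock) {
        this.fetcher = Objects.requireNonNull(fetcher);
        this.refreshMargin = Objects.requireNonNull(refreshMargin);
        this.clock = Objects.requireNonNull(clock);
    }

    /** Returns a usable token, fetching a new one only when the cached one is absent or near expiry. */
    public String get(String clientId) throws Exception {
        Token cached = tokens.get(clientId);
        if (cached != null && cached.isUsableAt(clock.get(), refreshMargin)) {
            return cached.value; // fast path, no lock
        }
        Object lock = locks.computeIfAbsent(clientId, k -> new Object());
        synchronized (lock) {
            // Re-check: another thread may have refreshed while we waited for the lock.
            cached = tokens.get(clientId);
            if (cached != null && cached.isUsableAt(clock.get(), refreshMargin)) {
                return cached.value;
            }
            Token fresh = fetcher.fetch(clientId); // exactly one quota-consuming call
            tokens.put(clientId, fresh);
            return fresh.value;
        }
    }

    /** Drop a token the provider has rejected (e.g. revoked server-side) so the next call refetches. */
    public void invalidate(String clientId) {
        tokens.remove(clientId);
    }

    /** Stand-alone demo with a fake fetcher and a controllable clock (constructed data). */
    public static void main(String[] args) throws Exception {
        AtomicInteger calls = new AtomicInteger();
        Instant[] now = { Instant.parse("2019-07-25T02:56:00Z") };
        GlobalTokenCache cache = new GlobalTokenCache(
                clientId -> new Token("token-" + calls.incrementAndGet(), now[0].plusSeconds(7200)),
                Duration.ofSeconds(300),
                () -> now[0]);

        String first = cache.get("app1");
        String second = cache.get("app1");        // served from cache, no fetch
        now[0] = now[0].plusSeconds(7000);         // inside the 300 s refresh margin
        String third = cache.get("app1");          // triggers exactly one refresh
        System.out.println("same token before expiry: " + first.equals(second));
        System.out.println("new token near expiry:    " + !first.equals(third));
        System.out.println("fetches made:             " + calls.get());
    }
}
```

Two points this shape makes explicit: the token is a bearer secret, so the cache holds it only in memory and never writes it to logs, and the per-client lock plus re-check is what keeps a burst of login requests from spending many of the 2000 daily calls at once. In a clustered Keycloak deployment each node would keep its own copy and refresh independently, which is where a shared cache such as Infinispan becomes relevant; the class above can be backed by one without changing its callers.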

