[keycloak-user] Alternative authentication systems: SPI, token exchange. or IDP?

[Aaron Harnly]

Hi all,

I'd like your thoughts on the best way to integrate, in an adequately
decoupled way, "alternative" login systems with Keycloak.

Background: We are building or have built support for alternative
authentication mechanisms, including the LTI standard for education
technology single-sign-on, QR code-based login for young students,
simple "autologin" buttons for demo accounts, and other alternative
login methods for very young students.

We see three obvious options for implementing these:

1. Authentication SPI (ie build a custom authenticator flow and
package it into Keycloak)
2. Token exchange (ie the upstream system performs its authentication,
then does token exchange to obtain a token for the target user,
placing it into a Keycloak cookie)
3. IDP, ie the upstream system performs its authentication, then acts
as an IDP to Keycloak via SAML or Oauth

Currently we've done pathway #2, which is relatively decoupled,
requiring a single POST from the authenticator to Keycloak. But we
don't love that we have to (as we understand it) place the token into
a Keycloak cookie, which feels like we're diving into Keycloak
internals.

#1 (Authentication SPI) seems reasonable, but couples very tightly to
Keycloak, and requires that it be built in Java, which not all of our
teams prefer, and couples development and deployment with Keycloak.
I'd love to hear about experiences from people who have built
Authentication SPIs, though.

#3, building a wholly separate authenticator which uses SAML or Oauth
to establish Keycloak sessions, is very decoupled, but requires
incorporating Oauth or SAML libraries and keeping them all up to date,
which is sort of why we've invested in Keycloak to begin with :)

Any thoughts?
-Aaron