<font face="arial" size="2"><!--WM_COMPOSE_SIGNATURE_START-->
<p style="margin:0;padding:0;">Thanks Stian. :) Let me first go thru the resources I have on the website. The java source code of the adapter also must be present somewhere for me to have a look I guess?</p>
<p style="margin:0;padding:0;"> </p>
<p style="margin:0;padding:0;">Kalinga</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"><br />-----Original Message-----<br />From: "Stian Thorgersen" <stian@redhat.com><br />Sent: Tuesday, March 17, 2015 3:14pm<br />To: "Kalinga Dissanayake" <kalinga@leapset.com><br />Cc: keycloak-user@lists.jboss.org<br />Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br /><br /></p>
<div id="SafeStyles1426587612">
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">If you have any more questions feel free to ask, anyone contributing code gets extra questions answered ;)<br /><br /><br />----- Original Message -----<br />> From: "Stian Thorgersen" <stian@redhat.com><br />> To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> Cc: keycloak-user@lists.jboss.org<br />> Sent: Tuesday, March 17, 2015 10:41:51 AM<br />> Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br />> <br />> There is no hints regarding adapter logic, but what you'll need is:<br />> <br />> * Configure adapter using keycloak.json<br />> * Implement client side of OAuth2 Authorization Code Grant<br />> 1. Generate a state variable and store in a cookie or session<br />> 2. Redirect to<br />> /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate<br />> uuid>&redirect_uri=<callback uri><br />> 3. Once the user has logged-in it's redirected back to <callback uri> with<br />> a code query param<br />> 4. Use the code query param to obtain a token by posting to<br />> /{realm}/protocols/openid-connect/token the form-data should be<br />> grant_type=authorization_code&code=<code> you also need to include a http<br />> basic authorization header with client id and secret<br />> <br />> Once you've done that you should have a token available to the application.<br />> Then you have to deal with:<br />> <br />> * Refreshing token when expired<br />> * Handle logout events from Keycloak<br />> * Clustering issues<br />> * If you want to support creating rest endpoints in PHP you also need to<br />> support verifying the bearer token included in authorization header, this<br />> can be done by checking the jws signature using the realm public key<br />> <br />> ----- Original Message -----<br />> > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > Cc: "Stian Thorgersen" <stian@redhat.com>, "Bill Burke"<br />> > <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > Sent: Tuesday, March 17, 2015 10:26:18 AM<br />> > Subject: Re: [keycloak-user] Customization of authentication mechanism and<br />> > +<br />> > <br />> > <br />> > * I can get a php application in place<br />> > <br />> > Kalinga<br />> > <br />> > -----Original Message-----<br />> > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > Sent: Tuesday, March 17, 2015 2:55pm<br />> > To: "Stian Thorgersen" <stian@redhat.com><br />> > Cc: "Bill Burke" <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > Subject: Re: [keycloak-user] Customization of authentication mechanism and<br />> > +<br />> > <br />> > <br />> > <br />> > Thanks again.<br />> > I need to go thru most documentation to get the hang of it. Will do.<br />> > I would love to contribute if u can get a php application in place, is it<br />> > possible for you to direct me to documentation where there are hints<br />> > regarding the adapter logic?<br />> > <br />> > Kalinga<br />> > <br />> > <br />> > -----Original Message-----<br />> > From: "Stian Thorgersen" <stian@redhat.com><br />> > Sent: Tuesday, March 17, 2015 2:25pm<br />> > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > Cc: "Bill Burke" <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > Subject: Re: [keycloak-user] Customization of authentication mechanism and<br />> > +<br />> > <br />> > <br />> > <br />> > <br />> > ----- Original Message -----<br />> > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > To: "Bill Burke" <bburke@redhat.com><br />> > > Cc: keycloak-user@lists.jboss.org<br />> > > Sent: Tuesday, March 17, 2015 8:52:12 AM<br />> > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > and<br />> > > +<br />> > > <br />> > > <br />> > > <br />> > > Thanks again for your quick feedbacks.<br />> > > <br />> > > Sorry I have a number of questions so I will be buzzing u guys regularly.<br />> > > <br />> > > I went through the document for the adapters;<br />> > > <br />> > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html<br />> > > <br />> > > <br />> > > <br />> > > So lets say I need a php application to be deployed using keycloak as my<br />> > > SSO<br />> > > manager application.<br />> > > <br />> > > So my basic requirement is that user should have the ability to signin<br />> > > via<br />> > > keycloak. I see that there are no dedicated adapters for php (I guess it<br />> > > must be in the works)<br />> > <br />> > We don't have a PHP adapter, and there's no immediate plans to create one.<br />> > You could use:<br />> > <br />> > * JavaScript adapter<br />> > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)<br />> > * Proxy<br />> > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)<br />> > <br />> > Alternatively have a look on Google for instructions on using OAuth2 and/or<br />> > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a<br />> > OpenID Connect Discovery endpoint, which should make it easier to use other<br />> > OpenID Connect client libraries with Keycloak.<br />> > <br />> > If you're willing to contribute a PHP adapter then let me know and I can<br />> > give<br />> > you more details on what would be required and some hints to get you<br />> > started.<br />> > <br />> > > <br />> > > <br />> > > <br />> > > Is there a guideline that I should follow if I am to do it manually?<br />> > > Basically what I should to do replicate what an adapter does (if I dont<br />> > > want<br />> > > to use any adapters or my apps are mobile based or deployed on containers<br />> > > hat keycloak does not have adapters for). Hope my question is clear.<br />> > > <br />> > > <br />> > > <br />> > > Kalinga<br />> > > <br />> > > <br />> > > <br />> > > <br />> > > -----Original Message-----<br />> > > From: "Bill Burke" <bburke@redhat.com><br />> > > Sent: Monday, March 16, 2015 7:46pm<br />> > > To: keycloak-user@lists.jboss.org<br />> > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > and<br />> > > +<br />> > > <br />> > > <br />> > > <br />> > > Minimally you need to import username. Probably email too if you want<br />> > > to use any of our email-based features. With UserFederationProvider you<br />> > > can delegate to the third-party storage for other user<br />> > > attributes/metadata.<br />> > > <br />> > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:<br />> > > > We don't currently have a way to plugin your own authentication<br />> > > > mechanism,<br />> > > > but this is something we'll be adding.<br />> > > > <br />> > > > You have two choices when it comes to users, you can either use our<br />> > > > user<br />> > > > federation provider mechanism to sync between Keycloak and your current<br />> > > > db. Or you can migrate the users fully to the Keycloak db. In either<br />> > > > case<br />> > > > you have an option on overriding how passwords are verified (either<br />> > > > UserFederationProvider or by extending an existing UserProvider). With<br />> > > > the<br />> > > > above authentication mechanism we'll most likely also make the<br />> > > > verification of passwords pluggable which would support different hash<br />> > > > algorithms.<br />> > > > <br />> > > > ----- Original Message -----<br />> > > >> From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > >> To: keycloak-user@lists.jboss.org<br />> > > >> Sent: Monday, March 16, 2015 10:48:55 AM<br />> > > >> Subject: [keycloak-user] Customization of authentication mechanism and<br />> > > >> +<br />> > > >> <br />> > > >> <br />> > > >> <br />> > > >> Guys,<br />> > > >> <br />> > > >> I need to understand the capability of keycloak with my requirement<br />> > > >> and<br />> > > >> to<br />> > > >> ensure that keycloak is scalable to meet my needs. My main requirement<br />> > > >> is<br />> > > >> to<br />> > > >> integrate keycloak to our system to support SSO hence I need to<br />> > > >> migrate<br />> > > >> my<br />> > > >> existing users. My main concerns;<br />> > > >> <br />> > > >> <br />> > > >> <br />> > > >> 1/ Customize authentication method.<br />> > > >> <br />> > > >> I need to authenticate users similar to what we currently use in our<br />> > > >> production system. In our system, users are identified by username,<br />> > > >> password<br />> > > >> and the pin.<br />> > > >> <br />> > > >> For instance;<br />> > > >> <br />> > > >> User -> jack, password -> pwd, pin -> 50000<br />> > > >> <br />> > > >> User should enter all three to login to the system.<br />> > > >> <br />> > > >> I went through the codebase and I saw that the Authentication Manager<br />> > > >> (which<br />> > > >> is a concrete class) does all the work inside keycloak. I managed to<br />> > > >> customize the frontend with ease, however, in order to support the pin<br />> > > >> in<br />> > > >> the backend seems like I have to customize the AuthenticationManager<br />> > > >> class<br />> > > >> (no direct SPIs).<br />> > > >> <br />> > > >> Although there is a link here;<br />> > > >> <br />> > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html<br />> > > >> <br />> > > >> I cant seem to find anything here which matches the current code base<br />> > > >> (to<br />> > > >> via<br />> > > >> a new authentication method via spis) and the example has been<br />> > > >> removed.<br />> > > >> <br />> > > >> <br />> > > >> <br />> > > >> 2/ Customize password hashes.<br />> > > >> <br />> > > >> We have our own algorithm used to store password hashes. What should I<br />> > > >> do<br />> > > >> to<br />> > > >> add this to keycloak?<br />> > > >> <br />> > > >> I do not know the current passwords of the users already in our<br />> > > >> system,<br />> > > >> so<br />> > > >> when doing the migration i need keyclock to support the current<br />> > > >> algorithm<br />> > > >> we<br />> > > >> use. Can we plugin new hashing algorithms to meet my needs?<br />> > > >> <br />> > > >> <br />> > > >> <br />> > > >> Any other issues I might face?<br />> > > >> <br />> > > >> I feel key cloak is the right choice if the above two questions are<br />> > > >> answered.<br />> > > >> Please let me know.<br />> > > >> <br />> > > >> _______________________________________________<br />> > > >> keycloak-user mailing list<br />> > > >> keycloak-user@lists.jboss.org<br />> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > > _______________________________________________<br />> > > > keycloak-user mailing list<br />> > > > keycloak-user@lists.jboss.org<br />> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > > <br />> > > <br />> > > --<br />> > > Bill Burke<br />> > > JBoss, a division of Red Hat<br />> > > http://bill.burkecentral.com<br />> > > _______________________________________________<br />> > > keycloak-user mailing list<br />> > > keycloak-user@lists.jboss.org<br />> > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > <br />> > > _______________________________________________<br />> > > keycloak-user mailing list<br />> > > keycloak-user@lists.jboss.org<br />> > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> _______________________________________________<br />> keycloak-user mailing list<br />> keycloak-user@lists.jboss.org<br />> https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> </p>
</div></font>