<font face="arial" size="2"><p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Stian,</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">As per your previous email, I should use the endpoint <em><strong>/{realm}/protocols/openid-connect/token</strong></em>.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">However, I am using version 1.1.0.Final of Keycloak. This seems to be the production-ready release available; however, it does not have the above endpoint [<em><strong>/{realm}/protocols/openid-connect/token</strong></em>].</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Instead, version 1.1.0.Final has this endpoint, which seems to provide the same functionality:</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"><em><strong>/realms/demo/protocol/openid-connect/access/codes</strong></em></p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">So I have a few questions regarding the above:</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">1/ Is the <span style="text-decoration: underline;">/access/codes</span> API endpoint the same as the <span style="text-decoration: underline;">/token</span> endpoint, where the latter is planned to be released in a future version? I compared the JS adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses the <span style="text-decoration: underline;">/access/codes</span> API endpoint while 1.2.0.Beta uses <span style="text-decoration: underline;">/token</span>.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">2/ Similarly, the <span style="text-decoration: underline;">/{realm}/protocols/openid-connect/auth</span> API endpoint has been changed. What is the mapping endpoint for this in the 1.1.0 version? Are there other API signatures that are planned to be changed in the future?</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">3/ If I am using Keycloak for an application which I am planning to roll out to production soon, which version would you recommend?</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">4/ The above APIs are for openid-connect. What are the endpoints available if the authorization type is SAML?</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"><span style="text-decoration: underline;">Extract from previous email <<Stian>></span></p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">> > * Configure adapter using keycloak.json<br />> > * Implement client side of OAuth2 Authorization Code Grant<br />> > 1. Generate a state variable and store in a cookie or session<br />> > 2. Redirect to<br />> > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate<br />> > uuid>&redirect_uri=<callback uri><br />> > 3. Once the user has logged-in it's redirected back to <callback uri> with<br />> > a code query param<br />> > 4. Use the code query param to obtain a token by posting to<br />> > /{realm}/protocols/openid-connect/token the form-data should be<br />> > grant_type=authorization_code&code=<code> you also need to include a http<br />> > basic authorization header with client id and secret</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Thanks.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Kalinga</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"><br /><br />-----Original Message-----<br />From: "Stian Thorgersen" <stian@redhat.com><br />Sent: Tuesday, March 17, 2015 3:55pm<br />To: "Kalinga Dissanayake" <kalinga@leapset.com><br />Cc: keycloak-user@lists.jboss.org<br />Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br /><br /></p>
<div id="SafeStyles1426838901">
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Source code for all adapters is in:<br /><br />https://github.com/keycloak/keycloak/tree/master/integration<br /><br />----- Original Message -----<br />> From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> To: "Stian Thorgersen" <stian@redhat.com><br />> Cc: keycloak-user@lists.jboss.org<br />> Sent: Tuesday, March 17, 2015 11:23:10 AM<br />> Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br />> <br />> <br />> Thanks Stian. :) Let me first go thru the resources I have on the website.<br />> The java source code of the adapter also must be present somewhere for me to<br />> have a look I guess?<br />> <br />> Kalinga<br />> <br />> -----Original Message-----<br />> From: "Stian Thorgersen" <stian@redhat.com><br />> Sent: Tuesday, March 17, 2015 3:14pm<br />> To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> Cc: keycloak-user@lists.jboss.org<br />> Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br />> <br />> <br />> <br />> If you have any more questions feel free to ask, anyone contributing code<br />> gets extra questions answered ;)<br />> <br />> <br />> ----- Original Message -----<br />> > From: "Stian Thorgersen" <stian@redhat.com><br />> > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > Cc: keycloak-user@lists.jboss.org<br />> > Sent: Tuesday, March 17, 2015 10:41:51 AM<br />> > Subject: Re: [keycloak-user] Customization of authentication mechanism and<br />> > +<br />> > <br />> > There is no hints regarding adapter logic, but what you'll need is:<br />> > <br />> > * Configure adapter using keycloak.json<br />> > * Implement client side of OAuth2 Authorization Code Grant<br />> > 1. Generate a state variable and store in a cookie or session<br />> > 2. 
Redirect to<br />> > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate<br />> > uuid>&redirect_uri=<callback uri><br />> > 3. Once the user has logged-in it's redirected back to <callback uri> with<br />> > a code query param<br />> > 4. Use the code query param to obtain a token by posting to<br />> > /{realm}/protocols/openid-connect/token the form-data should be<br />> > grant_type=authorization_code&code=<code> you also need to include a http<br />> > basic authorization header with client id and secret<br />> > <br />> > Once you've done that you should have a token available to the application.<br />> > Then you have to deal with:<br />> > <br />> > * Refreshing token when expired<br />> > * Handle logout events from Keycloak<br />> > * Clustering issues<br />> > * If you want to support creating rest endpoints in PHP you also need to<br />> > support verifying the bearer token included in authorization header, this<br />> > can be done by checking the jws signature using the realm public key<br />> > <br />> > ----- Original Message -----<br />> > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > Cc: "Stian Thorgersen" <stian@redhat.com>, "Bill Burke"<br />> > > <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > > Sent: Tuesday, March 17, 2015 10:26:18 AM<br />> > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > and<br />> > > +<br />> > > <br />> > > <br />> > > * I can get a php application in place<br />> > > <br />> > > Kalinga<br />> > > <br />> > > -----Original Message-----<br />> > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > Sent: Tuesday, March 17, 2015 2:55pm<br />> > > To: "Stian Thorgersen" <stian@redhat.com><br />> > > Cc: "Bill Burke" <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br 
/>> > > and<br />> > > +<br />> > > <br />> > > <br />> > > <br />> > > Thanks again.<br />> > > I need to go thru most documentation to get the hang of it. Will do.<br />> > > I would love to contribute if u can get a php application in place, is it<br />> > > possible for you to direct me to documentation where there are hints<br />> > > regarding the adapter logic?<br />> > > <br />> > > Kalinga<br />> > > <br />> > > <br />> > > -----Original Message-----<br />> > > From: "Stian Thorgersen" <stian@redhat.com><br />> > > Sent: Tuesday, March 17, 2015 2:25pm<br />> > > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > Cc: "Bill Burke" <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > and<br />> > > +<br />> > > <br />> > > <br />> > > <br />> > > <br />> > > ----- Original Message -----<br />> > > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > To: "Bill Burke" <bburke@redhat.com><br />> > > > Cc: keycloak-user@lists.jboss.org<br />> > > > Sent: Tuesday, March 17, 2015 8:52:12 AM<br />> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > > and<br />> > > > +<br />> > > > <br />> > > > <br />> > > > <br />> > > > Thanks again for your quick feedbacks.<br />> > > > <br />> > > > Sorry I have a number of questions so I will be buzzing u guys<br />> > > > regularly.<br />> > > > <br />> > > > I went through the document for the adapters;<br />> > > > <br />> > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html<br />> > > > <br />> > > > <br />> > > > <br />> > > > So lets say I need a php application to be deployed using keycloak as<br />> > > > my<br />> > > > SSO<br />> > > > manager application.<br />> > > > <br />> > > > So my basic requirement is that user should have the ability to signin<br />> > > > via<br />> > > > keycloak. 
I see that there are no dedicated adapters for php (I guess<br />> > > > it<br />> > > > must be in the works)<br />> > > <br />> > > We don't have a PHP adapter, and there's no immediate plans to create<br />> > > one.<br />> > > You could use:<br />> > > <br />> > > * JavaScript adapter<br />> > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)<br />> > > * Proxy<br />> > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)<br />> > > <br />> > > Alternatively have a look on Google for instructions on using OAuth2<br />> > > and/or<br />> > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a<br />> > > OpenID Connect Discovery endpoint, which should make it easier to use<br />> > > other<br />> > > OpenID Connect client libraries with Keycloak.<br />> > > <br />> > > If you're willing to contribute a PHP adapter then let me know and I can<br />> > > give<br />> > > you more details on what would be required and some hints to get you<br />> > > started.<br />> > > <br />> > > > <br />> > > > <br />> > > > <br />> > > > Is there a guideline that I should follow if I am to do it manually?<br />> > > > Basically what I should to do replicate what an adapter does (if I dont<br />> > > > want<br />> > > > to use any adapters or my apps are mobile based or deployed on<br />> > > > containers<br />> > > > hat keycloak does not have adapters for). Hope my question is clear.<br />> > > > <br />> > > > <br />> > > > <br />> > > > Kalinga<br />> > > > <br />> > > > <br />> > > > <br />> > > > <br />> > > > -----Original Message-----<br />> > > > From: "Bill Burke" <bburke@redhat.com><br />> > > > Sent: Monday, March 16, 2015 7:46pm<br />> > > > To: keycloak-user@lists.jboss.org<br />> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > > and<br />> > > > +<br />> > > > <br />> > > > <br />> > > > <br />> > > > Minimally you need to import username. 
Probably email too if you want<br />> > > > to use any of our email-based features. With UserFederationProvider you<br />> > > > can delegate to the third-party storage for other user<br />> > > > attributes/metadata.<br />> > > > <br />> > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:<br />> > > > > We don't currently have a way to plugin your own authentication<br />> > > > > mechanism,<br />> > > > > but this is something we'll be adding.<br />> > > > > <br />> > > > > You have two choices when it comes to users, you can either use our<br />> > > > > user<br />> > > > > federation provider mechanism to sync between Keycloak and your<br />> > > > > current<br />> > > > > db. Or you can migrate the users fully to the Keycloak db. In either<br />> > > > > case<br />> > > > > you have an option on overriding how passwords are verified (either<br />> > > > > UserFederationProvider or by extending an existing UserProvider).<br />> > > > > With<br />> > > > > the<br />> > > > > above authentication mechanism we'll most likely also make the<br />> > > > > verification of passwords pluggable which would support different<br />> > > > > hash<br />> > > > > algorithms.<br />> > > > > <br />> > > > > ----- Original Message -----<br />> > > > >> From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > >> To: keycloak-user@lists.jboss.org<br />> > > > >> Sent: Monday, March 16, 2015 10:48:55 AM<br />> > > > >> Subject: [keycloak-user] Customization of authentication mechanism<br />> > > > >> and<br />> > > > >> +<br />> > > > >> <br />> > > > >> <br />> > > > >> <br />> > > > >> Guys,<br />> > > > >> <br />> > > > >> I need to understand the capability of keycloak with my requirement<br />> > > > >> and<br />> > > > >> to<br />> > > > >> ensure that keycloak is scalable to meet my needs. 
My main<br />> > > > >> requirement<br />> > > > >> is<br />> > > > >> to<br />> > > > >> integrate keycloak to our system to support SSO hence I need to<br />> > > > >> migrate<br />> > > > >> my<br />> > > > >> existing users. My main concerns;<br />> > > > >> <br />> > > > >> <br />> > > > >> <br />> > > > >> 1/ Customize authentication method.<br />> > > > >> <br />> > > > >> I need to authenticate users similar to what we currently use in our<br />> > > > >> production system. In our system, users are identified by username,<br />> > > > >> password<br />> > > > >> and the pin.<br />> > > > >> <br />> > > > >> For instance;<br />> > > > >> <br />> > > > >> User -> jack, password -> pwd, pin -> 50000<br />> > > > >> <br />> > > > >> User should enter all three to login to the system.<br />> > > > >> <br />> > > > >> I went through the codebase and I saw that the Authentication<br />> > > > >> Manager<br />> > > > >> (which<br />> > > > >> is a concrete class) does all the work inside keycloak. I managed to<br />> > > > >> customize the frontend with ease, however, in order to support the<br />> > > > >> pin<br />> > > > >> in<br />> > > > >> the backend seems like I have to customize the AuthenticationManager<br />> > > > >> class<br />> > > > >> (no direct SPIs).<br />> > > > >> <br />> > > > >> Although there is a link here;<br />> > > > >> <br />> > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html<br />> > > > >> <br />> > > > >> I cant seem to find anything here which matches the current code<br />> > > > >> base<br />> > > > >> (to<br />> > > > >> via<br />> > > > >> a new authentication method via spis) and the example has been<br />> > > > >> removed.<br />> > > > >> <br />> > > > >> <br />> > > > >> <br />> > > > >> 2/ Customize password hashes.<br />> > > > >> <br />> > > > >> We have our own algorithm used to store password hashes. 
What should<br />> > > > >> I do to add this to Keycloak?<br />> > > > >> <br />> > > > >> I do not know the current passwords of the users already in our<br />> > > > >> system, so when doing the migration I need Keycloak to support the current<br />> > > > >> algorithm we use. Can we plug in new hashing algorithms to meet my needs?<br />> > > > >> <br />> > > > >> Any other issues I might face?<br />> > > > >> <br />> > > > >> I feel Keycloak is the right choice if the above two questions are<br />> > > > >> answered.<br />> > > > >> Please let me know.<br />> > > > >> <br />> > > > >> _______________________________________________<br />> > > > >> keycloak-user mailing list<br />> > > > >> keycloak-user@lists.jboss.org<br />> > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > > > <br />> > > > <br />> > > > --<br />> > > > Bill Burke<br />> > > > JBoss, a division of Red Hat<br />> > > > http://bill.burkecentral.com<br />> ></p>
</div></font>