<font face="arial" size="2"><p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Stian,</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Thanks for clarifying. A couple of more questions and my sincere apologies for troubling u guys amidst all the work.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">I could not get the saml endpoints token endpoints but the openid connect protocol works fine now.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"><em><strong>Extract from previous email</strong></em></p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">--------------------------------</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">> > > * Refreshing token when expired<br />> > > * Handle logout events from Keycloak<br />> > > * Clustering issues<br />> > > * If you want to support creating rest endpoints in PHP you also need to<br />> > > support verifying the bearer token included in authorization header, this<br />> > > can be done by checking the jws signature using the realm public key</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">* Handle logout events from Keycloak</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Are there any specific events I should listen to for this purpose? I saw that the js adapter somehow handles this via the iframe but is there any way for me to support me in the php backend or any other app?</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Basically let me explain the scenario.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> I have a php app and a tomcat applicaton that call keycloak for auth. I logout from the tomcat application and I need the php app user to force logout... What are the events i should listen to? Is there any document which contains these details?</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">* Clustering issues</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Are there are clustering issues with the adapters I should be aware of? or Is it simply the clustering on the server end you are referring to?</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Thanks. Appreciate ur feedback...please let me know any concerns/factors I should be aware regarding the above two points.</p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;">Kalinga</p>
<!--WM_COMPOSE_SIGNATURE_START--><!--WM_COMPOSE_SIGNATURE_END-->
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"> </p>
<p style="margin:0;padding:0;font-family: arial; font-size: 10pt; word-wrap: break-word;"><br />-----Original Message-----<br />From: "Stian Thorgersen" <stian@redhat.com><br />Sent: Friday, March 20, 2015 2:12pm<br />To: "Kalinga Dissanayake" <kalinga@leapset.com><br />Cc: keycloak-user@lists.jboss.org<br />Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br /><br /></p>
<div id="SafeStyles1427094355"><br /><br />----- Original Message -----<br />> From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> To: "Stian Thorgersen" <stian@redhat.com><br />> Cc: keycloak-user@lists.jboss.org<br />> Sent: Friday, 20 March, 2015 9:21:29 AM<br />> Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br />> <br />> <br />> Stian,<br />> As per your previous email I should use the endpoint<br />> /{realm}/protocols/openid-connect/token<br />> However, I am using version 1.1.0.Final of keycloak. Seems like this is the<br />> production ready release available, however this does not have the above<br />> endpoint [ /{realm}/protocols/openid-connect/token]<br />> Instead Version 1.1.0 Final has this end point which seems to be doing the<br />> same functionality;<br />> /realms/demo/protocol/openid-connect/access/codes<br /><br />Yes, sorry for the confusion.<br /><br />> <br />> So I have a few questions regarding the above;<br />> 1/ Is the /access/codes api endpoint same as /token endpoint. Where the<br />> latter is planned to released in a future version? I compared the js<br />> adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses /access/codes api<br />> endpoint while 1.2.0.Beta uses /token<br /><br />It's equivalent and hasn't been removed yet, just deprecated so will still work in 1.2.0.Beta1, but will be removed in a future release.<br /><br />In 1.1.0.Final we had multiple token endpoint (/access/codes, /refresh, /grants/access) these don't require grant_type param. These are now deprecated and we've introduce the single endpoint (/token) that requires grant_type. This is so comply with the OpenID Connect spec.<br /><br />> 2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been<br />> changed. What is the mapping endpoint for this in 1.1.0 version? Are there<br />> are other apis signatures that are planned to be changed in the future?<br /><br />Nothing planned<br /><br />> 3/ If I am using keycloak for an application which I am planning to roll out<br />> to production soon, which version would u recommend?<br /><br />1.2.0.Beta1 is out in a week or two, so I recommend using that. We'll only back-port fixes to 1.1.x if we find critical security issues.<br /><br />> 4/ The above apis are for openid-connect. What are the endpoints available if<br />> the authorization type is saml?<br /><br />I don't have this off hand, but have a look at the SAML examples and you should find that out easily. Currently we only provide adapters for OpenID Connect.<br /><br />> <br />> Extract from previous email <<Stian>><br />> > > * Configure adapter using keycloak.json<br />> > > * Implement client side of OAuth2 Authorization Code Grant<br />> > > 1. Generate a state variable and store in a cookie or session<br />> > > 2. Redirect to<br />> > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate<br />> > > uuid>&redirect_uri=<callback uri><br />> > > 3. Once the user has logged-in it's redirected back to <callback uri><br />> > > with<br />> > > a code query param<br />> > > 4. Use the code query param to obtain a token by posting to<br />> > > /{realm}/protocols/openid-connect/token the form-data should be<br />> > > grant_type=authorization_code&code=<code> you also need to include a http<br />> > > basic authorization header with client id and secret<br />> <br />> Thanks.<br />> <br />> Kalinga<br />> <br />> <br />> -----Original Message-----<br />> From: "Stian Thorgersen" <stian@redhat.com><br />> Sent: Tuesday, March 17, 2015 3:55pm<br />> To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> Cc: keycloak-user@lists.jboss.org<br />> Subject: Re: [keycloak-user] Customization of authentication mechanism and +<br />> <br />> <br />> <br />> Source code for all adapters is in:<br />> <br />> https://github.com/keycloak/keycloak/tree/master/integration<br />> <br />> ----- Original Message -----<br />> > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > To: "Stian Thorgersen" <stian@redhat.com><br />> > Cc: keycloak-user@lists.jboss.org<br />> > Sent: Tuesday, March 17, 2015 11:23:10 AM<br />> > Subject: Re: [keycloak-user] Customization of authentication mechanism and<br />> > +<br />> > <br />> > <br />> > Thanks Stian. :) Let me first go thru the resources I have on the website.<br />> > The java source code of the adapter also must be present somewhere for me<br />> > to<br />> > have a look I guess?<br />> > <br />> > Kalinga<br />> > <br />> > -----Original Message-----<br />> > From: "Stian Thorgersen" <stian@redhat.com><br />> > Sent: Tuesday, March 17, 2015 3:14pm<br />> > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > Cc: keycloak-user@lists.jboss.org<br />> > Subject: Re: [keycloak-user] Customization of authentication mechanism and<br />> > +<br />> > <br />> > <br />> > <br />> > If you have any more questions feel free to ask, anyone contributing code<br />> > gets extra questions answered ;)<br />> > <br />> > <br />> > ----- Original Message -----<br />> > > From: "Stian Thorgersen" <stian@redhat.com><br />> > > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > Cc: keycloak-user@lists.jboss.org<br />> > > Sent: Tuesday, March 17, 2015 10:41:51 AM<br />> > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > and<br />> > > +<br />> > > <br />> > > There is no hints regarding adapter logic, but what you'll need is:<br />> > > <br />> > > * Configure adapter using keycloak.json<br />> > > * Implement client side of OAuth2 Authorization Code Grant<br />> > > 1. Generate a state variable and store in a cookie or session<br />> > > 2. Redirect to<br />> > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate<br />> > > uuid>&redirect_uri=<callback uri><br />> > > 3. Once the user has logged-in it's redirected back to <callback uri><br />> > > with<br />> > > a code query param<br />> > > 4. Use the code query param to obtain a token by posting to<br />> > > /{realm}/protocols/openid-connect/token the form-data should be<br />> > > grant_type=authorization_code&code=<code> you also need to include a http<br />> > > basic authorization header with client id and secret<br />> > > <br />> > > Once you've done that you should have a token available to the<br />> > > application.<br />> > > Then you have to deal with:<br />> > > <br />> > > * Refreshing token when expired<br />> > > * Handle logout events from Keycloak<br />> > > * Clustering issues<br />> > > * If you want to support creating rest endpoints in PHP you also need to<br />> > > support verifying the bearer token included in authorization header, this<br />> > > can be done by checking the jws signature using the realm public key<br />> > > <br />> > > ----- Original Message -----<br />> > > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > Cc: "Stian Thorgersen" <stian@redhat.com>, "Bill Burke"<br />> > > > <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > > > Sent: Tuesday, March 17, 2015 10:26:18 AM<br />> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > > and<br />> > > > +<br />> > > > <br />> > > > <br />> > > > * I can get a php application in place<br />> > > > <br />> > > > Kalinga<br />> > > > <br />> > > > -----Original Message-----<br />> > > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > Sent: Tuesday, March 17, 2015 2:55pm<br />> > > > To: "Stian Thorgersen" <stian@redhat.com><br />> > > > Cc: "Bill Burke" <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > > and<br />> > > > +<br />> > > > <br />> > > > <br />> > > > <br />> > > > Thanks again.<br />> > > > I need to go thru most documentation to get the hang of it. Will do.<br />> > > > I would love to contribute if u can get a php application in place, is<br />> > > > it<br />> > > > possible for you to direct me to documentation where there are hints<br />> > > > regarding the adapter logic?<br />> > > > <br />> > > > Kalinga<br />> > > > <br />> > > > <br />> > > > -----Original Message-----<br />> > > > From: "Stian Thorgersen" <stian@redhat.com><br />> > > > Sent: Tuesday, March 17, 2015 2:25pm<br />> > > > To: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > Cc: "Bill Burke" <bburke@redhat.com>, keycloak-user@lists.jboss.org<br />> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism<br />> > > > and<br />> > > > +<br />> > > > <br />> > > > <br />> > > > <br />> > > > <br />> > > > ----- Original Message -----<br />> > > > > From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > > To: "Bill Burke" <bburke@redhat.com><br />> > > > > Cc: keycloak-user@lists.jboss.org<br />> > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM<br />> > > > > Subject: Re: [keycloak-user] Customization of authentication<br />> > > > > mechanism<br />> > > > > and<br />> > > > > +<br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > Thanks again for your quick feedbacks.<br />> > > > > <br />> > > > > Sorry I have a number of questions so I will be buzzing u guys<br />> > > > > regularly.<br />> > > > > <br />> > > > > I went through the document for the adapters;<br />> > > > > <br />> > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html<br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > So lets say I need a php application to be deployed using keycloak as<br />> > > > > my<br />> > > > > SSO<br />> > > > > manager application.<br />> > > > > <br />> > > > > So my basic requirement is that user should have the ability to<br />> > > > > signin<br />> > > > > via<br />> > > > > keycloak. I see that there are no dedicated adapters for php (I guess<br />> > > > > it<br />> > > > > must be in the works)<br />> > > > <br />> > > > We don't have a PHP adapter, and there's no immediate plans to create<br />> > > > one.<br />> > > > You could use:<br />> > > > <br />> > > > * JavaScript adapter<br />> > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)<br />> > > > * Proxy<br />> > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)<br />> > > > <br />> > > > Alternatively have a look on Google for instructions on using OAuth2<br />> > > > and/or<br />> > > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a<br />> > > > OpenID Connect Discovery endpoint, which should make it easier to use<br />> > > > other<br />> > > > OpenID Connect client libraries with Keycloak.<br />> > > > <br />> > > > If you're willing to contribute a PHP adapter then let me know and I<br />> > > > can<br />> > > > give<br />> > > > you more details on what would be required and some hints to get you<br />> > > > started.<br />> > > > <br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > Is there a guideline that I should follow if I am to do it manually?<br />> > > > > Basically what I should to do replicate what an adapter does (if I<br />> > > > > dont<br />> > > > > want<br />> > > > > to use any adapters or my apps are mobile based or deployed on<br />> > > > > containers<br />> > > > > hat keycloak does not have adapters for). Hope my question is clear.<br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > Kalinga<br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > -----Original Message-----<br />> > > > > From: "Bill Burke" <bburke@redhat.com><br />> > > > > Sent: Monday, March 16, 2015 7:46pm<br />> > > > > To: keycloak-user@lists.jboss.org<br />> > > > > Subject: Re: [keycloak-user] Customization of authentication<br />> > > > > mechanism<br />> > > > > and<br />> > > > > +<br />> > > > > <br />> > > > > <br />> > > > > <br />> > > > > Minimally you need to import username. Probably email too if you want<br />> > > > > to use any of our email-based features. With UserFederationProvider<br />> > > > > you<br />> > > > > can delegate to the third-party storage for other user<br />> > > > > attributes/metadata.<br />> > > > > <br />> > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:<br />> > > > > > We don't currently have a way to plugin your own authentication<br />> > > > > > mechanism,<br />> > > > > > but this is something we'll be adding.<br />> > > > > > <br />> > > > > > You have two choices when it comes to users, you can either use our<br />> > > > > > user<br />> > > > > > federation provider mechanism to sync between Keycloak and your<br />> > > > > > current<br />> > > > > > db. Or you can migrate the users fully to the Keycloak db. In<br />> > > > > > either<br />> > > > > > case<br />> > > > > > you have an option on overriding how passwords are verified (either<br />> > > > > > UserFederationProvider or by extending an existing UserProvider).<br />> > > > > > With<br />> > > > > > the<br />> > > > > > above authentication mechanism we'll most likely also make the<br />> > > > > > verification of passwords pluggable which would support different<br />> > > > > > hash<br />> > > > > > algorithms.<br />> > > > > > <br />> > > > > > ----- Original Message -----<br />> > > > > >> From: "Kalinga Dissanayake" <kalinga@leapset.com><br />> > > > > >> To: keycloak-user@lists.jboss.org<br />> > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM<br />> > > > > >> Subject: [keycloak-user] Customization of authentication mechanism<br />> > > > > >> and<br />> > > > > >> +<br />> > > > > >> <br />> > > > > >> <br />> > > > > >> <br />> > > > > >> Guys,<br />> > > > > >> <br />> > > > > >> I need to understand the capability of keycloak with my<br />> > > > > >> requirement<br />> > > > > >> and<br />> > > > > >> to<br />> > > > > >> ensure that keycloak is scalable to meet my needs. My main<br />> > > > > >> requirement<br />> > > > > >> is<br />> > > > > >> to<br />> > > > > >> integrate keycloak to our system to support SSO hence I need to<br />> > > > > >> migrate<br />> > > > > >> my<br />> > > > > >> existing users. My main concerns;<br />> > > > > >> <br />> > > > > >> <br />> > > > > >> <br />> > > > > >> 1/ Customize authentication method.<br />> > > > > >> <br />> > > > > >> I need to authenticate users similar to what we currently use in<br />> > > > > >> our<br />> > > > > >> production system. In our system, users are identified by<br />> > > > > >> username,<br />> > > > > >> password<br />> > > > > >> and the pin.<br />> > > > > >> <br />> > > > > >> For instance;<br />> > > > > >> <br />> > > > > >> User -> jack, password -> pwd, pin -> 50000<br />> > > > > >> <br />> > > > > >> User should enter all three to login to the system.<br />> > > > > >> <br />> > > > > >> I went through the codebase and I saw that the Authentication<br />> > > > > >> Manager<br />> > > > > >> (which<br />> > > > > >> is a concrete class) does all the work inside keycloak. I managed<br />> > > > > >> to<br />> > > > > >> customize the frontend with ease, however, in order to support the<br />> > > > > >> pin<br />> > > > > >> in<br />> > > > > >> the backend seems like I have to customize the<br />> > > > > >> AuthenticationManager<br />> > > > > >> class<br />> > > > > >> (no direct SPIs).<br />> > > > > >> <br />> > > > > >> Although there is a link here;<br />> > > > > >> <br />> > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html<br />> > > > > >> <br />> > > > > >> I cant seem to find anything here which matches the current code<br />> > > > > >> base<br />> > > > > >> (to<br />> > > > > >> via<br />> > > > > >> a new authentication method via spis) and the example has been<br />> > > > > >> removed.<br />> > > > > >> <br />> > > > > >> <br />> > > > > >> <br />> > > > > >> 2/ Customize password hashes.<br />> > > > > >> <br />> > > > > >> We have our own algorithm used to store password hashes. What<br />> > > > > >> should<br />> > > > > >> I<br />> > > > > >> do<br />> > > > > >> to<br />> > > > > >> add this to keycloak?<br />> > > > > >> <br />> > > > > >> I do not know the current passwords of the users already in our<br />> > > > > >> system,<br />> > > > > >> so<br />> > > > > >> when doing the migration i need keyclock to support the current<br />> > > > > >> algorithm<br />> > > > > >> we<br />> > > > > >> use. Can we plugin new hashing algorithms to meet my needs?<br />> > > > > >> <br />> > > > > >> <br />> > > > > >> <br />> > > > > >> Any other issues I might face?<br />> > > > > >> <br />> > > > > >> I feel key cloak is the right choice if the above two questions<br />> > > > > >> are<br />> > > > > >> answered.<br />> > > > > >> Please let me know.<br />> > > > > >> <br />> > > > > >> _______________________________________________<br />> > > > > >> keycloak-user mailing list<br />> > > > > >> keycloak-user@lists.jboss.org<br />> > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > > > > _______________________________________________<br />> > > > > > keycloak-user mailing list<br />> > > > > > keycloak-user@lists.jboss.org<br />> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > > > > <br />> > > > > <br />> > > > > --<br />> > > > > Bill Burke<br />> > > > > JBoss, a division of Red Hat<br />> > > > > http://bill.burkecentral.com<br />> > > > > _______________________________________________<br />> > > > > keycloak-user mailing list<br />> > > > > keycloak-user@lists.jboss.org<br />> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > > > <br />> > > > > _______________________________________________<br />> > > > > keycloak-user mailing list<br />> > > > > keycloak-user@lists.jboss.org<br />> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > > _______________________________________________<br />> > > keycloak-user mailing list<br />> > > keycloak-user@lists.jboss.org<br />> > > https://lists.jboss.org/mailman/listinfo/keycloak-user<br />> > ></div></font>