Keycloak 3.3.0.CR1 release approaching
by Stian Thorgersen
Keycloak 3.3.0.CR1 is scheduled to be released next week, so get your PRs
ready. There's a good chance it'll get delayed a bit though as we're
waiting for WildFly 11 CR1.
7 years, 4 months
token exchange
by Bill Burke
I've implemented a simple token exchange API [1] that allows you to
exchange an access token created for one client for one created for another client. The
REST API follows the OAuth token exchange API [2] very loosely.
subject_token: a keycloak access token
audience: takes a client id
It takes the access token created for one client and converts it
to one for another. It lives under the token endpoint.
The security model is as follows:
* Authenticate calling client the same way as password grant.
* The calling client must have service account enabled
* Service account must have a realm role "token-exchanger" granted to it
or, it must have a client role "token-exchanger" granted to it. This
exchanger client role is a role defined by the target client you are
exchanging the token to.
Is this a good security model? I'm thinking of not creating these roles
right now and to enable support for exchange would require defining the
roles specified above.
Future work would be to have an additional subject_issuer and
requested_issuer parameters. "subject_issuer" would match to a broker
alias, so you could exchange a facebook token for a keycloak realm
token. Same thing goes for "requested_issuer". This would allow you to
exchange a Keycloak token for a facebook token or some other registered
broker.
[1] https://github.com/keycloak/keycloak/pull/4362
[2] http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt
7 years, 4 months
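Added example, not code from the post or the linked PR: a minimal client for the exchange described above, built from the two parameters the post names (subject_token, audience) on the token endpoint. It assumes the standard token-exchange grant_type URN and client_id/client_secret for authenticating the calling client (as with the password grant); the claim check at the end lets the caller confirm which client the returned token was issued for before using it.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed grant_type value; the post only names subject_token and audience.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_exchange_request(base_url, realm, client_id, client_secret,
                           subject_token, audience):
    """Return (url, form_fields) for an exchange call on the token endpoint.

    client_id/client_secret authenticate the calling client (the one whose
    service account needs the token-exchanger role); subject_token is the
    access token issued to the source client; audience is the target client.
    """
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    fields = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "audience": audience,
    }
    return url, fields


def exchange_token(base_url, realm, client_id, client_secret,
                   subject_token, audience, timeout=10):
    """POST the form to the token endpoint and return the parsed JSON body."""
    url, fields = build_exchange_request(base_url, realm, client_id,
                                         client_secret, subject_token, audience)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def unverified_claims(jwt):
    """Decode a JWT payload without checking the signature (inspection only;
    the resource server must still verify the token)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def issued_for(jwt, audience):
    """True if the token names `audience` as authorized party or in aud."""
    claims = unverified_claims(jwt)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return claims.get("azp") == audience or audience in aud


def sample_jwt(claims):
    """Unsigned sample token for offline checks (constructed data, not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```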
Wait time for PR tests to complete
by Stian Thorgersen
How long are we all willing to wait for PR tests to complete?
Main reason I'm asking is that I'd like to add more tests to Travis
(adapter tests, maybe testing with some proper dbs, etc..).
7 years, 4 months
KEYCLOAK-3314 acr/amr support
by Jannik Hüls
Hi,
I would like to contribute to the Keycloak project and implement acr and amr support like described in KEYCLOAK-3314. (However, I don’t know whether this is a good place to start - but at least this is a recent topic very many customers are currently requesting ;-))
My idea would be to implement it in a way Youssef suggested in the comments. Thus every Authenticator of a specific Flow may get a "Authentication Method Reference Value”.
E.g. having two Authenticators ‘pwd’ and ‘otp’:
The claim acr_values describes the desired level of an authentication request, thus using acr_values=pwd for the initial response should only trigger the pwd Authenticator and return acr=pwd and amr=[pwd].
A second authentication request using acr_values=otp should only trigger the otp authenticator, but return acr=otp and amr=[pwd,otp].
Please let me know if you want to implement support of acr and amr - even if my initial thoughts do not correspond to the ideas you have to implement this. :-)
Kind regards
Jannik
7 years, 4 months
Proposal of using existing authentication and authorization server on behalf of keycloak browser-based authentication
by 乗松隆志 / NORIMATSU,TAKASHI
Hello.
Previously, I had proposed the feature and its implementation of delegating authentication and authorization to an external existing server on behalf of keycloak's browser-based authentication mechanism, and had gotten advice that it is appropriate to use Identity Brokering for such a feature.
I've re-implemented this feature using Identity Brokering. The description and implementation of this feature are given below.
https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent
https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent/tree/maste...
It can delegate not only authentication but also authorization (consent).
Kindly review it and provide us with some comments and advice.
We would like to contribute this feature onto keycloak.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
---
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Thursday, June 29, 2017 6:23 PM
To: 乗松隆志 / NORIMATSU,TAKASHI
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication server on behalf of keycloak browser-based authentication
There's an SPI to implement your own custom identity brokering provider [1].
[1] https://github.com/keycloak/keycloak/blob/master/server-spi-private/sr...
On 29 June 2017 at 10:51, 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote:
I need to use an authentication server without an OIDC/OAuth2/SAMLv2 implementation as an external IdP,
in order to integrate an existing authentication system.
(Some commercial products support such a case.)
I consulted the identity broker's section in keycloak's manual below and found that if I use this feature the external IdP must support OIDC or SAMLv2.
https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-b...
Therefore, I realized it by using redirect based authentication flows.
Can Identity Brokering support such a case?
Aside from this, I'd like to contribute it to Community extensions and examples.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
---
From: Stian Thorgersen [mailto:sthorger@redhat.com]
Sent: Tuesday, June 27, 2017 5:52 PM
To: 乗松隆志 / NORIMATSU,TAKASHI
Cc: keycloak-dev(a)lists.jboss.org
Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication server on behalf of keycloak browser-based authentication
I'm not in favour of adding this. If it's using redirect based authentication flows it should be done through identity brokering, not authentication flows. It's also a very complex example that we don't want to maintain. We're also in the process of moving all examples away from the main Keycloak repository into a separate quickstart repository.
On 27 June 2017 at 08:54, 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com> wrote:
Hello.
Previously, I had proposed the feature of delegating authentication to an external authentication server on behalf of keycloak's browser-based authentication mechanism.
I've integrated this feature into keycloak's "examples" packages and sent a PR (https://github.com/keycloak/keycloak/pull/4260).
Hope this PR is reviewed and merged as an example for combining some providers to customize keycloak.
Detailed description of this feature is mentioned below.
https://github.com/Hitachi/PoV-keycloak-authentication-delegation
I am now engaged in integrating this feature into keycloak as product-base default providers, but have encountered technical problems writing Arquillian tests. Would someone tell me how to resolve this problem?
[Problem]
- I could not find how to run an external authentication server (an application running on wildfly 10) during each Arquillian test case.
After resolving this problem and writing and running Arquillian test cases, I'll send a PR for this feature as product-base default providers.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7 years, 4 months
generic cli sso utility
by Bill Burke
I've developed a small command line utility around Keycloak Installed.
The idea is that this utility performs a login with keycloak to obtain
an access token. This utility saves the access and refresh token in a
file (similar to how ssh does in .ssh). Then bash scripts can be used to
export the access token as an environment variable so it can be used by
other command line utilities.
https://github.com/patriot1burke/keycloak/blob/master/adapters/oidc/insta...
https://github.com/patriot1burke/keycloak/tree/master/adapters/oidc/cli-sso
Eventually I'm thinking of creating a text/plain protocol with the Keycloak
server so that launching a browser or cutting/pasting between the
command line window and browser isn't a requirement. It would be a plain
text challenge response protocol. This would require a bit more work as
it would require reworking all of our built in authenticators and
required action plugins.
7 years, 4 months
Extending Keycloak with custom integrations
by Rudresh Shashikant
Hi All,
First time posting in the mailing list. I have a client that needs the
following:
+ social integration for login
+ after successful login, need to be able to extend keycloak to talk to a
backend API and get additional information about this user
+ also need to use that additional information for an extra step involving
OTP (via SMS)
+ end result of this additional workflow is to associate the social login
of the user with their internal Enterprise userId
+----------------------------------+
| Assumption: Social login complete|
+----------------------------------+
[Sequence diagram; column alignment lost in extraction. Participants: User, Keycloak, Backend API, SMS OTP. Message labels present: "user code", "user mobile#".]
+---------------------+
| if successful, link |
| user code to        |
| social login        |
+---------------------+
I will proceed to go through the codebase and documentation now but have
started by reaching out to the community first in case anyone can point me
in the correct direction.
Thanks in advance.
Regards,
Rudy.
7 years, 4 months
account service REST API?
by Bill Burke
The AccountService class was originally intended to be both a browser
service as well as a REST API. Some endpoints on AccountService don't
work. Should I be fixing the Account Service for REST invocations? Are
we still intending the AccountService to be accessible via REST calls?
7 years, 4 months