[Adding some info from the PR]
OIDC IdP initiated login is something I assume there are specifications for
already. So rather than doing a home-grown solution we should use that.
There's some mention in OIDC specs about third-party initiated logins ( ).
I've not looked at it much, but it seems to cover this use-case.
On 16 March 2018 at 09:24, Adrian Gonzalez <adr_gonzalez(a)yahoo.fr> wrote:
Hello,
I would like to raise a thread on OIDC IDP initiated login (or OIDC third
party initiated login).
KC supports only SAML Clients for IDP Initiated login
(http://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login).
When I have an OIDC app, I cannot use this feature. The need has been raised
in KEYCLOAK-4509.
I created an ugly PR to implement this feature, my use case is described
in [1]. In this implementation, I:
- configured IDP initiated SAML between KC and external IDP
- and hacked the code to test if the destination app was OIDC. If it was
  OIDC, then KC makes a plain redirect to the RP app (see also [1]).
This allows SAML initiated IDP and conversion to OIDC app.
We could implement that by relying on OIDC 3rd party initiated login. See
[3] on how this *could* work. This would allow OIDC third party initiated
IDP for OIDC app (but this isn't enough for having SAML initiated IDP for
an OIDC app - perhaps there's a solution for handling both OIDC 3rd party ).
wdyt?
Cheers,
Adrian
[1] https://github.com/keycloak/keycloak/pull/4965#issuecomment-373578277
[2] http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
[3] https://github.com/keycloak/keycloak/pull/4965#issuecomment-373580906
[4] https://issues.jboss.org/browse/KEYCLOAK-4509
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
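The third-party initiated login flow that the thread refers to (OIDC Core 1.0, section 4, reference [2]) is small enough to show end to end. The block below is an added example written for this page; it is not code from the PR, from Keycloak, or from either poster, and it is in Python rather than Keycloak's Java because the point is the protocol exchange, not a Keycloak patch. It models both sides: the initiator (an OP such as Keycloak, or any third party) builds the redirect to the RP's initiate_login_uri carrying iss, login_hint and target_link_uri, and the RP validates that request before starting an ordinary authorization code flow. The two checks the spec requires of the RP, and that a home-grown "plain redirect" would skip, are that iss names an OP the RP already trusts and that target_link_uri points back at the RP itself (otherwise the endpoint is an open redirector). All issuer URLs, endpoints, client names and the initiate-login path are constructed values for the example.

```python
"""OIDC third-party initiated login (OIDC Core 1.0 sec. 4), both sides.

Constructed example: issuer, endpoints and client names are made up.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class LoginInitiationError(Exception):
    """Raised when an initiation or callback request fails validation."""


def query_params(url):
    """Parse the query string of `url` into {name: [values]}."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def single_param(query, name, required=True):
    """Return the one value of `name`, or None if absent and not required.

    Duplicated parameters are rejected so a second `iss` or
    `target_link_uri` cannot be smuggled past a first-value-wins parser.
    """
    values = query.get(name, [])
    if len(values) > 1:
        raise LoginInitiationError(f"duplicate parameter: {name}")
    if not values:
        if required:
            raise LoginInitiationError(f"missing parameter: {name}")
        return None
    return values[0]


# --- Initiator side (an OP such as Keycloak, or a third party) -------------
def build_login_initiation_url(initiate_login_uri, issuer,
                               login_hint=None, target_link_uri=None):
    """Redirect URL to the RP's initiate_login_uri. `iss` is REQUIRED by the
    spec; `login_hint` and `target_link_uri` are OPTIONAL."""
    params = {"iss": issuer}
    if login_hint is not None:
        params["login_hint"] = login_hint
    if target_link_uri is not None:
        params["target_link_uri"] = target_link_uri
    return f"{initiate_login_uri}?{urlencode(params)}"


# --- RP side -----------------------------------------------------------------
class RelyingParty:
    def __init__(self, client_id, redirect_uri, default_landing, trusted_ops):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.default_landing = default_landing      # where to send the user if no target_link_uri
        self.trusted_ops = trusted_ops              # issuer -> authorization_endpoint (normally from discovery)
        self.sessions = {}                          # state -> pending login (one-shot)

    def _same_origin(self, url):
        """target_link_uri must be on this RP: scheme and host:port must match
        the RP's own origin. Rejects //evil.example, http downgrade, lookalike
        hosts and user@host tricks because netloc is compared whole."""
        a, b = urlsplit(url), urlsplit(self.default_landing)
        return (a.scheme.lower() == b.scheme.lower()
                and a.netloc.lower() == b.netloc.lower())

    def handle_initiate_login(self, request_url):
        """Validate the initiation request and return the authentication
        request URL at the trusted OP (authorization code flow + PKCE)."""
        query = query_params(request_url)
        iss = single_param(query, "iss")
        if iss not in self.trusted_ops:
            raise LoginInitiationError("iss is not a trusted OP")
        target = single_param(query, "target_link_uri", required=False)
        if target is None:
            target = self.default_landing
        elif not self._same_origin(target):
            raise LoginInitiationError("target_link_uri is not on this RP")
        login_hint = single_param(query, "login_hint", required=False)

        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)
        challenge = base64.urlsafe_b64encode(
            hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
        self.sessions[state] = {"iss": iss, "nonce": nonce,
                                "code_verifier": verifier, "target": target}
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid",
                  "state": state, "nonce": nonce,
                  "code_challenge": challenge, "code_challenge_method": "S256"}
        if login_hint is not None:
            params["login_hint"] = login_hint
        return f"{self.trusted_ops[iss]}?{urlencode(params)}"

    def handle_callback(self, request_url):
        """Consume the OP's redirect back. The token exchange (code +
        code_verifier at the token endpoint, then nonce/iss checks on the ID
        token) is the ordinary code flow and is not modelled here."""
        query = query_params(request_url)
        state = single_param(query, "state")
        pending = self.sessions.pop(state, None)   # one-shot: a replay fails
        if pending is None:
            raise LoginInitiationError("unknown or already used state")
        return {"code": single_param(query, "code"),
                "code_verifier": pending["code_verifier"],
                "nonce": pending["nonce"], "redirect_to": pending["target"]}
```

Note that the RP never trusts anything in the initiation request beyond using iss to pick an OP it already knows and target_link_uri as a post-login destination on its own origin; authentication itself still happens through the RP's own authorization request, with state bound to that one login and consumed on the callback.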