Re: [keycloak-dev] Async authentication example

On 12 July 2017 at 12:24, Hynek Mlnarik <hmlnarik(a)redhat.com&gt; wrote: > > Great! > > For 7.2 and on, action tokens approach is the way, and actually a > quickstart with that has been implemented [1]. Instead of an authenticator > and note manipulation that are necessary for 7.1, it employs required > actions (when action token is used, it just removes the custom required > action). > > It uses somewhat similar approach to the SET but currently with a two > tokens - one created and signed by Keycloak used to reenter the > authentication flow when the app completes its flow, and the other signed by > the app to have certain chance that the response has indeed been generated > by the correct app. For details see README.md. Action tokens may work in some situations, but may not always work. If there is a specific protocol being used (for example BankID https://www.bankid.com/) it may demand a certain callback format in which case we would have to implement a custom realm resource to handle the callback. Hynek - could you create a fork of my example that uses action tokens? > > > [1] https://github.com/keycloak/keycloak-quickstarts/pull/37 > > On Tue, Jul 11, 2017 at 7:10 PM, Pedro Igor Silva <psilva(a)redhat.com&gt; > wrote: >> >> Really nice ! >> >> On Tue, Jul 11, 2017 at 9:29 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; >> wrote: >> >> > I gave it a go and implemented an "async" authentication example. It's >> > rather simple what happens is: >> > >> > * User authenticates with username only >> > * Then a "waiting" page is displayed, which is waiting for some >> > external >> > callback. This could be an app or whatever that verifies the user then >> > sends the callback. In the example a CURL command is printed on sysout >> > for >> > the server which you can run to "simulate" the callback from the app. >> > * Once the callback is received the user is authenticated without >> > filling >> > in password or any other credentials in the main browser >> > >> >> Maybe you can use a SET [1], which is basically a JWT, in order to >> communicate authentication events between parties. For instance, send >> additional data to the external callback about the authentication context >> and receive back from the external callback information on how to proceed >> with the authentication. >> >> [1] https://tools.ietf.org/html/draft-hunt-idevent-token-03 >> >> >> > >> > https://github.com/stianst/authenticator-example >> > >> > Check it out here: >> > https://youtu.be/C09BpNIf4v8 >> > >> > It's a bit hacky in the way it's implemented: >> > >> > * Using notes for "callback" is a bit strange maybe? >> > * Had to use custom realm resource for callback endpoint. Is this >> > strange? >> > * Probably won't work for cross DC, but in 7.2 Hynek has stuff that >> > does >> > that >> > * No way to push change to browser, so have to pull every 2 seconds. >> > Maybe >> > we could add a simple authentication event feature that uses websockets >> > and >> > a small auth js lib to do the job of notification? >> > _______________________________________________ >> > keycloak-dev mailing list >> > keycloak-dev(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > -- > > --Hynek