Re: [keycloak-dev] PicketLink and KC Integration

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Pedro Igor Silva" <psilva(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, July 25, 2014 10:44:47 PM Subject: Re: [keycloak-dev] PicketLink and KC Integration Good work. This is precisely the type of integration with Picketlink I was hoping for. On 7/25/2014 5:58 PM, Pedro Igor Silva wrote: > Another aspect is the possibility to provide a deep integration with a > specific IdP in order to properly manage tokens by a consumer > application. This is specially useful when your application does not > use KC adapter, but only keycloak.js or something else to update and > send tokens in every single request to the server. > This could work for Bearer token requests, but not for the oauth redirection protocol. Unless Picketlink has a pure-servlet authentication SPI that we could write an adapter for.

I want to write a pure-servlet adapter and a pure-jaxrs adapter just haven't had the time yet. BTW, take a look at Ubefire security SPIs. It might be interesting to get them to move it to Picketlink. Then Picketlink could have a pure-servlet, portable authentication layer. I don't know anything about Spring Security, but maybe this is in the same area.

> With that in mind, I would like to know if we can provide the KC > related implementation from KC itself. The motivation is that in > order to properly handle KC tokens we need some KC libraries and I > think the best place to put this is in KC. Any change to API or > something we get during KC build. KC users looking for PL integration > just get it from KC OOTB. > I don't care where the code lives. Up to you. We can maintain it so long as you provide some unit tests. (it would go under integration/)

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com