Once OpenShift v3 Online is up and running, will it allow users to register
clients so they can use it as a "social login provider"? If so, sure, let's
add it and have it by default point to OpenShift Online. We need
documentation added as well as testing, though.
Testing:
On 16 February 2017 at 19:57, Bartosz Majsak <bartosz(a)redhat.com> wrote:
> redirect_uri is part of the OAuth spec, so it should.
That’s totally correct. My bad, I must have been in a rabbit hole chasing a
bunch of other issues in my code and somehow assumed that was the root
cause. In fact it works with and w/o it, as the redirect URI is configured when
you register a client in OpenShift [1].
But still, I cannot simply use OIDC as it adds openid to the scope and this
results in the OpenShift OAuth server complaining about the request - "Invalid
value: "openid": no scope handler found"
My implementation is based on AbstractOAuth2IdentityProvider and in fact it
only differs when it comes to extracting profile information (other changes
done in the project I shared in the opening mail are not feasible to make
it upstream).
To elaborate a bit on the use-case: our DevTools project will need to have
access to the user’s OSO resources such as projects and thus we need such
integration. We can live with the SPI extension, but if you feel like it would
be beneficial to the project I’m more than happy to contribute this piece
(and improve it based upon feedback from the PR).
Cheers,
Bartosz.
[1] https://docs.openshift.org/latest/architecture/additional_concepts/authentication.html#oauth-clients
On Wed, Feb 15, 2017 at 3:30 PM, Bill Burke <bburke(a)redhat.com> wrote:
> redirect_uri is part of the OAuth spec, so it should. Without a
> redirect URI, the IDP is supposed to abort authentication as this URI is
> validated. You don't want to deliver an access code to a rogue URL.
>
>
> On 2/15/17 6:38 AM, Bartosz Majsak wrote:
> > OpenShift should authenticate against Keycloak (or another IdP) at least
> > for on-prem installations.
> >
> > This is intended primarily for OSO I believe.
> >
> > For OpenShift Online I see a use-case for this, but in that case can it not
> > just use the OIDC provider?
> >
> > One issue I can already point out is that when using OIDC provider
> > authorization URL created by an AbstractOAuth2IdentityProvider will result
> > in bad request from OpenShift OAuth server, as it doesn’t accept
> > redirect_uri as a valid request parameter. At least when tested against
> > minishift.
> >
> >
> > On Wed, Feb 15, 2017 at 12:29 PM, Stian Thorgersen <sthorger(a)redhat.com>
> > wrote:
> >
> >> Not sure to be honest. Strictly speaking it should be the other way
> >> around. OpenShift should authenticate against Keycloak (or another IdP) at
> >> least for on-prem installations. For OpenShift Online I see a use-case for
> >> this, but in that case can it not just use the OIDC provider?
> >>
> >> On 15 February 2017 at 02:46, Bartosz Majsak <bartosz(a)redhat.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> I've implemented Openshift Identity Provider for KeyCloak [1]. Would you
> >>> be interested in getting it upstream?
> >>>
> >>> Cheers,
> >>> Bartosz.
> >>>
> >>> [1] https://github.com/bartoszmajsak/keycloak-openshift-identity-provider
> >>
>
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
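The two server-side checks the thread touches on are redirect_uri validation (Bill's point that the IdP must abort rather than deliver a code to an unregistered URL) and scope handling (the "no scope handler found" rejection Bartosz hit when the openid scope was added). The following is an added example written for this page, not code from Keycloak, OpenShift or the linked identity-provider project; it sketches an authorization endpoint that applies both checks. The client ids, redirect URIs and scope names are constructed sample values, and the issued code is a labelled placeholder.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed sample registrations (hypothetical client ids and URIs, not
# values taken from the thread).
REGISTERED_CLIENTS: Dict[str, List[str]] = {
    "keycloak-broker": [
        "https://sso.example.test/auth/realms/demo/broker/openshift/endpoint",
    ],
    "two-uri-client": [
        "https://app1.example.test/cb",
        "https://app2.example.test/cb",
    ],
}

# Scopes this server has a handler for (assumed sample names). Anything else
# is rejected, which mirrors the "no scope handler found" error in the thread.
SCOPE_HANDLERS = {"user:info", "user:full"}


def validate_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> Tuple[bool, str]:
    """Exact-match the requested redirect_uri against the client's registered URIs."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        return False, "unknown client_id"
    if redirect_uri is None:
        # RFC 6749 section 3.1.2.3: the parameter may be omitted only when
        # exactly one URI is registered; otherwise the request is incomplete.
        if len(registered) == 1:
            return True, "defaulted to the single registered redirect_uri"
        return False, "redirect_uri required: client has several registered URIs"
    if urlsplit(redirect_uri).fragment:
        return False, "redirect_uri must not contain a fragment"
    # Exact string comparison: no prefix, wildcard or host-only matching.
    if redirect_uri not in registered:
        return False, "redirect_uri does not match a registered URI"
    return True, "ok"


def validate_scope(scope: str) -> Tuple[bool, str]:
    """Reject any space-separated scope value this server has no handler for."""
    unknown = [s for s in scope.split() if s not in SCOPE_HANDLERS]
    if unknown:
        return False, 'Invalid value: "%s": no scope handler found' % unknown[0]
    return True, "ok"


def handle_authorize(params: Dict[str, str]) -> Dict[str, object]:
    """Decide an /authorize request; returns a dict standing in for the HTTP response."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri")
    ok, reason = validate_redirect_uri(client_id, redirect_uri)
    if not ok:
        # RFC 6749 section 4.1.2.1: with an invalid redirect_uri the server
        # MUST NOT redirect; it answers the user-agent directly instead.
        return {"status": 400, "error": "invalid_request", "error_description": reason}
    target = redirect_uri or REGISTERED_CLIENTS[client_id][0]
    query: Dict[str, str] = {}
    if "state" in params:
        query["state"] = params["state"]  # echoed back unchanged per the spec
    ok, reason = validate_scope(params.get("scope", ""))
    if not ok:
        # The redirect target is now trusted, so the error may travel back to it.
        query.update({"error": "invalid_scope", "error_description": reason})
        return {"status": 302, "location": f"{target}?{urlencode(query)}", "error": "invalid_scope"}
    # Placeholder code value: a real server issues a fresh, random, short-lived one.
    query["code"] = "CODE-PLACEHOLDER"
    return {"status": 302, "location": f"{target}?{urlencode(query)}", "error": None}


if __name__ == "__main__":
    good = REGISTERED_CLIENTS["keycloak-broker"][0]
    print(handle_authorize({"client_id": "keycloak-broker", "redirect_uri": good, "scope": "openid user:info"}))
    print(handle_authorize({"client_id": "keycloak-broker", "redirect_uri": "https://other.example.test/cb"}))
```

The ordering matters: the redirect_uri check runs first, because only once the target is known to be registered may any error (including invalid_scope) be sent to it via a redirect; an unregistered target gets a direct 400 and no redirect at all.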