1:48 a.m.
Hi ,
Instead of Existing one step authentication(user/pass), We need custom certificate based
authentication which is 2-step Authentication as below:
1. Bypass Login screen , instead generate nonce(UUID) and provide intermediate
Endpoint URL for Certificate based authentication.
2. Client will come to Certificate based authentication with its certificate and
encrypted UUID. After Validating Encrypted UUID
and Client certificate server should generate "Access code".
We have gone through 1.3 Beta source code and realised to achieve this following code
changes are needed
1. Changes in TokenService class (login method) to bypass login form and generate
UUID.
2. Preserve UUID and url parameters obtained during the call in TokenManager.
3. Redirect to custom_endpoint where client will submit its certificate and encrypted
nonce.
This end point will generate "access Code" once cert authentication
completed.
It looks we need to make changes in some of core files like
TokenService,TokenManager,OAuthFlows,...
Can you please let us know if there is any we can achieve this customization just by
hooking our code
(without modifying).
Thanks,
Lakshmi Narayana V
4:09 a.m.
Afraid at the moment we don't have any proper way to hook into this, but we are
planning to add this in the future.
I'm assuming you're authenticating clients, not users? If so that's something
we plan to add support for at some point.
We'll probably add two extension points, one for adding custom login for users (for
example a hardware multi-factor auth or even fingerprint scanner) and another for
authenticating clients (certificate, jwt, etc.).
----- Original Message -----
From: "Lakshmi Narayana VADALI (lvadali)"
<lvadali(a)cisco.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 9 September, 2014 7:48:44 AM
Subject: [keycloak-dev] Customising Keycloak Authentication flow
Hi ,
Instead of Existing one step authentication(user/pass), We need custom
certificate based authentication which is 2-step Authentication as below:
1. Bypass Login screen , instead generate nonce(UUID) and provide
intermediate Endpoint URL for Certificate based authentication.
2. Client will come to Certificate based authentication with its certificate
and encrypted UUID. After Validating Encrypted UUID
and Client certificate server should generate “Access code”.
We have gone through 1.3 Beta source code and realised to achieve this
following code changes are needed
1. Changes in TokenService class (login method) to bypass login form and
generate UUID.
2. Preserve UUID and url parameters obtained during the call in TokenManager
.
3. Redirect to custom_endpoint where client will submit its certificate and
encrypted nonce.
This end point will generate “access Code” once cert authentication
completed.
It looks we need to make changes in some of core files like
TokenService,TokenManager,OAuthFlows,...
Can you please let us know if there is any we can achieve this customization
just by hooking our code
(without modifying).
Thanks,
Lakshmi Narayana V
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:32 a.m.
Thanks for the quick reply.
We are planning to authenticate a device(client) which will come with its certificate. It
seems two extension points may not work for the requirement we have.
The cert implementation for keycloak that is planned may not work for us, as we need to
handle this authentication differently.
For, e.g., we can’t configure the Realm client’s trust store to contain certificates
from all clients. In absence of this we will
need the client to provide its certificate which is signed by a specific CA root
authority and also establish that it owns the private key
for this certificate.
Can you please help us understand
1. what kind of hooks are planned and when they are planned?
2. Will the hook help in building 2-step authentication we need?(2-step authentication
explained in my initial mail)
Thanks,
Lakshmi Narayana V
-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Tuesday, September 09, 2014 1:39 PM
To: Lakshmi Narayana VADALI (lvadali)
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Customising Keycloak Authentication flow
Afraid at the moment we don't have any proper way to hook into this, but we are
planning to add this in the future.
I'm assuming you're authenticating clients, not users? If so that's something
we plan to add support for at some point.
We'll probably add two extension points, one for adding custom login for users (for
example a hardware multi-factor auth or even fingerprint scanner) and another for
authenticating clients (certificate, jwt, etc.).
----- Original Message -----
From: "Lakshmi Narayana VADALI (lvadali)"
<lvadali(a)cisco.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 9 September, 2014 7:48:44 AM
Subject: [keycloak-dev] Customising Keycloak Authentication flow
Hi ,
Instead of Existing one step authentication(user/pass), We need custom
certificate based authentication which is 2-step Authentication as below:
1. Bypass Login screen , instead generate nonce(UUID) and provide
intermediate Endpoint URL for Certificate based authentication.
2. Client will come to Certificate based authentication with its
certificate and encrypted UUID. After Validating Encrypted UUID
and Client certificate server should generate “Access code”.
We have gone through 1.3 Beta source code and realised to achieve this
following code changes are needed
1. Changes in TokenService class (login method) to bypass login form
and generate UUID.
2. Preserve UUID and url parameters obtained during the call in
TokenManager .
3. Redirect to custom_endpoint where client will submit its
certificate and encrypted nonce.
This end point will generate “access Code” once cert authentication
completed.
It looks we need to make changes in some of core files like
TokenService,TokenManager,OAuthFlows,...
Can you please let us know if there is any we can achieve this
customization just by hooking our code
(without modifying).
Thanks,
Lakshmi Narayana V
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
5:43 a.m.
----- Original Message -----
From: "Lakshmi Narayana VADALI (lvadali)"
<lvadali(a)cisco.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 9 September, 2014 11:32:03 AM
Subject: RE: [keycloak-dev] Customising Keycloak Authentication flow
Thanks for the quick reply.
We are planning to authenticate a device(client) which will come with its
certificate. It seems two extension points may not work for the requirement
we have.
The cert implementation for keycloak that is planned may not work for us, as
we need to handle this authentication differently.
For, e.g., we can’t configure the Realm client’s trust store to contain
certificates from all clients. In absence of this we will
need the client to provide its certificate which is signed by a specific CA
root authority and also establish that it owns the private key
for this certificate.
Can you please help us understand
1. what kind of hooks are planned and when they are planned?
We don't know how it'll look like yet. Hopefully this is something we can add by
the end of the year.
In the mean-time I'd suggest you:
1. Create a new jaxrs class with two methods, one that returns the nounce and another that
authenticates the client, look at TokenService as a reference for this, specifically at
TokenService.grantAccessToken.
2. Extend KeycloakApplication to add your new class
3. Create your own auth-server war - see 'project-integrations/aerogear-ups' as a
reference for this
That should allow you to add the functionality you need without having to modify existing
Keycloak code.
2. Will the hook help in building 2-step authentication we
need?(2-step
authentication explained in my initial mail)
Yes, we'll include your use-case when designing the hooks
Thanks,
Lakshmi Narayana V
-----Original Message-----
From: Stian Thorgersen [mailto:stian@redhat.com]
Sent: Tuesday, September 09, 2014 1:39 PM
To: Lakshmi Narayana VADALI (lvadali)
Cc: keycloak-dev(a)lists.jboss.org
Subject: Re: [keycloak-dev] Customising Keycloak Authentication flow
Afraid at the moment we don't have any proper way to hook into this, but we
are planning to add this in the future.
I'm assuming you're authenticating clients, not users? If so that's
something
we plan to add support for at some point.
We'll probably add two extension points, one for adding custom login for
users (for example a hardware multi-factor auth or even fingerprint scanner)
and another for authenticating clients (certificate, jwt, etc.).
----- Original Message -----
> From: "Lakshmi Narayana VADALI (lvadali)" <lvadali(a)cisco.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 9 September, 2014 7:48:44 AM
> Subject: [keycloak-dev] Customising Keycloak Authentication flow
>
>
>
> Hi ,
>
>
>
> Instead of Existing one step authentication(user/pass), We need custom
> certificate based authentication which is 2-step Authentication as below:
>
> 1. Bypass Login screen , instead generate nonce(UUID) and provide
> intermediate Endpoint URL for Certificate based authentication.
>
> 2. Client will come to Certificate based authentication with its
> certificate and encrypted UUID. After Validating Encrypted UUID
>
> and Client certificate server should generate “Access code”.
>
>
>
> We have gone through 1.3 Beta source code and realised to achieve this
> following code changes are needed
>
> 1. Changes in TokenService class (login method) to bypass login form
> and generate UUID.
>
> 2. Preserve UUID and url parameters obtained during the call in
> TokenManager .
>
> 3. Redirect to custom_endpoint where client will submit its
> certificate and encrypted nonce.
>
> This end point will generate “access Code” once cert authentication
> completed.
>
>
>
> It looks we need to make changes in some of core files like
> TokenService,TokenManager,OAuthFlows,...
>
> Can you please let us know if there is any we can achieve this
> customization just by hooking our code
>
> (without modifying).
>
>
>
> Thanks,
>
> Lakshmi Narayana V
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
3514
days inactive
3514
days old
3 comments
2 participants
participants (2)
-
Lakshmi Narayana VADALI (lvadali) -
Stian Thorgersen