On Apr 21, 2015, at 1:06 PM, Bill Burke <bburke(a)redhat.com> wrote:
FYI: Generic OIDC is not enough. OIDC does not have a SP logout callback. So, the admin
console would not be able to remotely logout the user. There are also a few other
events that the admin console can push to SPs, i.e. Not-before policies, and later on,
black/white lists.
On 4/21/2015 11:19 AM, Scott Rossillo wrote:
> Hi Bill,
>
> I’ll try to get some code out soon so we can review. The adapter core does take care
> of a lot of the integration with KC and verification, which can be reused. The main
> component from adapter core that’s helpful is RequestAuthenticator, which means I'll
> implement a few abstract methods, and provide implementations of HttpFacade and
> AdapterTokenStore.
>
> The main Spring classes for authentication are an AuthenticationProcessingFilter and
> an AuthenticationProvider. The AuthenticationProcessingFilter will delegate authentication
> and authorization requests to an implementation of RequestAuthenticator and the
> AuthenticationProcessingFilter basically votes on whether or not to accept the
> authentication.
>
> If I was going to do this without RequestAuthenticator, I may as well write a generic
> Spring Security OIDC client, but that would be a ton more work and would be more difficult
> to configure. I like how the adapters let users get started quickly, by adding a library
> and inserting the generated keycloak.json file into their deployment. The main goal of the
> Keycloak Spring Security adapter is to eliminate the requirement that we use web.xml
> security constraints and the need for a container specific adapter.
>
> Spring Security is a lot more flexible than the servlet security spec on what
> endpoints should be protected and how. A lot of Spring Security users are accustomed to
> that flexibility and I'd like to bring that to Keycloak while maintaining your adapter
> deployment simplicity.
>
> ~ Scott
>
>
>> On Apr 21, 2015, at 10:53 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> FYI, Our common adapter module is a bit convoluted as it is shared
>> between different versions of Jetty, Tomcat, JBoss, and Wildfly who all
>> do security a bit differently. A pure Spring adapter would be great,
>> but we have zero experience with Spring Security. I've done some
>> component integration work with core Spring awhile back, but nothing for
>> years.
>>
>> On 4/21/2015 2:47 AM, Stian Thorgersen wrote:
>>> It's been years since I last looked at Spring, so I'm not the person to ask ;)
>>>
>>> It sounds like the pure Spring Security Adapter is the better option. You
>>> should at least try to use code from integration/adapter-core module as that's used as the
>>> core for all our current Java based adapters. Also, it should be configurable by supplying
>>> a keycloak.json file.
>>>
>>> ----- Original Message -----
>>>> From: "Scott Rossillo" <srossillo(a)smartling.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
>>>> Sent: Tuesday, 21 April, 2015 1:02:28 AM
>>>> Subject: Re: [keycloak-dev] Spring Security for Keycloak Contribution
>>>>
>>>> Hi,
>>>>
>>>> There are two different approaches here. The project I mentioned still relies
>>>> on a Keycloak adapter being present in the servlet container. It’s not quite
>>>> the final product I need but it would be useful to people who can declare
>>>> their protected resources in web.xml.
>>>>
>>>> What I’m working on now is a Keycloak adapter-less Spring Security
>>>> integration. Basically, it’s a Keycloak Spring Security Adapter that can
>>>> stand on its own and protect resources based on the Spring Security
>>>> configuration. It’s this latter implementation that I believe has the most
>>>> value.
>>>>
>>>> Question for you: Do you want to see both approaches covered or is one
>>>> approach more in line with the Keycloak project’s goals?
>>>>
>>>> In my opinion, the latter, Keycloak Spring Security Adapter, is of more value,
>>>> but please let me know your thoughts.
>>>>
>>>> Thanks in advance,
>>>> Scott
>>>>
>>>>
>>>>> On Apr 16, 2015, at 9:24 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>>
>>>>> If you can prepare a PR for it that'd be great. Please add a
>>>>> 'spring-security' module within the integration module where all the other
>>>>> adapters live. Also, to create a distribution archive for the adapter
>>>>> please add a module inside distribution that packages it up (look at
>>>>> existing modules there for a reference).
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Scott Rossillo" <srossillo(a)smartling.com>
>>>>>> To: "keycloak-dev" <keycloak-dev(a)lists.jboss.org>
>>>>>> Sent: Thursday, April 16, 2015 3:08:13 PM
>>>>>> Subject: [keycloak-dev] Spring Security for Keycloak Contribution
>>>>>>
>>>>>> Good morning,
>>>>>>
>>>>>> As I mentioned a few days ago on the users mailing list, we developed an
>>>>>> integration between the Keycloak Adapter and Spring Security. The
>>>>>> announcement can be found here:
>>>>>>
>>>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001992.html
>>>>>>
>>>>>> The code is here:
>>>>>>
>>>>>> http://smartling.github.io/spring-security-keycloak/
>>>>>>
>>>>>> Would you be interested in either:
>>>>>> 1. Us contributing the code to the Keycloak project or
>>>>>> 2. You integrating the code into the Keycloak project
>>>>>>
>>>>>> We released the code under the Apache 2.0 license to be compatible with
>>>>>> the Keycloak project. Let me know your thoughts.
>>>>>> Best,
>>>>>> Scott
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>>
>>>
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
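The thread above describes two things in prose: Scott's design, where a Spring Security AuthenticationProcessingFilter delegates to a RequestAuthenticator and an AuthenticationProvider votes on the result, and Bill's point that the SP must also honour events the admin console pushes, such as a not-before policy that invalidates tokens minted before a given time. The following is an added example, not code from Keycloak's adapter-core or from the Smartling project. It uses real Spring Security and Servlet API types, but `RequestAuthenticator` and `AccessToken` here are hypothetical stand-ins I defined for illustration; the adapter-core class of the same name has a different contract.

```java
// Added example (not Keycloak or Smartling code). RequestAuthenticator and AccessToken
// are hypothetical stand-ins; the Spring Security and Servlet types are real.
import java.io.IOException;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/** Hypothetical minimal model of an access token whose signature has already been verified. */
final class AccessToken {
    final String subject;
    final long issuedAt;        // "iat" claim, seconds since the epoch
    final List<String> roles;

    AccessToken(String subject, long issuedAt, List<String> roles) {
        this.subject = subject;
        this.issuedAt = issuedAt;
        this.roles = roles;
    }
}

/**
 * Hypothetical stand-in for the adapter-core RequestAuthenticator: validates a bearer
 * token or completes the OIDC code flow. Returns null once it has written a challenge
 * or redirect to the response, which tells the filter to stop the chain.
 */
interface RequestAuthenticator {
    AccessToken authenticate(HttpServletRequest request, HttpServletResponse response)
            throws IOException;
}

/** Authentication object carried from the filter to the provider. */
final class KeycloakAuthenticationToken extends AbstractAuthenticationToken {
    private final AccessToken token;

    /** Unauthenticated request token: the filter hands this to the AuthenticationManager. */
    KeycloakAuthenticationToken(AccessToken token) {
        super(null);                       // null means "no authorities yet"
        this.token = token;
    }

    /** Fully authenticated token: only the provider builds this. */
    KeycloakAuthenticationToken(AccessToken token, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.token = token;
        setAuthenticated(true);
    }

    AccessToken getToken() { return token; }
    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return token.subject; }
}

/** Filter: delegates to the authenticator and lets the AuthenticationManager vote. */
final class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
    private final RequestAuthenticator authenticator;

    KeycloakAuthenticationProcessingFilter(RequestAuthenticator authenticator) {
        super("/**"); // all requests pass through; Spring Security matchers decide what is protected
        this.authenticator = authenticator;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        AccessToken token = authenticator.authenticate(request, response);
        if (token == null) {
            return null; // challenge already sent; Spring Security stops the chain on null
        }
        return getAuthenticationManager().authenticate(new KeycloakAuthenticationToken(token));
    }
}

/** Provider: applies the admin-pushed not-before policy, then maps roles to authorities. */
final class KeycloakAuthenticationProvider implements AuthenticationProvider {
    private volatile long notBefore; // seconds since the epoch; 0 means no policy in force

    /** Called when the admin console pushes a new not-before policy to this SP. */
    void setNotBefore(long notBefore) { this.notBefore = notBefore; }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        AccessToken token = ((KeycloakAuthenticationToken) authentication).getToken();
        // A token minted before the policy timestamp is rejected even though its signature
        // and expiry are still valid; the user has to obtain a fresh token.
        if (token.issuedAt < notBefore) {
            throw new BadCredentialsException("Token issued before the not-before policy; re-authenticate");
        }
        List<SimpleGrantedAuthority> authorities = token.roles.stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
        return new KeycloakAuthenticationToken(token, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return KeycloakAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The split matters for the point Bill raises: the filter only establishes who the caller is, while the provider is where SP-side state pushed by the admin console (here the not-before timestamp) gets a vote on every request, so a push of a new policy takes effect on the next request without waiting for tokens to expire. A remote logout callback would likewise need an endpoint on the SP that clears the stored session, which a generic OIDC client library does not give you.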