Interesting, but maybe not that straightforward to do.
Depends on what flow you'd like to use. The ideal would be to use the web
redirect flow (authorization code flow). Using the web redirect flow you
can still display forms if needed. For instance, if the ID token isn't valid
and you want to ask for username/password instead, the user needs to update
their profile, etc.
An alternative is to use the direct grant (aka resource owner credential
grant) flow to simply exchange the ID token retrieved from Google with
tokens from Keycloak.
In either case this can be done with custom authentication flow and
authenticator. Take a look at the server developer guide and our examples
for some inspiration there. It may also better fit in with identity
brokering, but that would probably require code changes on the Keycloak
side rather than just an extension.
On 12 September 2017 at 05:45, Summers Pittman <supittma(a)redhat.com> wrote:
TL;DR; How do I shove this :
I've been reading up on how to extend the KeyCloak service and I want to
write a (SPI? module? extension?) that lets me sign into my server
services using a Google ID Token. This will let me use the Google account
on my Android phone without ever having to open a web page. In fact if I
only have one Google account on my phone I can automatically log my user
into my app without ever having to prompt them.
However, I'm not really sure where to start. I've cloned the keycloak
repository and have been reviewing the code there and cross referencing
with the docs, but I think I need a little more "push" in the right
For reference, I've implemented this flow in both Node.js and Java before
without much trouble so I should be able to get a PoC up in an afternoon or
two once I know where to put the code.
keycloak-dev mailing list
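The direct grant variant suggested in the reply above, as an added example that is not code from the thread or from the Keycloak project: a custom Authenticator that takes a Google ID token posted by the mobile client, verifies it against Google's published signing keys, and maps it to an existing Keycloak user. It assumes the Keycloak 3.x Authenticator SPI (where users().getUserByEmail takes the email first), google-api-client on the classpath, a form parameter named google_id_token (a name chosen here), and that the Android app's OAuth client ID is placed in GOOGLE_CLIENT_ID; the AuthenticatorFactory and the META-INF/services registration are left out for space.

```java
// Added example, not the thread's or Keycloak's own code. Assumes Keycloak 3.x SPI,
// google-api-client, a form field "google_id_token" (hypothetical name) and that
// GOOGLE_CLIENT_ID holds the Android app's OAuth 2.0 client ID.
package org.example.keycloak;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import javax.ws.rs.core.MultivaluedMap;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

public class GoogleIdTokenAuthenticator implements Authenticator {

    // Form field the mobile client sends with its direct grant request (assumed name).
    static final String TOKEN_PARAM = "google_id_token";

    // The "aud" of the token must be this client ID; without the audience check a token
    // Google minted for some unrelated app would also log the user in here.
    static final String GOOGLE_CLIENT_ID = "REPLACE-WITH-YOUR-CLIENT-ID.apps.googleusercontent.com";

    private final GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(
            new NetHttpTransport(), JacksonFactory.getDefaultInstance())
            .setAudience(Collections.singletonList(GOOGLE_CLIENT_ID))
            .build();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String rawToken = form.getFirst(TOKEN_PARAM);
        if (rawToken == null || rawToken.isEmpty()) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        GoogleIdToken idToken;
        try {
            // verify() checks the signature against Google's current keys, the issuer,
            // the expiry and the audience configured above; it returns null on failure.
            idToken = verifier.verify(rawToken);
        } catch (GeneralSecurityException | IOException e) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        if (idToken == null) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        GoogleIdToken.Payload payload = idToken.getPayload();
        // Only use the e-mail for account lookup when Google marks it verified; otherwise a
        // fresh Google account claiming a victim's address could take over their user here.
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        RealmModel realm = context.getRealm();
        UserModel user = context.getSession().users().getUserByEmail(payload.getEmail(), realm);
        if (user == null) {
            // Auto-creating or linking users is a policy decision; unknown users are rejected.
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }
        context.setUser(user);
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // Direct grant has no second round trip with the user, so nothing is handled here.
        context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To wire it in, pair the class with an AuthenticatorFactory registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory, copy the built-in "direct grant" flow in the admin console, replace the password execution with this one, and bind the copy as the direct grant flow of the mobile client. Keep the audience check in place: a token whose "aud" is another application's client ID must not be accepted, even though its signature is valid.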