3:21 a.m.
Stian,
As per your previous email I should use the endpoint
/{realm}/protocols/openid-connect/token
However, I am using version 1.1.0.Final of keycloak. Seems like this is the production
ready release available, however this does not have the above endpoint [
/{realm}/protocols/openid-connect/token]
Instead Version 1.1.0 Final has this end point which seems to be doing the same
functionality;
/realms/demo/protocol/openid-connect/access/codes
So I have a few questions regarding the above;
1/ Is the /access/codes api endpoint same as /token endpoint. Where the latter is planned
to released in a future version? I compared the js adapters in 1.1.0 and 1.2.0.Beta. The
1.1.0 version uses /access/codes api endpoint while 1.2.0.Beta uses /token
2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been changed. What
is the mapping endpoint for this in 1.1.0 version? Are there are other apis signatures
that are planned to be changed in the future?
3/ If I am using keycloak for an application which I am planning to roll out to production
soon, which version would u recommend?
4/ The above apis are for openid-connect. What are the endpoints available if the
authorization type is saml?
Extract from previous email <<Stian>>
> * Configure adapter using keycloak.json
> * Implement client side of OAuth2 Authorization Code Grant
> 1. Generate a state variable and store in a cookie or session
> 2. Redirect to
>
/{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate
> uuid>&redirect_uri=<callback uri>
> 3. Once the user has logged-in it's redirected back to <callback uri>
with
> a code query param
> 4. Use the code query param to obtain a token by posting to
> /{realm}/protocols/openid-connect/token the form-data should be
> grant_type=authorization_code&code=<code> you also need to include a http
> basic authorization header with client id and secret
Thanks.
Kalinga
-----Original Message-----
From: "Stian Thorgersen" <stian(a)redhat.com>
Sent: Tuesday, March 17, 2015 3:55pm
To: "Kalinga Dissanayake" <kalinga(a)leapset.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Customization of authentication mechanism and +
Source code for all adapters is in:
https://github.com/keycloak/keycloak/tree/master/integration
----- Original Message -----
> From: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Tuesday, March 17, 2015 11:23:10 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
>
> Thanks Stian. :) Let me first go thru the resources I have on the website.
> The java source code of the adapter also must be present somewhere for me to
> have a look I guess?
>
> Kalinga
>
> -----Original Message-----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> Sent: Tuesday, March 17, 2015 3:14pm
> To: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> Cc: keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
>
>
>
> If you have any more questions feel free to ask, anyone contributing code
> gets extra questions answered ;)
>
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian(a)redhat.com>
> > To: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> > Cc: keycloak-user(a)lists.jboss.org
> > Sent: Tuesday, March 17, 2015 10:41:51 AM
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> >
> > There is no hints regarding adapter logic, but what you'll need is:
> >
> * Configure adapter using keycloak.json
> * Implement client side of OAuth2 Authorization Code Grant
> 1. Generate a state variable and store in a cookie or session
> 2. Redirect to
>
/{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate
> uuid>&redirect_uri=<callback uri>
> 3. Once the user has logged-in it's redirected back to <callback uri>
with
> a code query param
> 4. Use the code query param to obtain a token by posting to
> /{realm}/protocols/openid-connect/token the form-data should be
> grant_type=authorization_code&code=<code> you also need to include a http
> basic authorization header with client id and secret
> >
> > Once you've done that you should have a token available to the application.
> > Then you have to deal with:
> >
> > * Refreshing token when expired
> > * Handle logout events from Keycloak
> > * Clustering issues
> > * If you want to support creating rest endpoints in PHP you also need to
> > support verifying the bearer token included in authorization header, this
> > can be done by checking the jws signature using the realm public key
> >
> > ----- Original Message -----
> > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> > > Cc: "Stian Thorgersen" <stian(a)redhat.com>, "Bill
Burke"
> > > <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > > Sent: Tuesday, March 17, 2015 10:26:18 AM
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > >
> > >
> > > * I can get a php application in place
> > >
> > > Kalinga
> > >
> > > -----Original Message-----
> > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> > > Sent: Tuesday, March 17, 2015 2:55pm
> > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > Cc: "Bill Burke" <bburke(a)redhat.com>,
keycloak-user(a)lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > >
> > >
> > >
> > > Thanks again.
> > > I need to go thru most documentation to get the hang of it. Will do.
> > > I would love to contribute if u can get a php application in place, is it
> > > possible for you to direct me to documentation where there are hints
> > > regarding the adapter logic?
> > >
> > > Kalinga
> > >
> > >
> > > -----Original Message-----
> > > From: "Stian Thorgersen" <stian(a)redhat.com>
> > > Sent: Tuesday, March 17, 2015 2:25pm
> > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> > > Cc: "Bill Burke" <bburke(a)redhat.com>,
keycloak-user(a)lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > >
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com>
> > > > To: "Bill Burke" <bburke(a)redhat.com>
> > > > Cc: keycloak-user(a)lists.jboss.org
> > > > Sent: Tuesday, March 17, 2015 8:52:12 AM
> > > > Subject: Re: [keycloak-user] Customization of authentication
mechanism
> > > > and
> > > > +
> > > >
> > > >
> > > >
> > > > Thanks again for your quick feedbacks.
> > > >
> > > > Sorry I have a number of questions so I will be buzzing u guys
> > > > regularly.
> > > >
> > > > I went through the document for the adapters;
> > > >
> > > >
http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
> > > >
> > > >
> > > >
> > > > So lets say I need a php application to be deployed using keycloak as
> > > > my
> > > > SSO
> > > > manager application.
> > > >
> > > > So my basic requirement is that user should have the ability to
signin
> > > > via
> > > > keycloak. I see that there are no dedicated adapters for php (I guess
> > > > it
> > > > must be in the works)
> > >
> > > We don't have a PHP adapter, and there's no immediate plans to
create
> > > one.
> > > You could use:
> > >
> > > * JavaScript adapter
> > >
(http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#...)
> > > * Proxy
> > >
(http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)
> > >
> > > Alternatively have a look on Google for instructions on using OAuth2
> > > and/or
> > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have
a
> > > OpenID Connect Discovery endpoint, which should make it easier to use
> > > other
> > > OpenID Connect client libraries with Keycloak.
> > >
> > > If you're willing to contribute a PHP adapter then let me know and I
can
> > > give
> > > you more details on what would be required and some hints to get you
> > > started.
> > >
> > > >
> > > >
> > > >
> > > > Is there a guideline that I should follow if I am to do it manually?
> > > > Basically what I should to do replicate what an adapter does (if I
dont
> > > > want
> > > > to use any adapters or my apps are mobile based or deployed on
> > > > containers
> > > > hat keycloak does not have adapters for). Hope my question is clear.
> > > >
> > > >
> > > >
> > > > Kalinga
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: "Bill Burke" <bburke(a)redhat.com>
> > > > Sent: Monday, March 16, 2015 7:46pm
> > > > To: keycloak-user(a)lists.jboss.org
> > > > Subject: Re: [keycloak-user] Customization of authentication
mechanism
> > > > and
> > > > +
> > > >
> > > >
> > > >
> > > > Minimally you need to import username. Probably email too if you want
> > > > to use any of our email-based features. With UserFederationProvider
you
> > > > can delegate to the third-party storage for other user
> > > > attributes/metadata.
> > > >
> > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:
> > > > > We don't currently have a way to plugin your own
authentication
> > > > > mechanism,
> > > > > but this is something we'll be adding.
> > > > >
> > > > > You have two choices when it comes to users, you can either use
our
> > > > > user
> > > > > federation provider mechanism to sync between Keycloak and your
> > > > > current
> > > > > db. Or you can migrate the users fully to the Keycloak db. In
either
> > > > > case
> > > > > you have an option on overriding how passwords are verified
(either
> > > > > UserFederationProvider or by extending an existing
UserProvider).
> > > > > With
> > > > > the
> > > > > above authentication mechanism we'll most likely also make
the
> > > > > verification of passwords pluggable which would support
different
> > > > > hash
> > > > > algorithms.
> > > > >
> > > > > ----- Original Message -----
> > > > >> From: "Kalinga Dissanayake"
<kalinga(a)leapset.com>
> > > > >> To: keycloak-user(a)lists.jboss.org
> > > > >> Sent: Monday, March 16, 2015 10:48:55 AM
> > > > >> Subject: [keycloak-user] Customization of authentication
mechanism
> > > > >> and
> > > > >> +
> > > > >>
> > > > >>
> > > > >>
> > > > >> Guys,
> > > > >>
> > > > >> I need to understand the capability of keycloak with my
requirement
> > > > >> and
> > > > >> to
> > > > >> ensure that keycloak is scalable to meet my needs. My main
> > > > >> requirement
> > > > >> is
> > > > >> to
> > > > >> integrate keycloak to our system to support SSO hence I need
to
> > > > >> migrate
> > > > >> my
> > > > >> existing users. My main concerns;
> > > > >>
> > > > >>
> > > > >>
> > > > >> 1/ Customize authentication method.
> > > > >>
> > > > >> I need to authenticate users similar to what we currently use
in our
> > > > >> production system. In our system, users are identified by
username,
> > > > >> password
> > > > >> and the pin.
> > > > >>
> > > > >> For instance;
> > > > >>
> > > > >> User -> jack, password -> pwd, pin -> 50000
> > > > >>
> > > > >> User should enter all three to login to the system.
> > > > >>
> > > > >> I went through the codebase and I saw that the
Authentication
> > > > >> Manager
> > > > >> (which
> > > > >> is a concrete class) does all the work inside keycloak. I
managed to
> > > > >> customize the frontend with ease, however, in order to
support the
> > > > >> pin
> > > > >> in
> > > > >> the backend seems like I have to customize the
AuthenticationManager
> > > > >> class
> > > > >> (no direct SPIs).
> > > > >>
> > > > >> Although there is a link here;
> > > > >>
> > > > >>
http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat...
> > > > >>
> > > > >> I cant seem to find anything here which matches the current
code
> > > > >> base
> > > > >> (to
> > > > >> via
> > > > >> a new authentication method via spis) and the example has
been
> > > > >> removed.
> > > > >>
> > > > >>
> > > > >>
> > > > >> 2/ Customize password hashes.
> > > > >>
> > > > >> We have our own algorithm used to store password hashes. What
should
> > > > >> I
> > > > >> do
> > > > >> to
> > > > >> add this to keycloak?
> > > > >>
> > > > >> I do not know the current passwords of the users already in
our
> > > > >> system,
> > > > >> so
> > > > >> when doing the migration i need keyclock to support the
current
> > > > >> algorithm
> > > > >> we
> > > > >> use. Can we plugin new hashing algorithms to meet my needs?
> > > > >>
> > > > >>
> > > > >>
> > > > >> Any other issues I might face?
> > > > >>
> > > > >> I feel key cloak is the right choice if the above two
questions are
> > > > >> answered.
> > > > >> Please let me know.
> > > > >>
> > > > >> _______________________________________________
> > > > >> keycloak-user mailing list
> > > > >> keycloak-user(a)lists.jboss.org
> > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user(a)lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > > >
> > > > --
> > > > Bill Burke
> > > > JBoss, a division of Red Hat
> > > > http://bill.burkecentral.com
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >