Thanks a lot, Dmitry!
Your explanation sounds pretty straightforward; I'll go about
implementing it soon and keep you up to date with feedback.
Cheers,
Vagelis
On 14/11/2018 05:02, Dmitry Telegin wrote:
Hello Vagelis,
Here's the outline of the solution as I see it:
- you'll need a custom authenticator, this could be either Script authenticator or
Java-based one (Authentication SPI [1]);
- you'll need to modify or supply your own login page. The easiest way is to use
Theme Resource JAR [2];
- next, you need to decide how you would store role secrets. I'd recommend using the
same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see
org.keycloak.credential.*);
- then, you should establish a 1-to-1 association between roles and secrets. You can use
CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that;
- or, maybe better, introduce your own entity [3] for that association, because
CREDENTIAL_ATTRIBUTE.VALUE doesn't have an index, therefore queries will be slow;
- finally, you need a mechanism to manage your role secrets. If you want to use the Admin
console GUI for that, you'll need to implement a REST endpoint [3] and your custom GUI
theme [4].
So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR.
As always, I'd recommend my BeerCloak project [6] as a reference, since it contains
many of the above.
Feel free to ask questions, and good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
[1]
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
[2]
https://www.keycloak.org/docs/latest/server_development/index.html#_theme...
[3]
https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[4]
https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[5]
https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[6]
https://github.com/dteleguin/beercloak
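The authenticator step of the outline above, written out as an added example. This is not code from the thread, from Keycloak or from BeerCloak; it assumes a Java-based authenticator (Authentication SPI) that runs as a REQUIRED step directly after the username/password form, so the extra field arrives in the same POST and the user is already known to the flow. The field name `role_secret`, the `RoleSecretStore` interface (standing in for whichever persistence you pick, CredentialAttributeEntity or a custom entity), the `RoleSecretAuthenticator` class and the iteration count are all assumptions; the Keycloak imports follow the 4.x-era package names.

```java
package example.rolesecret; // hypothetical package, not part of Keycloak or BeerCloak

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

/**
 * Reads an optional extra login field, matches it against per-role secret hashes and
 * grants the matching realm role. Assumes it runs right after the username/password
 * form, in the same POST, so context.getUser() is already set.
 */
public class RoleSecretAuthenticator implements Authenticator {

    /** Assumed name of the extra input added to the login theme's form. */
    static final String FORM_FIELD = "role_secret";

    /** Assumed persistence abstraction: one stored hash per role, however it is stored. */
    public interface RoleSecretStore {
        List<StoredSecret> listForRealm(String realmId);
    }

    /** A stored role secret: only PBKDF2 parameters and hash, never the plaintext. */
    public static final class StoredSecret {
        public final String roleName;
        public final byte[] salt;
        public final int iterations;
        public final byte[] hash;
        public StoredSecret(String roleName, byte[] salt, int iterations, byte[] hash) {
            this.roleName = roleName; this.salt = salt; this.iterations = iterations; this.hash = hash;
        }
    }

    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 27500; // assumed; align with the realm's password policy
    private final RoleSecretStore store;

    public RoleSecretAuthenticator(RoleSecretStore store) { this.store = store; }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String candidate = form.getFirst(FORM_FIELD);
        if (candidate == null || candidate.isEmpty()) {
            context.success(); // no secret supplied: default behaviour, existing role mappings only
            return;
        }
        RoleModel role = findRole(context.getRealm(), candidate);
        if (role == null) {
            // A wrong secret is a failed login, so brute-force detection and the event log see it.
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        UserModel user = context.getUser();
        user.grantRole(role); // persists the role mapping; see the note below for per-session grants
        context.success();
    }

    /** Checks every stored secret without early exit, so timing does not reveal which one matched. */
    RoleModel findRole(RealmModel realm, String candidate) {
        String matchedRole = null;
        for (StoredSecret rec : store.listForRealm(realm.getId())) {
            if (matches(candidate, rec)) {
                matchedRole = rec.roleName;
            }
        }
        return matchedRole == null ? null : realm.getRole(matchedRole);
    }

    /** PBKDF2 with the record's own salt and iteration count, compared in constant time. */
    static boolean matches(String candidate, StoredSecret rec) {
        byte[] derived = derive(candidate, rec.salt, rec.iterations, rec.hash.length);
        return MessageDigest.isEqual(derived, rec.hash);
    }

    /** Builds the record an admin-side REST endpoint would persist when a role secret is set. */
    public static StoredSecret hashForStorage(String roleName, String secret) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new StoredSecret(roleName, salt, ITERATIONS, derive(secret, salt, ITERATIONS, 32));
    }

    private static byte[] derive(String secret, byte[] salt, int iterations, int lengthBytes) {
        try {
            PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, iterations, lengthBytes * 8);
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(KDF + " not available", e);
        }
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To deploy it you still need an `AuthenticatorFactory` that constructs it with a real store, registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, and the extra `<input name="role_secret">` in the theme's login form. Two points worth deciding up front: `user.grantRole` writes a permanent role mapping, so if the role should only apply for that login, grant it through a user session note on the authentication session and a protocol mapper instead; and because the login page asks for a secret without naming a role, every stored hash is checked per attempt, which is one PBKDF2 derivation per role and therefore fine only while the number of role secrets stays small.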
On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote:
> Hello,
> I'd like some advice on how to go about implementing the following
> custom authentication scenario:
> - A user, besides the standard username and password, optionally
> provides one more secret in the login screen.
> - The secret is associated with a realm role (one to one) by the realm
> admin, and if matched the user is dynamically added to the corresponding
> role.
> - If the secret isn't provided the user is normally authenticated and
> gets whatever roles he is assigned, like the default behavior.
>
> Of course I would like to avoid implementing an SPI for that :-) but if
> it is not possible to avoid it I'd appreciate any insights and advice.
> I admit I haven't carefully read the relevant SPI extension docs yet,
> hoping that there is some way of doing it without an SPI extension.
>
> Cheers,
>
> Vagelis
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user