Hello Vagelis,
Here's the outline of the solution as I see it:
- you'll need a custom authenticator; this could be either a Script authenticator or a Java-based one (Authentication SPI [1]);
- you'll need to modify or supply your own login page. The easiest way is to use a Theme Resource JAR [2];
- next, you need to decide how you would store role secrets. I'd recommend using the same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see org.keycloak.credential.*);
- then, you should establish a 1-to-1 association between roles and secrets. You can use CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that;
- or, maybe better, introduce your own entity [3] for that association, because CREDENTIAL_ATTRIBUTE.VALUE doesn't have an index, therefore queries will be slow;
- finally, you need a mechanism to manage your role secrets. If you want to use the Admin console GUI for that, you'll need to implement a REST endpoint [3] and your custom GUI theme [4].
So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR. As always, I'd recommend my BeerCloak project [6] as a reference, since it contains many of the above.
Feel free to ask questions, and good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
[1] https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_theme...
[3] https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[4] https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[5] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[6] https://github.com/dteleguin/beercloak
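An added sketch of the authenticator step from the outline above, written for this page and not taken from the thread or from BeerCloak. It uses the Authentication SPI, prompts for the secret on its own form after the password step rather than modifying the login page, and assumes a hypothetical RoleSecretStore interface in front of the credential table.

```java
import java.util.Optional;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

/** Optional role-secret step; place it after the username/password form in the browser flow. */
public class RoleSecretAuthenticator implements Authenticator {
    /** Hypothetical, not a Keycloak API: verifies a submitted secret against the stored role secrets. */
    public interface RoleSecretStore {
        // Salted hashes cannot be looked up by value, so this checks each role's stored credential in turn.
        Optional<RoleModel> findRoleFor(KeycloakSession session, RealmModel realm, String rawSecret);
    }
    private final RoleSecretStore store;
    public RoleSecretAuthenticator(RoleSecretStore store) { this.store = store; }
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // role-secret.ftl is the extra template shipped in the theme resource JAR
        context.challenge(context.form().createForm("role-secret.ftl"));
    }
    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String secret = form.getFirst("role_secret");
        if (secret == null || secret.trim().isEmpty()) {
            context.success(); // no secret given: the user keeps only the roles already assigned
            return;
        }
        Optional<RoleModel> role = store.findRoleFor(context.getSession(), context.getRealm(), secret);
        if (!role.isPresent()) {
            // one generic error, so the response does not reveal which secrets or roles exist
            Response page = context.form().setError("invalidRoleSecret").createForm("role-secret.ftl");
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, page);
            return;
        }
        UserModel user = context.getUser();
        if (!user.hasRole(role.get())) user.grantRole(role.get()); // persisted mapping, not per-session
        context.success();
    }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

UserModel.grantRole writes a persistent role mapping, so the grant outlives the login session; a flow that should only add the role for the current session needs a different mechanism. The matching AuthenticatorFactory and the template are omitted here.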
On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote:
Hello,
I'd like some advice on how to go about implementing the following custom authentication scenario:
- A user, besides the standard username and password, optionally provides one more secret in the login screen.
- The secret is associated with a realm role (one-to-one) by the realm admin, and if matched the user is dynamically added to the corresponding role.
- If the secret isn't provided, the user is normally authenticated and gets whatever roles he is assigned, like the default behavior.
Of course I would like to avoid implementing an SPI for that :-) but if it is not possible to avoid it, I'd appreciate any insights and advice.
I admit I haven't carefully read the relevant SPI extension docs yet, hoping that there is some way of doing it without an SPI extension.
Cheers,
Vagelis
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user