We still need to make sure we're following the standard. I think Stian
is working on that. Also, you need to make sure you're using SSL/HTTPS
and that your client has a truststore set up for the .well-known
endpoint. Otherwise, you can't be guaranteed that the information you
are getting (keys, endpoints, etc.) is valid.

On 9/28/2015 4:07 PM, Bruce Shaw wrote:
Hello,
I’m evaluating Keycloak as an identity provider for a few Play Framework projects using
pac4j-play as the OpenID Connect client.
There isn’t an adapter for Play so I thought I could leverage the discovery endpoint with
my client to authenticate. I wasn’t able to find any details on this in the documentation
but after a little bit of digging I found the "well-known" URI that I configured
with our client to authenticate successfully with our Keycloak instance.
So because I couldn’t find much on this I was curious if this approach for authentication
is recommended or supported. Also, what is the difference in action between logging out
with the “end_session_endpoint” provided by the discovery metadata versus the logout URL
in the documentation:
“http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri”?
thanks,
Bruce
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
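
The check described in the reply above, as an added example that is not part of the original thread or of Keycloak or pac4j: fetch the `.well-known` document over TLS verified against a dedicated CA bundle (the Python analogue of a truststore) and reject metadata whose issuer or endpoints are not what the client expects. The issuer URL, realm name, endpoint paths and function names are assumptions made for illustration.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# Endpoint fields a client acts on; each must be an https URL when present.
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                   "userinfo_endpoint", "end_session_endpoint")
REQUIRED = ("authorization_endpoint", "jwks_uri")

def validate_discovery(metadata, expected_issuer):
    """Return a list of problems found in an OIDC discovery document."""
    problems = []
    if urlsplit(expected_issuer).scheme != "https":
        problems.append("issuer is not https: " + expected_issuer)
    # OpenID Connect Discovery requires the returned issuer to be identical
    # to the issuer the client used to build the .well-known URL.
    if metadata.get("issuer") != expected_issuer:
        problems.append("issuer mismatch: %r" % (metadata.get("issuer"),))
    for field in ENDPOINT_FIELDS:
        value = metadata.get(field)
        if value is None:
            if field in REQUIRED:
                problems.append("missing " + field)
        elif not isinstance(value, str) or urlsplit(value).scheme != "https":
            problems.append("%s is not an https URL: %r" % (field, value))
    return problems

def fetch_discovery(issuer, ca_bundle):
    """Fetch and validate the discovery document, trusting only ca_bundle."""
    # create_default_context verifies the certificate chain and hostname;
    # passing cafile limits trust to that PEM bundle instead of system CAs.
    context = ssl.create_default_context(cafile=ca_bundle)
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, context=context, timeout=10) as resp:
        metadata = json.load(resp)
    problems = validate_discovery(metadata, issuer)
    if problems:
        raise ValueError("untrusted discovery document: " + "; ".join(problems))
    return metadata

# Constructed sample (not from a real server): logout endpoint served over http.
ISSUER = "https://auth.example.test/auth/realms/demo"
SAMPLE = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "end_session_endpoint": "http://auth.example.test/logout",
}
```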