10:56 p.m.
Hi,
I'm building a SSO service for my company (~1000 employee).
After investigation I decided to adopt Keycloak as the core component.
We are using Wechat Work as IM tool (https://work.weixin.qq.com/),
employee DB is based on its Contacts. So it's natural to integrate it as a
social login into Keycloak SSO service.
In the process of implementing the 'WechatIdentityProvider' and
'WechatIdentityProviderFactory' classes I encountered some trouble.
Just like Twitter / Google and other providers, some of Wechat Work's
OAuth2 flow is not aligned with standards. For example, the processing of
retrieving the access_token is relatively independent of other OAuth2 code
flow, the access_token is valid for 7200 seconds, its API is limited to be
called 2000 times per day for a single client. We are forced to cache a
global access_token for each client. I noticed that Keycloak is heavily
using Infinispan. My question is can I use it for caching access_token too?
Is it safe to do so? What is your recommendation?
And I'm working based on version 6.0.1 in standalone mode, is it
appropriate?
My main programming language is not Java by the way. I learned it ~10
years ago and Spring is new to me. So I'm still learning. It's of great
help to give relevant document links or code snippets, thanks!
Victor
10:17 a.m.
I managed to get infinispan running in customized identity provider, but
apart from predefined caches, I am not able to add new cache:
the error reads:
```
21:59:01,683 ERROR [org.jboss.as.controller.management-operation]
(Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
([("deployment" => "keycloak-server.war")]
) - failure description: {
"WFLYCTL0412: Required services that are not installed:" =>
["org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.naming.context.java.module.auth.auth.ModuleName is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.app.auth is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.Validator is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor
is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.concurrent.ee.context.config.auth.auth is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.discovery.\"keycloak-server.war\" is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.InAppClientContainer is
missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.app.auth.AppName is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.InstanceName is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.ValidatorFactory is
missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service
is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]"
]
}
```
How can I set up a new cache in infinispan? What is the proper steps to
create it?
kkzxak47 <kkzxak47(a)gmail.com> 于2019年7月25日周四 上午10:56写道:
Hi,
I'm building a SSO service for my company (~1000 employee).
After investigation I decided to adopt Keycloak as the core component.
We are using Wechat Work as IM tool (https://work.weixin.qq.com/),
employee DB is based on its Contacts. So it's natural to integrate it as a
social login into Keycloak SSO service.
In the process of implementing the 'WechatIdentityProvider' and
'WechatIdentityProviderFactory' classes I encountered some trouble.
Just like Twitter / Google and other providers, some of Wechat Work's
OAuth2 flow is not aligned with standards. For example, the processing of
retrieving the access_token is relatively independent of other OAuth2 code
flow, the access_token is valid for 7200 seconds, its API is limited to be
called 2000 times per day for a single client. We are forced to cache a
global access_token for each client. I noticed that Keycloak is heavily
using Infinispan. My question is can I use it for caching access_token too?
Is it safe to do so? What is your recommendation?
And I'm working based on version 6.0.1 in standalone mode, is it
appropriate?
My main programming language is not Java by the way. I learned it ~10
years ago and Spring is new to me. So I'm still learning. It's of great
help to give relevant document links or code snippets, thanks!
Victor
11:45 p.m.
Alright then. I think I will follow this thread myself to provide relevant
information for people who want to implement similar provider plugins in
the future.
So I have managed to implement a customized social login identity provider
alongside Twitter / Google and others. It's working just fine. You visit
one of the company apps, it will redirect you to keycloak. There you use
wechat work Idp to login into keycloak. Then keycloak would redirect you
back to the app. You have logged in. Perfect.
Now there is another question, instead of a link to click and show qr code
for login, is it possible to integrate that qrcode directly in the login
page of keycloak? I tried to use javascript to open a new page (I want both
username/password and qrcode available on the same page) and "click" the
"zocial-wechat-work" link and open that qrcode web page in a iFrame, but
instead of redirecting me back to the app I am visiting (which the original
link would do), it will put me in keycloak user panel after login.
I think my hack is going into a dead end, is it a better way to achieve
this? I.E. making "username/password" and a "3rd party qr code login"
available on the same login page.
kkzxak47 <kkzxak47(a)gmail.com> 于2019年7月26日周五 下午10:17写道:
I managed to get infinispan running in customized identity provider,
but
apart from predefined caches, I am not able to add new cache:
the error reads:
```
21:59:01,683 ERROR [org.jboss.as.controller.management-operation]
(Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
([("deployment" => "keycloak-server.war")]
) - failure description: {
"WFLYCTL0412: Required services that are not installed:" =>
["org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.naming.context.java.module.auth.auth.ModuleName is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.app.auth is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.Validator is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor
is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.concurrent.ee.context.config.auth.auth is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.discovery.\"keycloak-server.war\" is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.InAppClientContainer
is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.app.auth.AppName is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.InstanceName is
missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth is missing
[org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.naming.context.java.module.auth.auth.ValidatorFactory is
missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
"jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service
is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]"
]
}
```
How can I set up a new cache in infinispan? What is the proper steps to
create it?
kkzxak47 <kkzxak47(a)gmail.com> 于2019年7月25日周四 上午10:56写道:
> Hi,
> I'm building a SSO service for my company (~1000 employee).
> After investigation I decided to adopt Keycloak as the core component.
> We are using Wechat Work as IM tool (https://work.weixin.qq.com/),
> employee DB is based on its Contacts. So it's natural to integrate it as a
> social login into Keycloak SSO service.
> In the process of implementing the 'WechatIdentityProvider' and
> 'WechatIdentityProviderFactory' classes I encountered some trouble.
> Just like Twitter / Google and other providers, some of Wechat Work's
> OAuth2 flow is not aligned with standards. For example, the processing of
> retrieving the access_token is relatively independent of other OAuth2 code
> flow, the access_token is valid for 7200 seconds, its API is limited to be
> called 2000 times per day for a single client. We are forced to cache a
> global access_token for each client. I noticed that Keycloak is heavily
> using Infinispan. My question is can I use it for caching access_token too?
> Is it safe to do so? What is your recommendation?
> And I'm working based on version 6.0.1 in standalone mode, is it
> appropriate?
>
> My main programming language is not Java by the way. I learned it ~10
> years ago and Spring is new to me. So I'm still learning. It's of great
> help to give relevant document links or code snippets, thanks!
>
>
> Victor
>
2:50 a.m.
Fine, I think I found the way to hack two sessions on the same login page.
If you click the button "WechatWork" using javascript, your left side
username/password form will no longer work, because they share the same
session and the social login button will change your status. So I grabbed
the current uri `window.location.href`, change the `state` query parameter,
and invoke the social login button in a iFrame. Then left side
username/password form and right side social login will not share the same
session, they will both be valid.
BTW I have documented my experience on my blog
https://www.kkzxak47.com/2019/07/30/%e4%bd%bf%e7%94%a8%e4%bc%81%e4%b8%9a%....
(Well it's in Chinese, you may need google translate :)
I think I have finally achieved what I needed. I believe what I did here is
"Rubber Duck Debugging". Talking to a phantom audience and you get help
from yourself 😂.
Let me know If you need help in similar cases.
Victor.
kkzxak47 <kkzxak47(a)gmail.com> 于2019年8月2日周五 上午11:45写道:
Alright then. I think I will follow this thread myself to provide
relevant
information for people who want to implement similar provider plugins in
the future.
So I have managed to implement a customized social login identity provider
alongside Twitter / Google and others. It's working just fine. You visit
one of the company apps, it will redirect you to keycloak. There you use
wechat work Idp to login into keycloak. Then keycloak would redirect you
back to the app. You have logged in. Perfect.
Now there is another question, instead of a link to click and show qr code
for login, is it possible to integrate that qrcode directly in the login
page of keycloak? I tried to use javascript to open a new page (I want both
username/password and qrcode available on the same page) and "click" the
"zocial-wechat-work" link and open that qrcode web page in a iFrame, but
instead of redirecting me back to the app I am visiting (which the original
link would do), it will put me in keycloak user panel after login.
I think my hack is going into a dead end, is it a better way to achieve
this? I.E. making "username/password" and a "3rd party qr code
login"
available on the same login page.
kkzxak47 <kkzxak47(a)gmail.com> 于2019年7月26日周五 下午10:17写道:
> I managed to get infinispan running in customized identity provider, but
> apart from predefined caches, I am not able to add new cache:
> the error reads:
> ```
> 21:59:01,683 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
> ([("deployment" => "keycloak-server.war")]
> ) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" =>
> ["org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
> "jboss.naming.context.java.module.auth.auth.ModuleName is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.app.auth is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.module.auth.auth.Validator is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>
>
"jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor
> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.concurrent.ee.context.config.auth.auth is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.deployment.discovery.\"keycloak-server.war\" is
missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.module.auth.auth.InAppClientContainer
> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is
missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.app.auth.AppName is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.module.auth.auth.InstanceName is
> missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.module.auth.auth is missing
> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
> "jboss.naming.context.java.module.auth.auth.ValidatorFactory is
> missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>
>
"jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service
> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]"
> ]
> }
> ```
>
> How can I set up a new cache in infinispan? What is the proper steps to
> create it?
>
> kkzxak47 <kkzxak47(a)gmail.com> 于2019年7月25日周四 上午10:56写道:
>
>> Hi,
>> I'm building a SSO service for my company (~1000 employee).
>> After investigation I decided to adopt Keycloak as the core component.
>> We are using Wechat Work as IM tool (https://work.weixin.qq.com/),
>> employee DB is based on its Contacts. So it's natural to integrate it as a
>> social login into Keycloak SSO service.
>> In the process of implementing the 'WechatIdentityProvider' and
>> 'WechatIdentityProviderFactory' classes I encountered some trouble.
>> Just like Twitter / Google and other providers, some of Wechat Work's
>> OAuth2 flow is not aligned with standards. For example, the processing of
>> retrieving the access_token is relatively independent of other OAuth2 code
>> flow, the access_token is valid for 7200 seconds, its API is limited to be
>> called 2000 times per day for a single client. We are forced to cache a
>> global access_token for each client. I noticed that Keycloak is heavily
>> using Infinispan. My question is can I use it for caching access_token too?
>> Is it safe to do so? What is your recommendation?
>> And I'm working based on version 6.0.1 in standalone mode, is it
>> appropriate?
>>
>> My main programming language is not Java by the way. I learned it ~10
>> years ago and Spring is new to me. So I'm still learning. It's of great
>> help to give relevant document links or code snippets, thanks!
>>
>>
>> Victor
>>
>
1727
days inactive
1735
days old
3 comments
1 participants
participants (1)
-
kkzxak47