From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: keycloak-user(a)lists.jboss.org Sent: Monday, March 16, 2015 10:48:55 AM Subject: [keycloak-user] Customization of authentication mechanism and + Guys, I need to understand the capability of keycloak with my requirement and to ensure that keycloak is scalable to meet my needs. My main requirement is to integrate keycloak to our system to support SSO hence I need to migrate my existing users. My main concerns; 1/ Customize authentication method. I need to authenticate users similar to what we currently use in our production system. In our system, users are identified by username, password and the pin. For instance; User -> jack, password -> pwd, pin -> 50000 User should enter all three to login to the system. I went through the codebase and I saw that the Authentication Manager (which is a concrete class) does all the work inside keycloak. I managed to customize the frontend with ease, however, in order to support the pin in the backend seems like I have to customize the AuthenticationManager class (no direct SPIs). Although there is a link here; http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... I cant seem to find anything here which matches the current code base (to via a new authentication method via spis) and the example has been removed. 2/ Customize password hashes. We have our own algorithm used to store password hashes. What should I do to add this to keycloak? I do not know the current passwords of the users already in our system, so when doing the migration i need keyclock to support the current algorithm we use. Can we plugin new hashing algorithms to meet my needs? Any other issues I might face? I feel key cloak is the right choice if the above two questions are answered. Please let me know. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: keycloak-user(a)lists.jboss.org Sent: Monday, March 16, 2015 10:48:55 AM Subject: [keycloak-user] Customization of authentication mechanism and + Guys, I need to understand the capability of keycloak with my requirement and to ensure that keycloak is scalable to meet my needs. My main requirement is to integrate keycloak to our system to support SSO hence I need to migrate my existing users. My main concerns; 1/ Customize authentication method. I need to authenticate users similar to what we currently use in our production system. In our system, users are identified by username, password and the pin. For instance; User -> jack, password -> pwd, pin -> 50000 User should enter all three to login to the system. I went through the codebase and I saw that the Authentication Manager (which is a concrete class) does all the work inside keycloak. I managed to customize the frontend with ease, however, in order to support the pin in the backend seems like I have to customize the AuthenticationManager class (no direct SPIs). Although there is a link here; http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... I cant seem to find anything here which matches the current code base (to via a new authentication method via spis) and the example has been removed. 2/ Customize password hashes. We have our own algorithm used to store password hashes. What should I do to add this to keycloak? I do not know the current passwords of the users already in our system, so when doing the migration i need keyclock to support the current algorithm we use. Can we plugin new hashing algorithms to meet my needs? Any other issues I might face? I feel key cloak is the right choice if the above two questions are answered. Please let me know. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

We don't currently have a way to plugin your own authentication mechanism, but this is something we'll be adding. You have two choices when it comes to users, you can either use our user federation provider mechanism to sync between Keycloak and your current db. Or you can migrate the users fully to the Keycloak db. In either case you have an option on overriding how passwords are verified (either UserFederationProvider or by extending an existing UserProvider). With the above authentication mechanism we'll most likely also make the verification of passwords pluggable which would support different hash algorithms. ----- Original Message ----- > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > To: keycloak-user(a)lists.jboss.org > Sent: Monday, March 16, 2015 10:48:55 AM > Subject: [keycloak-user] Customization of authentication mechanism and + > > > > Guys, > > I need to understand the capability of keycloak with my requirement and to > ensure that keycloak is scalable to meet my needs. My main requirement is to > integrate keycloak to our system to support SSO hence I need to migrate my > existing users. My main concerns; > > > > 1/ Customize authentication method. > > I need to authenticate users similar to what we currently use in our > production system. In our system, users are identified by username, password > and the pin. > > For instance; > > User -> jack, password -> pwd, pin -> 50000 > > User should enter all three to login to the system. > > I went through the codebase and I saw that the Authentication Manager (which > is a concrete class) does all the work inside keycloak. I managed to > customize the frontend with ease, however, in order to support the pin in > the backend seems like I have to customize the AuthenticationManager class > (no direct SPIs). > > Although there is a link here; > > http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... > > I cant seem to find anything here which matches the current code base (to via > a new authentication method via spis) and the example has been removed. > > > > 2/ Customize password hashes. > > We have our own algorithm used to store password hashes. What should I do to > add this to keycloak? > > I do not know the current passwords of the users already in our system, so > when doing the migration i need keyclock to support the current algorithm we > use. Can we plugin new hashing algorithms to meet my needs? > > > > Any other issues I might face? > > I feel key cloak is the right choice if the above two questions are answered. > Please let me know. > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Tuesday, March 17, 2015 8:52:12 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + Thanks again for your quick feedbacks. Sorry I have a number of questions so I will be buzzing u guys regularly. I went through the document for the adapters; http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html So lets say I need a php application to be deployed using keycloak as my SSO manager application. So my basic requirement is that user should have the ability to signin via keycloak. I see that there are no dedicated adapters for php (I guess it must be in the works)

Is there a guideline that I should follow if I am to do it manually? Basically what I should to do replicate what an adapter does (if I dont want to use any adapters or my apps are mobile based or deployed on containers hat keycloak does not have adapters for). Hope my question is clear. Kalinga -----Original Message----- From: "Bill Burke" <bburke(a)redhat.com&gt; Sent: Monday, March 16, 2015 7:46pm To: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + Minimally you need to import username. Probably email too if you want to use any of our email-based features. With UserFederationProvider you can delegate to the third-party storage for other user attributes/metadata. On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > We don't currently have a way to plugin your own authentication mechanism, > but this is something we'll be adding. > > You have two choices when it comes to users, you can either use our user > federation provider mechanism to sync between Keycloak and your current > db. Or you can migrate the users fully to the Keycloak db. In either case > you have an option on overriding how passwords are verified (either > UserFederationProvider or by extending an existing UserProvider). With the > above authentication mechanism we'll most likely also make the > verification of passwords pluggable which would support different hash > algorithms. > > ----- Original Message ----- >> From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; >> To: keycloak-user(a)lists.jboss.org >> Sent: Monday, March 16, 2015 10:48:55 AM >> Subject: [keycloak-user] Customization of authentication mechanism and + >> >> >> >> Guys, >> >> I need to understand the capability of keycloak with my requirement and to >> ensure that keycloak is scalable to meet my needs. My main requirement is >> to >> integrate keycloak to our system to support SSO hence I need to migrate my >> existing users. My main concerns; >> >> >> >> 1/ Customize authentication method. >> >> I need to authenticate users similar to what we currently use in our >> production system. In our system, users are identified by username, >> password >> and the pin. >> >> For instance; >> >> User -> jack, password -> pwd, pin -> 50000 >> >> User should enter all three to login to the system. >> >> I went through the codebase and I saw that the Authentication Manager >> (which >> is a concrete class) does all the work inside keycloak. I managed to >> customize the frontend with ease, however, in order to support the pin in >> the backend seems like I have to customize the AuthenticationManager class >> (no direct SPIs). >> >> Although there is a link here; >> >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... >> >> I cant seem to find anything here which matches the current code base (to >> via >> a new authentication method via spis) and the example has been removed. >> >> >> >> 2/ Customize password hashes. >> >> We have our own algorithm used to store password hashes. What should I do >> to >> add this to keycloak? >> >> I do not know the current passwords of the users already in our system, so >> when doing the migration i need keyclock to support the current algorithm >> we >> use. Can we plugin new hashing algorithms to meet my needs? >> >> >> >> Any other issues I might face? >> >> I feel key cloak is the right choice if the above two questions are >> answered. >> Please let me know. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Tuesday, March 17, 2015 8:52:12 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + Thanks again for your quick feedbacks. Sorry I have a number of questions so I will be buzzing u guys regularly. I went through the document for the adapters; http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html So lets say I need a php application to be deployed using keycloak as my SSO manager application. So my basic requirement is that user should have the ability to signin via keycloak. I see that there are no dedicated adapters for php (I guess it must be in the works)

Is there a guideline that I should follow if I am to do it manually? Basically what I should to do replicate what an adapter does (if I dont want to use any adapters or my apps are mobile based or deployed on containers hat keycloak does not have adapters for). Hope my question is clear. Kalinga -----Original Message----- From: "Bill Burke" <bburke(a)redhat.com&gt; Sent: Monday, March 16, 2015 7:46pm To: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + Minimally you need to import username. Probably email too if you want to use any of our email-based features. With UserFederationProvider you can delegate to the third-party storage for other user attributes/metadata. On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > We don't currently have a way to plugin your own authentication mechanism, > but this is something we'll be adding. > > You have two choices when it comes to users, you can either use our user > federation provider mechanism to sync between Keycloak and your current > db. Or you can migrate the users fully to the Keycloak db. In either case > you have an option on overriding how passwords are verified (either > UserFederationProvider or by extending an existing UserProvider). With the > above authentication mechanism we'll most likely also make the > verification of passwords pluggable which would support different hash > algorithms. > > ----- Original Message ----- >> From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; >> To: keycloak-user(a)lists.jboss.org >> Sent: Monday, March 16, 2015 10:48:55 AM >> Subject: [keycloak-user] Customization of authentication mechanism and + >> >> >> >> Guys, >> >> I need to understand the capability of keycloak with my requirement and to >> ensure that keycloak is scalable to meet my needs. My main requirement is >> to >> integrate keycloak to our system to support SSO hence I need to migrate my >> existing users. My main concerns; >> >> >> >> 1/ Customize authentication method. >> >> I need to authenticate users similar to what we currently use in our >> production system. In our system, users are identified by username, >> password >> and the pin. >> >> For instance; >> >> User -> jack, password -> pwd, pin -> 50000 >> >> User should enter all three to login to the system. >> >> I went through the codebase and I saw that the Authentication Manager >> (which >> is a concrete class) does all the work inside keycloak. I managed to >> customize the frontend with ease, however, in order to support the pin in >> the backend seems like I have to customize the AuthenticationManager class >> (no direct SPIs). >> >> Although there is a link here; >> >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... >> >> I cant seem to find anything here which matches the current code base (to >> via >> a new authentication method via spis) and the example has been removed. >> >> >> >> 2/ Customize password hashes. >> >> We have our own algorithm used to store password hashes. What should I do >> to >> add this to keycloak? >> >> I do not know the current passwords of the users already in our system, so >> when doing the migration i need keyclock to support the current algorithm >> we >> use. Can we plugin new hashing algorithms to meet my needs? >> >> >> >> Any other issues I might face? >> >> I feel key cloak is the right choice if the above two questions are >> answered. >> Please let me know. >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Tuesday, March 17, 2015 10:41:51 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + There is no hints regarding adapter logic, but what you'll need is: * Configure adapter using keycloak.json * Implement client side of OAuth2 Authorization Code Grant 1. Generate a state variable and store in a cookie or session 2. Redirect to /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate uuid>&redirect_uri=<callback uri> 3. Once the user has logged-in it's redirected back to <callback uri> with a code query param 4. Use the code query param to obtain a token by posting to /{realm}/protocols/openid-connect/token the form-data should be grant_type=authorization_code&code=<code> you also need to include a http basic authorization header with client id and secret Once you've done that you should have a token available to the application. Then you have to deal with: * Refreshing token when expired * Handle logout events from Keycloak * Clustering issues * If you want to support creating rest endpoints in PHP you also need to support verifying the bearer token included in authorization header, this can be done by checking the jws signature using the realm public key ----- Original Message ----- > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > Cc: "Stian Thorgersen" <stian(a)redhat.com&gt;, "Bill Burke" > <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > Sent: Tuesday, March 17, 2015 10:26:18 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > * I can get a php application in place > > Kalinga > > -----Original Message----- > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > Sent: Tuesday, March 17, 2015 2:55pm > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > > Thanks again. > I need to go thru most documentation to get the hang of it. Will do. > I would love to contribute if u can get a php application in place, is it > possible for you to direct me to documentation where there are hints > regarding the adapter logic? > > Kalinga > > > -----Original Message----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > Sent: Tuesday, March 17, 2015 2:25pm > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > > > ----- Original Message ----- > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > To: "Bill Burke" <bburke(a)redhat.com&gt; > > Cc: keycloak-user(a)lists.jboss.org > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > > > Thanks again for your quick feedbacks. > > > > Sorry I have a number of questions so I will be buzzing u guys regularly. > > > > I went through the document for the adapters; > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > So lets say I need a php application to be deployed using keycloak as my > > SSO > > manager application. > > > > So my basic requirement is that user should have the ability to signin > > via > > keycloak. I see that there are no dedicated adapters for php (I guess it > > must be in the works) > > We don't have a PHP adapter, and there's no immediate plans to create one. > You could use: > > * JavaScript adapter > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#...) > * Proxy > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > Alternatively have a look on Google for instructions on using OAuth2 and/or > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a > OpenID Connect Discovery endpoint, which should make it easier to use other > OpenID Connect client libraries with Keycloak. > > If you're willing to contribute a PHP adapter then let me know and I can > give > you more details on what would be required and some hints to get you > started. > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > Basically what I should to do replicate what an adapter does (if I dont > > want > > to use any adapters or my apps are mobile based or deployed on containers > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > Kalinga > > > > > > > > > > -----Original Message----- > > From: "Bill Burke" <bburke(a)redhat.com&gt; > > Sent: Monday, March 16, 2015 7:46pm > > To: keycloak-user(a)lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > > > Minimally you need to import username. Probably email too if you want > > to use any of our email-based features. With UserFederationProvider you > > can delegate to the third-party storage for other user > > attributes/metadata. > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > We don't currently have a way to plugin your own authentication > > > mechanism, > > > but this is something we'll be adding. > > > > > > You have two choices when it comes to users, you can either use our > > > user > > > federation provider mechanism to sync between Keycloak and your current > > > db. Or you can migrate the users fully to the Keycloak db. In either > > > case > > > you have an option on overriding how passwords are verified (either > > > UserFederationProvider or by extending an existing UserProvider). With > > > the > > > above authentication mechanism we'll most likely also make the > > > verification of passwords pluggable which would support different hash > > > algorithms. > > > > > > ----- Original Message ----- > > >> From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > >> To: keycloak-user(a)lists.jboss.org > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > >> Subject: [keycloak-user] Customization of authentication mechanism and > > >> + > > >> > > >> > > >> > > >> Guys, > > >> > > >> I need to understand the capability of keycloak with my requirement > > >> and > > >> to > > >> ensure that keycloak is scalable to meet my needs. My main requirement > > >> is > > >> to > > >> integrate keycloak to our system to support SSO hence I need to > > >> migrate > > >> my > > >> existing users. My main concerns; > > >> > > >> > > >> > > >> 1/ Customize authentication method. > > >> > > >> I need to authenticate users similar to what we currently use in our > > >> production system. In our system, users are identified by username, > > >> password > > >> and the pin. > > >> > > >> For instance; > > >> > > >> User -> jack, password -> pwd, pin -> 50000 > > >> > > >> User should enter all three to login to the system. > > >> > > >> I went through the codebase and I saw that the Authentication Manager > > >> (which > > >> is a concrete class) does all the work inside keycloak. I managed to > > >> customize the frontend with ease, however, in order to support the pin > > >> in > > >> the backend seems like I have to customize the AuthenticationManager > > >> class > > >> (no direct SPIs). > > >> > > >> Although there is a link here; > > >> > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... > > >> > > >> I cant seem to find anything here which matches the current code base > > >> (to > > >> via > > >> a new authentication method via spis) and the example has been > > >> removed. > > >> > > >> > > >> > > >> 2/ Customize password hashes. > > >> > > >> We have our own algorithm used to store password hashes. What should I > > >> do > > >> to > > >> add this to keycloak? > > >> > > >> I do not know the current passwords of the users already in our > > >> system, > > >> so > > >> when doing the migration i need keyclock to support the current > > >> algorithm > > >> we > > >> use. Can we plugin new hashing algorithms to meet my needs? > > >> > > >> > > >> > > >> Any other issues I might face? > > >> > > >> I feel key cloak is the right choice if the above two questions are > > >> answered. > > >> Please let me know. > > >> > > >> _______________________________________________ > > >> keycloak-user mailing list > > >> keycloak-user(a)lists.jboss.org > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > -- > > Bill Burke > > JBoss, a division of Red Hat > > http://bill.burkecentral.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Tuesday, March 17, 2015 11:23:10 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + Thanks Stian. :) Let me first go thru the resources I have on the website. The java source code of the adapter also must be present somewhere for me to have a look I guess? Kalinga -----Original Message----- From: "Stian Thorgersen" <stian(a)redhat.com&gt; Sent: Tuesday, March 17, 2015 3:14pm To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + If you have any more questions feel free to ask, anyone contributing code gets extra questions answered ;) ----- Original Message ----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > Cc: keycloak-user(a)lists.jboss.org > Sent: Tuesday, March 17, 2015 10:41:51 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > There is no hints regarding adapter logic, but what you'll need is: > > * Configure adapter using keycloak.json > * Implement client side of OAuth2 Authorization Code Grant > 1. Generate a state variable and store in a cookie or session > 2. Redirect to > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate > uuid>&redirect_uri=<callback uri> > 3. Once the user has logged-in it's redirected back to <callback uri> with > a code query param > 4. Use the code query param to obtain a token by posting to > /{realm}/protocols/openid-connect/token the form-data should be > grant_type=authorization_code&code=<code> you also need to include a http > basic authorization header with client id and secret > > Once you've done that you should have a token available to the application. > Then you have to deal with: > > * Refreshing token when expired > * Handle logout events from Keycloak > * Clustering issues > * If you want to support creating rest endpoints in PHP you also need to > support verifying the bearer token included in authorization header, this > can be done by checking the jws signature using the realm public key > > ----- Original Message ----- > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > Cc: "Stian Thorgersen" <stian(a)redhat.com&gt;, "Bill Burke" > > <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > * I can get a php application in place > > > > Kalinga > > > > -----Original Message----- > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > Sent: Tuesday, March 17, 2015 2:55pm > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > > > Thanks again. > > I need to go thru most documentation to get the hang of it. Will do. > > I would love to contribute if u can get a php application in place, is it > > possible for you to direct me to documentation where there are hints > > regarding the adapter logic? > > > > Kalinga > > > > > > -----Original Message----- > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > Sent: Tuesday, March 17, 2015 2:25pm > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > > > > > ----- Original Message ----- > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > To: "Bill Burke" <bburke(a)redhat.com&gt; > > > Cc: keycloak-user(a)lists.jboss.org > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > regularly. > > > > > > I went through the document for the adapters; > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as > > > my > > > SSO > > > manager application. > > > > > > So my basic requirement is that user should have the ability to signin > > > via > > > keycloak. I see that there are no dedicated adapters for php (I guess > > > it > > > must be in the works) > > > > We don't have a PHP adapter, and there's no immediate plans to create > > one. > > You could use: > > > > * JavaScript adapter > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#...) > > * Proxy > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > Alternatively have a look on Google for instructions on using OAuth2 > > and/or > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a > > OpenID Connect Discovery endpoint, which should make it easier to use > > other > > OpenID Connect client libraries with Keycloak. > > > > If you're willing to contribute a PHP adapter then let me know and I can > > give > > you more details on what would be required and some hints to get you > > started. > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > Basically what I should to do replicate what an adapter does (if I dont > > > want > > > to use any adapters or my apps are mobile based or deployed on > > > containers > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > -----Original Message----- > > > From: "Bill Burke" <bburke(a)redhat.com&gt; > > > Sent: Monday, March 16, 2015 7:46pm > > > To: keycloak-user(a)lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > to use any of our email-based features. With UserFederationProvider you > > > can delegate to the third-party storage for other user > > > attributes/metadata. > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > We don't currently have a way to plugin your own authentication > > > > mechanism, > > > > but this is something we'll be adding. > > > > > > > > You have two choices when it comes to users, you can either use our > > > > user > > > > federation provider mechanism to sync between Keycloak and your > > > > current > > > > db. Or you can migrate the users fully to the Keycloak db. In either > > > > case > > > > you have an option on overriding how passwords are verified (either > > > > UserFederationProvider or by extending an existing UserProvider). > > > > With > > > > the > > > > above authentication mechanism we'll most likely also make the > > > > verification of passwords pluggable which would support different > > > > hash > > > > algorithms. > > > > > > > > ----- Original Message ----- > > > >> From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > >> To: keycloak-user(a)lists.jboss.org > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > >> Subject: [keycloak-user] Customization of authentication mechanism > > > >> and > > > >> + > > > >> > > > >> > > > >> > > > >> Guys, > > > >> > > > >> I need to understand the capability of keycloak with my requirement > > > >> and > > > >> to > > > >> ensure that keycloak is scalable to meet my needs. My main > > > >> requirement > > > >> is > > > >> to > > > >> integrate keycloak to our system to support SSO hence I need to > > > >> migrate > > > >> my > > > >> existing users. My main concerns; > > > >> > > > >> > > > >> > > > >> 1/ Customize authentication method. > > > >> > > > >> I need to authenticate users similar to what we currently use in our > > > >> production system. In our system, users are identified by username, > > > >> password > > > >> and the pin. > > > >> > > > >> For instance; > > > >> > > > >> User -> jack, password -> pwd, pin -> 50000 > > > >> > > > >> User should enter all three to login to the system. > > > >> > > > >> I went through the codebase and I saw that the Authentication > > > >> Manager > > > >> (which > > > >> is a concrete class) does all the work inside keycloak. I managed to > > > >> customize the frontend with ease, however, in order to support the > > > >> pin > > > >> in > > > >> the backend seems like I have to customize the AuthenticationManager > > > >> class > > > >> (no direct SPIs). > > > >> > > > >> Although there is a link here; > > > >> > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... > > > >> > > > >> I cant seem to find anything here which matches the current code > > > >> base > > > >> (to > > > >> via > > > >> a new authentication method via spis) and the example has been > > > >> removed. > > > >> > > > >> > > > >> > > > >> 2/ Customize password hashes. > > > >> > > > >> We have our own algorithm used to store password hashes. What should > > > >> I > > > >> do > > > >> to > > > >> add this to keycloak? > > > >> > > > >> I do not know the current passwords of the users already in our > > > >> system, > > > >> so > > > >> when doing the migration i need keyclock to support the current > > > >> algorithm > > > >> we > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > >> > > > >> > > > >> > > > >> Any other issues I might face? > > > >> > > > >> I feel key cloak is the right choice if the above two questions are > > > >> answered. > > > >> Please let me know. > > > >> > > > >> _______________________________________________ > > > >> keycloak-user mailing list > > > >> keycloak-user(a)lists.jboss.org > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

I am in the process of trying out a few adapters supported by keycloak. Tried the tomcat adapter but im a getting a continuous redirect on the browser. I did the following; 1/ Installed the adapter on tomcat 2/ Installed all the libraries. 3/ Changed catalina.jar to add an authentication type called KEYCLOAK 4/ Added the context.xml to the client in META-INF <?xml version="1.0" encoding="UTF-8"?> <Context path="/sample" debug="0" privileged="true"> <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" /> </Context> 5/ Added the keycloak.json { "realm": "demo", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pigvwuJUVfi9sEaZOj7txNfBwPAEt+0AIBSFHRzoWSxNAnznkwGV83qGK+Kc6GAMdlch87GeFzSZh76qC9GUlQ1WGOjbNA4YApnd9PmLvt1iBfe/3xkjIBeKEYmeA9mg3xn3eTosWmL1WIFzFy4NRbe09fAC1hZ5zazfjSDBtwIDAQAB", "auth-server-url": "http://localhost:8080/auth", "ssl-required": "external", "resource": "customer-portal", "public-client": true, "use-resource-role-mappings": true } 6/ Changed web.xml <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" > <web-app> <display-name>Archetype Created Web Application</display-name> <security-constraint> <web-resource-collection> <web-resource-name>sample</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>user</role-name> </security-role> <login-config> <auth-method>KEYCLOAK</auth-method> <realm-name>demo</realm-name> </login-config> </web-app> The client app successfully redirects to the server url (keycloak) and I can login entering the creds. and it redirects back to the client, however the client goes into a loop. Should I do a change in the client to extract some details and save it in the session? Or will be the adapter handle this for me Kalinga _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

It didnt. Thats why i did the change to the catalina.jar file. Managed to come up with this http://blog-ungarida.rhcloud.com/keycloak-tomcat-adapter/ Thats why I did this change to catalina.jar. Kalinga -----Original Message----- From: "Marek Posolda" <mposolda(a)redhat.com&gt; Sent: Wednesday, March 18, 2015 4:50pm To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt;, keycloak-user(a)lists.jboss.org, "Stian Thorgersen" <stian(a)redhat.com&gt; Subject: Re: [keycloak-user] Tomcat adapter for keycloak For Tomcat adapter, you don't need KEYCLOAK authentication type in web.xml, but BASIC should be sufficient. Does it work with BASIC and without your step 3 (Changing catalina.jar) ? Marek On 18.3.2015 10:00, Kalinga Dissanayake wrote: I am in the process of trying out a few adapters supported by keycloak. Tried the tomcat adapter but im a getting a continuous redirect on the browser. I did the following; 1/ Installed the adapter on tomcat 2/ Installed all the libraries. 3/ Changed catalina.jar to add an authentication type called KEYCLOAK 4/ Added the context.xml to the client in META-INF <?xml version="1.0" encoding="UTF-8"?> <Context path="/sample" debug="0" privileged="true"> <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" /> </Context> 5/ Added the keycloak.json { "realm": "demo", "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pigvwuJUVfi9sEaZOj7txNfBwPAEt+0AIBSFHRzoWSxNAnznkwGV83qGK+Kc6GAMdlch87GeFzSZh76qC9GUlQ1WGOjbNA4YApnd9PmLvt1iBfe/3xkjIBeKEYmeA9mg3xn3eTosWmL1WIFzFy4NRbe09fAC1hZ5zazfjSDBtwIDAQAB", "auth-server-url": "http://localhost:8080/auth", "ssl-required": "external", "resource": "customer-portal", "public-client": true, "use-resource-role-mappings": true } 6/ Changed web.xml <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" > <web-app> <display-name>Archetype Created Web Application</display-name> <security-constraint> <web-resource-collection> <web-resource-name>sample</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>user</role-name> </security-role> <login-config> <auth-method>KEYCLOAK</auth-method> <realm-name>demo</realm-name> </login-config> </web-app> The client app successfully redirects to the server url (keycloak) and I can login entering the creds. and it redirects back to the client, however the client goes into a loop. Should I do a change in the client to extract some details and save it in the session? Or will be the adapter handle this for me Kalinga _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Friday, 20 March, 2015 9:21:29 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + Stian, As per your previous email I should use the endpoint /{realm}/protocols/openid-connect/token However, I am using version 1.1.0.Final of keycloak. Seems like this is the production ready release available, however this does not have the above endpoint [ /{realm}/protocols/openid-connect/token] Instead Version 1.1.0 Final has this end point which seems to be doing the same functionality; /realms/demo/protocol/openid-connect/access/codes

So I have a few questions regarding the above; 1/ Is the /access/codes api endpoint same as /token endpoint. Where the latter is planned to released in a future version? I compared the js adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses /access/codes api endpoint while 1.2.0.Beta uses /token

2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been changed. What is the mapping endpoint for this in 1.1.0 version? Are there are other apis signatures that are planned to be changed in the future?

3/ If I am using keycloak for an application which I am planning to roll out to production soon, which version would u recommend?

4/ The above apis are for openid-connect. What are the endpoints available if the authorization type is saml?

Extract from previous email <<Stian>> > > * Configure adapter using keycloak.json > > * Implement client side of OAuth2 Authorization Code Grant > > 1. Generate a state variable and store in a cookie or session > > 2. Redirect to > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate > > uuid>&redirect_uri=<callback uri> > > 3. Once the user has logged-in it's redirected back to <callback uri> > > with > > a code query param > > 4. Use the code query param to obtain a token by posting to > > /{realm}/protocols/openid-connect/token the form-data should be > > grant_type=authorization_code&code=<code> you also need to include a http > > basic authorization header with client id and secret Thanks. Kalinga -----Original Message----- From: "Stian Thorgersen" <stian(a)redhat.com&gt; Sent: Tuesday, March 17, 2015 3:55pm To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + Source code for all adapters is in: https://github.com/keycloak/keycloak/tree/master/integration ----- Original Message ----- > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-user(a)lists.jboss.org > Sent: Tuesday, March 17, 2015 11:23:10 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > Thanks Stian. :) Let me first go thru the resources I have on the website. > The java source code of the adapter also must be present somewhere for me > to > have a look I guess? > > Kalinga > > -----Original Message----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > Sent: Tuesday, March 17, 2015 3:14pm > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > Cc: keycloak-user(a)lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > > If you have any more questions feel free to ask, anyone contributing code > gets extra questions answered ;) > > > ----- Original Message ----- > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > Cc: keycloak-user(a)lists.jboss.org > > Sent: Tuesday, March 17, 2015 10:41:51 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > There is no hints regarding adapter logic, but what you'll need is: > > > > * Configure adapter using keycloak.json > > * Implement client side of OAuth2 Authorization Code Grant > > 1. Generate a state variable and store in a cookie or session > > 2. Redirect to > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate > > uuid>&redirect_uri=<callback uri> > > 3. Once the user has logged-in it's redirected back to <callback uri> > > with > > a code query param > > 4. Use the code query param to obtain a token by posting to > > /{realm}/protocols/openid-connect/token the form-data should be > > grant_type=authorization_code&code=<code> you also need to include a http > > basic authorization header with client id and secret > > > > Once you've done that you should have a token available to the > > application. > > Then you have to deal with: > > > > * Refreshing token when expired > > * Handle logout events from Keycloak > > * Clustering issues > > * If you want to support creating rest endpoints in PHP you also need to > > support verifying the bearer token included in authorization header, this > > can be done by checking the jws signature using the realm public key > > > > ----- Original Message ----- > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > Cc: "Stian Thorgersen" <stian(a)redhat.com&gt;, "Bill Burke" > > > <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > * I can get a php application in place > > > > > > Kalinga > > > > > > -----Original Message----- > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > Sent: Tuesday, March 17, 2015 2:55pm > > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > Thanks again. > > > I need to go thru most documentation to get the hang of it. Will do. > > > I would love to contribute if u can get a php application in place, is > > > it > > > possible for you to direct me to documentation where there are hints > > > regarding the adapter logic? > > > > > > Kalinga > > > > > > > > > -----Original Message----- > > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > Sent: Tuesday, March 17, 2015 2:25pm > > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > > > > > > > > > > ----- Original Message ----- > > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > To: "Bill Burke" <bburke(a)redhat.com&gt; > > > > Cc: keycloak-user(a)lists.jboss.org > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > > regularly. > > > > > > > > I went through the document for the adapters; > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak as > > > > my > > > > SSO > > > > manager application. > > > > > > > > So my basic requirement is that user should have the ability to > > > > signin > > > > via > > > > keycloak. I see that there are no dedicated adapters for php (I guess > > > > it > > > > must be in the works) > > > > > > We don't have a PHP adapter, and there's no immediate plans to create > > > one. > > > You could use: > > > > > > * JavaScript adapter > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#...) > > > * Proxy > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > > > Alternatively have a look on Google for instructions on using OAuth2 > > > and/or > > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a > > > OpenID Connect Discovery endpoint, which should make it easier to use > > > other > > > OpenID Connect client libraries with Keycloak. > > > > > > If you're willing to contribute a PHP adapter then let me know and I > > > can > > > give > > > you more details on what would be required and some hints to get you > > > started. > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it manually? > > > > Basically what I should to do replicate what an adapter does (if I > > > > dont > > > > want > > > > to use any adapters or my apps are mobile based or deployed on > > > > containers > > > > hat keycloak does not have adapters for). Hope my question is clear. > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > From: "Bill Burke" <bburke(a)redhat.com&gt; > > > > Sent: Monday, March 16, 2015 7:46pm > > > > To: keycloak-user(a)lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you want > > > > to use any of our email-based features. With UserFederationProvider > > > > you > > > > can delegate to the third-party storage for other user > > > > attributes/metadata. > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > We don't currently have a way to plugin your own authentication > > > > > mechanism, > > > > > but this is something we'll be adding. > > > > > > > > > > You have two choices when it comes to users, you can either use our > > > > > user > > > > > federation provider mechanism to sync between Keycloak and your > > > > > current > > > > > db. Or you can migrate the users fully to the Keycloak db. In > > > > > either > > > > > case > > > > > you have an option on overriding how passwords are verified (either > > > > > UserFederationProvider or by extending an existing UserProvider). > > > > > With > > > > > the > > > > > above authentication mechanism we'll most likely also make the > > > > > verification of passwords pluggable which would support different > > > > > hash > > > > > algorithms. > > > > > > > > > > ----- Original Message ----- > > > > >> From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > >> To: keycloak-user(a)lists.jboss.org > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > >> Subject: [keycloak-user] Customization of authentication mechanism > > > > >> and > > > > >> + > > > > >> > > > > >> > > > > >> > > > > >> Guys, > > > > >> > > > > >> I need to understand the capability of keycloak with my > > > > >> requirement > > > > >> and > > > > >> to > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > >> requirement > > > > >> is > > > > >> to > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > >> migrate > > > > >> my > > > > >> existing users. My main concerns; > > > > >> > > > > >> > > > > >> > > > > >> 1/ Customize authentication method. > > > > >> > > > > >> I need to authenticate users similar to what we currently use in > > > > >> our > > > > >> production system. In our system, users are identified by > > > > >> username, > > > > >> password > > > > >> and the pin. > > > > >> > > > > >> For instance; > > > > >> > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > >> > > > > >> User should enter all three to login to the system. > > > > >> > > > > >> I went through the codebase and I saw that the Authentication > > > > >> Manager > > > > >> (which > > > > >> is a concrete class) does all the work inside keycloak. I managed > > > > >> to > > > > >> customize the frontend with ease, however, in order to support the > > > > >> pin > > > > >> in > > > > >> the backend seems like I have to customize the > > > > >> AuthenticationManager > > > > >> class > > > > >> (no direct SPIs). > > > > >> > > > > >> Although there is a link here; > > > > >> > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... > > > > >> > > > > >> I cant seem to find anything here which matches the current code > > > > >> base > > > > >> (to > > > > >> via > > > > >> a new authentication method via spis) and the example has been > > > > >> removed. > > > > >> > > > > >> > > > > >> > > > > >> 2/ Customize password hashes. > > > > >> > > > > >> We have our own algorithm used to store password hashes. What > > > > >> should > > > > >> I > > > > >> do > > > > >> to > > > > >> add this to keycloak? > > > > >> > > > > >> I do not know the current passwords of the users already in our > > > > >> system, > > > > >> so > > > > >> when doing the migration i need keyclock to support the current > > > > >> algorithm > > > > >> we > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > >> > > > > >> > > > > >> > > > > >> Any other issues I might face? > > > > >> > > > > >> I feel key cloak is the right choice if the above two questions > > > > >> are > > > > >> answered. > > > > >> Please let me know. > > > > >> > > > > >> _______________________________________________ > > > > >> keycloak-user mailing list > > > > >> keycloak-user(a)lists.jboss.org > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user(a)lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > -- > > > > Bill Burke > > > > JBoss, a division of Red Hat > > > > http://bill.burkecentral.com > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user(a)lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > >

From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-user(a)lists.jboss.org Sent: Monday, 23 March, 2015 8:23:40 AM Subject: Re: [keycloak-user] Customization of authentication mechanism and + Stian, Thanks for clarifying. A couple of more questions and my sincere apologies for troubling u guys amidst all the work. I could not get the saml endpoints token endpoints but the openid connect protocol works fine now. Extract from previous email -------------------------------- > > > * Refreshing token when expired > > > * Handle logout events from Keycloak > > > * Clustering issues > > > * If you want to support creating rest endpoints in PHP you also need > > > to > > > support verifying the bearer token included in authorization header, > > > this > > > can be done by checking the jws signature using the realm public key * Handle logout events from Keycloak Are there any specific events I should listen to for this purpose? I saw that the js adapter somehow handles this via the iframe but is there any way for me to support me in the php backend or any other app? Basically let me explain the scenario. I have a php app and a tomcat applicaton that call keycloak for auth. I logout from the tomcat application and I need the php app user to force logout... What are the events i should listen to? Is there any document which contains these details?

* Clustering issues Are there are clustering issues with the adapters I should be aware of? or Is it simply the clustering on the server end you are referring to?

Thanks. Appreciate ur feedback...please let me know any concerns/factors I should be aware regarding the above two points. Kalinga -----Original Message----- From: "Stian Thorgersen" <stian(a)redhat.com&gt; Sent: Friday, March 20, 2015 2:12pm To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Customization of authentication mechanism and + ----- Original Message ----- > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-user(a)lists.jboss.org > Sent: Friday, 20 March, 2015 9:21:29 AM > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > Stian, > As per your previous email I should use the endpoint > /{realm}/protocols/openid-connect/token > However, I am using version 1.1.0.Final of keycloak. Seems like this is the > production ready release available, however this does not have the above > endpoint [ /{realm}/protocols/openid-connect/token] > Instead Version 1.1.0 Final has this end point which seems to be doing the > same functionality; > /realms/demo/protocol/openid-connect/access/codes Yes, sorry for the confusion. > > So I have a few questions regarding the above; > 1/ Is the /access/codes api endpoint same as /token endpoint. Where the > latter is planned to released in a future version? I compared the js > adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses /access/codes api > endpoint while 1.2.0.Beta uses /token It's equivalent and hasn't been removed yet, just deprecated so will still work in 1.2.0.Beta1, but will be removed in a future release. In 1.1.0.Final we had multiple token endpoint (/access/codes, /refresh, /grants/access) these don't require grant_type param. These are now deprecated and we've introduce the single endpoint (/token) that requires grant_type. This is so comply with the OpenID Connect spec. > 2/ Similarly /{realm}/protocols/openid-connect/auth api end point has been > changed. What is the mapping endpoint for this in 1.1.0 version? Are there > are other apis signatures that are planned to be changed in the future? Nothing planned > 3/ If I am using keycloak for an application which I am planning to roll > out > to production soon, which version would u recommend? 1.2.0.Beta1 is out in a week or two, so I recommend using that. We'll only back-port fixes to 1.1.x if we find critical security issues. > 4/ The above apis are for openid-connect. What are the endpoints available > if > the authorization type is saml? I don't have this off hand, but have a look at the SAML examples and you should find that out easily. Currently we only provide adapters for OpenID Connect. > > Extract from previous email <<Stian>> > > > * Configure adapter using keycloak.json > > > * Implement client side of OAuth2 Authorization Code Grant > > > 1. Generate a state variable and store in a cookie or session > > > 2. Redirect to > > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate > > > uuid>&redirect_uri=<callback uri> > > > 3. Once the user has logged-in it's redirected back to <callback uri> > > > with > > > a code query param > > > 4. Use the code query param to obtain a token by posting to > > > /{realm}/protocols/openid-connect/token the form-data should be > > > grant_type=authorization_code&code=<code> you also need to include a > > > http > > > basic authorization header with client id and secret > > Thanks. > > Kalinga > > > -----Original Message----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > Sent: Tuesday, March 17, 2015 3:55pm > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > Cc: keycloak-user(a)lists.jboss.org > Subject: Re: [keycloak-user] Customization of authentication mechanism and > + > > > > Source code for all adapters is in: > > https://github.com/keycloak/keycloak/tree/master/integration > > ----- Original Message ----- > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > Cc: keycloak-user(a)lists.jboss.org > > Sent: Tuesday, March 17, 2015 11:23:10 AM > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > Thanks Stian. :) Let me first go thru the resources I have on the > > website. > > The java source code of the adapter also must be present somewhere for me > > to > > have a look I guess? > > > > Kalinga > > > > -----Original Message----- > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > Sent: Tuesday, March 17, 2015 3:14pm > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > Cc: keycloak-user(a)lists.jboss.org > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > and > > + > > > > > > > > If you have any more questions feel free to ask, anyone contributing code > > gets extra questions answered ;) > > > > > > ----- Original Message ----- > > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > Cc: keycloak-user(a)lists.jboss.org > > > Sent: Tuesday, March 17, 2015 10:41:51 AM > > > Subject: Re: [keycloak-user] Customization of authentication mechanism > > > and > > > + > > > > > > There is no hints regarding adapter logic, but what you'll need is: > > > > > > * Configure adapter using keycloak.json > > > * Implement client side of OAuth2 Authorization Code Grant > > > 1. Generate a state variable and store in a cookie or session > > > 2. Redirect to > > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate > > > uuid>&redirect_uri=<callback uri> > > > 3. Once the user has logged-in it's redirected back to <callback uri> > > > with > > > a code query param > > > 4. Use the code query param to obtain a token by posting to > > > /{realm}/protocols/openid-connect/token the form-data should be > > > grant_type=authorization_code&code=<code> you also need to include a > > > http > > > basic authorization header with client id and secret > > > > > > Once you've done that you should have a token available to the > > > application. > > > Then you have to deal with: > > > > > > * Refreshing token when expired > > > * Handle logout events from Keycloak > > > * Clustering issues > > > * If you want to support creating rest endpoints in PHP you also need > > > to > > > support verifying the bearer token included in authorization header, > > > this > > > can be done by checking the jws signature using the realm public key > > > > > > ----- Original Message ----- > > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > Cc: "Stian Thorgersen" <stian(a)redhat.com&gt;, "Bill Burke" > > > > <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > > > Sent: Tuesday, March 17, 2015 10:26:18 AM > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > mechanism > > > > and > > > > + > > > > > > > > > > > > * I can get a php application in place > > > > > > > > Kalinga > > > > > > > > -----Original Message----- > > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > Sent: Tuesday, March 17, 2015 2:55pm > > > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > Thanks again. > > > > I need to go thru most documentation to get the hang of it. Will do. > > > > I would love to contribute if u can get a php application in place, > > > > is > > > > it > > > > possible for you to direct me to documentation where there are hints > > > > regarding the adapter logic? > > > > > > > > Kalinga > > > > > > > > > > > > -----Original Message----- > > > > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > > Sent: Tuesday, March 17, 2015 2:25pm > > > > To: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > Cc: "Bill Burke" <bburke(a)redhat.com&gt;, keycloak-user(a)lists.jboss.org > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > mechanism > > > > and > > > > + > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > > To: "Bill Burke" <bburke(a)redhat.com&gt; > > > > > Cc: keycloak-user(a)lists.jboss.org > > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Thanks again for your quick feedbacks. > > > > > > > > > > Sorry I have a number of questions so I will be buzzing u guys > > > > > regularly. > > > > > > > > > > I went through the document for the adapters; > > > > > > > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html > > > > > > > > > > > > > > > > > > > > So lets say I need a php application to be deployed using keycloak > > > > > as > > > > > my > > > > > SSO > > > > > manager application. > > > > > > > > > > So my basic requirement is that user should have the ability to > > > > > signin > > > > > via > > > > > keycloak. I see that there are no dedicated adapters for php (I > > > > > guess > > > > > it > > > > > must be in the works) > > > > > > > > We don't have a PHP adapter, and there's no immediate plans to create > > > > one. > > > > You could use: > > > > > > > > * JavaScript adapter > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#...) > > > > * Proxy > > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html) > > > > > > > > Alternatively have a look on Google for instructions on using OAuth2 > > > > and/or > > > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have > > > > a > > > > OpenID Connect Discovery endpoint, which should make it easier to use > > > > other > > > > OpenID Connect client libraries with Keycloak. > > > > > > > > If you're willing to contribute a PHP adapter then let me know and I > > > > can > > > > give > > > > you more details on what would be required and some hints to get you > > > > started. > > > > > > > > > > > > > > > > > > > > > > > > Is there a guideline that I should follow if I am to do it > > > > > manually? > > > > > Basically what I should to do replicate what an adapter does (if I > > > > > dont > > > > > want > > > > > to use any adapters or my apps are mobile based or deployed on > > > > > containers > > > > > hat keycloak does not have adapters for). Hope my question is > > > > > clear. > > > > > > > > > > > > > > > > > > > > Kalinga > > > > > > > > > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: "Bill Burke" <bburke(a)redhat.com&gt; > > > > > Sent: Monday, March 16, 2015 7:46pm > > > > > To: keycloak-user(a)lists.jboss.org > > > > > Subject: Re: [keycloak-user] Customization of authentication > > > > > mechanism > > > > > and > > > > > + > > > > > > > > > > > > > > > > > > > > Minimally you need to import username. Probably email too if you > > > > > want > > > > > to use any of our email-based features. With UserFederationProvider > > > > > you > > > > > can delegate to the third-party storage for other user > > > > > attributes/metadata. > > > > > > > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote: > > > > > > We don't currently have a way to plugin your own authentication > > > > > > mechanism, > > > > > > but this is something we'll be adding. > > > > > > > > > > > > You have two choices when it comes to users, you can either use > > > > > > our > > > > > > user > > > > > > federation provider mechanism to sync between Keycloak and your > > > > > > current > > > > > > db. Or you can migrate the users fully to the Keycloak db. In > > > > > > either > > > > > > case > > > > > > you have an option on overriding how passwords are verified > > > > > > (either > > > > > > UserFederationProvider or by extending an existing UserProvider). > > > > > > With > > > > > > the > > > > > > above authentication mechanism we'll most likely also make the > > > > > > verification of passwords pluggable which would support different > > > > > > hash > > > > > > algorithms. > > > > > > > > > > > > ----- Original Message ----- > > > > > >> From: "Kalinga Dissanayake" <kalinga(a)leapset.com&gt; > > > > > >> To: keycloak-user(a)lists.jboss.org > > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM > > > > > >> Subject: [keycloak-user] Customization of authentication > > > > > >> mechanism > > > > > >> and > > > > > >> + > > > > > >> > > > > > >> > > > > > >> > > > > > >> Guys, > > > > > >> > > > > > >> I need to understand the capability of keycloak with my > > > > > >> requirement > > > > > >> and > > > > > >> to > > > > > >> ensure that keycloak is scalable to meet my needs. My main > > > > > >> requirement > > > > > >> is > > > > > >> to > > > > > >> integrate keycloak to our system to support SSO hence I need to > > > > > >> migrate > > > > > >> my > > > > > >> existing users. My main concerns; > > > > > >> > > > > > >> > > > > > >> > > > > > >> 1/ Customize authentication method. > > > > > >> > > > > > >> I need to authenticate users similar to what we currently use in > > > > > >> our > > > > > >> production system. In our system, users are identified by > > > > > >> username, > > > > > >> password > > > > > >> and the pin. > > > > > >> > > > > > >> For instance; > > > > > >> > > > > > >> User -> jack, password -> pwd, pin -> 50000 > > > > > >> > > > > > >> User should enter all three to login to the system. > > > > > >> > > > > > >> I went through the codebase and I saw that the Authentication > > > > > >> Manager > > > > > >> (which > > > > > >> is a concrete class) does all the work inside keycloak. I > > > > > >> managed > > > > > >> to > > > > > >> customize the frontend with ease, however, in order to support > > > > > >> the > > > > > >> pin > > > > > >> in > > > > > >> the backend seems like I have to customize the > > > > > >> AuthenticationManager > > > > > >> class > > > > > >> (no direct SPIs). > > > > > >> > > > > > >> Although there is a link here; > > > > > >> > > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authenticat... > > > > > >> > > > > > >> I cant seem to find anything here which matches the current code > > > > > >> base > > > > > >> (to > > > > > >> via > > > > > >> a new authentication method via spis) and the example has been > > > > > >> removed. > > > > > >> > > > > > >> > > > > > >> > > > > > >> 2/ Customize password hashes. > > > > > >> > > > > > >> We have our own algorithm used to store password hashes. What > > > > > >> should > > > > > >> I > > > > > >> do > > > > > >> to > > > > > >> add this to keycloak? > > > > > >> > > > > > >> I do not know the current passwords of the users already in our > > > > > >> system, > > > > > >> so > > > > > >> when doing the migration i need keyclock to support the current > > > > > >> algorithm > > > > > >> we > > > > > >> use. Can we plugin new hashing algorithms to meet my needs? > > > > > >> > > > > > >> > > > > > >> > > > > > >> Any other issues I might face? > > > > > >> > > > > > >> I feel key cloak is the right choice if the above two questions > > > > > >> are > > > > > >> answered. > > > > > >> Please let me know. > > > > > >> > > > > > >> _______________________________________________ > > > > > >> keycloak-user mailing list > > > > > >> keycloak-user(a)lists.jboss.org > > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user(a)lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > > > -- > > > > > Bill Burke > > > > > JBoss, a division of Red Hat > > > > > http://bill.burkecentral.com > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user(a)lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user(a)lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >