Yes, there is no login module for OTP. Keycloak has the DirectAccessGrantsLoginModule class, which supports username and password only and uses Direct Grant (OAuth2 Resource Owner Password Credentials Grant) under the covers. You may need to create your own login module similar to that one, which will also add the parameter "totp" - you can look at the Keycloak class ValidateOTP for the details.

Alternatively, you can avoid servlet security entirely and somehow manage security in your web application by yourself (manually creating all the forms etc.) and manually send the Direct Grant request (OAuth2 Resource Owner Password Credentials request) including the "totp" parameter.

TBH both options are not trivial and I would really try to avoid them and go for option (a). Besides the mentioned complications of option (b), option (a) has lots of other advantages.

Marek
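The second option Marek describes (the application sends the Direct Grant request itself, with the "totp" parameter) looks like this in code. This is an added example, not code from the thread or from the Keycloak project. The Keycloak base URL, realm name, client id and the sample credentials are constructed placeholders; the token endpoint path is the standard OpenID Connect path (older Keycloak versions serve it under an additional /auth prefix). The request body is built and the response is parsed in separate functions so the error path (a 400/401 with an "error" field) is handled explicitly rather than raising an uncaught exception.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumed placeholders (not from the mailing-list thread).
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "myrealm"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"


def build_direct_grant_body(client_id, username, password, totp=None, client_secret=None):
    """Form-encoded body of a Resource Owner Password Credentials (Direct Grant) request.

    The "totp" parameter is the one the thread refers to: Keycloak's direct-grant
    flow reads the one-time code from it when OTP is required for the user.
    """
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret:  # confidential clients authenticate with their secret
        params["client_secret"] = client_secret
    if totp:  # omitted entirely for users without OTP configured
        params["totp"] = totp
    return urllib.parse.urlencode(params)


def parse_token_response(status, body_text):
    """Normalise the token endpoint's JSON answer into a small result dict.

    Success: {"ok": True, "access_token": ..., "refresh_token": ..., "expires_in": ...}
    Failure: {"ok": False, "status": ..., "error": ..., "error_description": ...}
    """
    data = json.loads(body_text) if body_text else {}
    if status == 200 and "access_token" in data:
        return {
            "ok": True,
            "access_token": data["access_token"],
            "refresh_token": data.get("refresh_token"),
            "expires_in": data.get("expires_in"),
        }
    return {
        "ok": False,
        "status": status,
        "error": data.get("error", "unknown_error"),
        "error_description": data.get("error_description", ""),
    }


def direct_grant_login(client_id, username, password, totp=None, client_secret=None,
                       endpoint=TOKEN_ENDPOINT, timeout=10):
    """POST the Direct Grant request and return the parsed result (never raises on 4xx)."""
    body = build_direct_grant_body(client_id, username, password, totp, client_secret).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.status, resp.read().decode())
    except HTTPError as err:
        # Keycloak answers wrong credentials / missing OTP with a JSON error body.
        return parse_token_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Sample call with constructed values; "123456" stands in for the code from the OTP app.
    result = direct_grant_login("my-app", "alice", "correct horse", totp="123456")
    if result["ok"]:
        print("login ok, token expires in", result["expires_in"], "s")
    else:
        print("login failed:", result["error"], result["error_description"])
```

In the application's own login servlet the form would collect username, password and the OTP field, call direct_grant_login, and only then establish the local session; the access token should be kept server-side rather than handed back to the browser.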
On 03. 09. 19 15:53, R M wrote:

Hi Marek, and thanks.

But unfortunately I want to achieve your point B.

I can understand that from a security point of view the recommendation is to use scenario A (and I have already tested enabling OTP and using the FreeOTP app on mobile), but I must go with scenario B.

I see some standard login modules available, but the one based on OTP seems not to be available.

I hope someone has already developed it.

Roberto

On Tue, 3 Sep 2019 at 09:21 Marek Posolda <mposolda(a)redhat.com> wrote:
I am not sure what exactly you want to achieve? Do you want:

a) SSO login, which means that your application will redirect to Keycloak and the login forms will be displayed by Keycloak?

b) Or do you want your application to "display" the login forms?

Keycloak is SSO, so it is highly recommended to use use-case (a). In that case, you need to change the "auth-method" to KEYCLOAK as you pointed out (in case your application is deployed on a Wildfly server). It is recommended to try some Keycloak quickstarts. Once your application redirects to Keycloak, you can just configure the OTP authenticator on the Keycloak side and you don't need to configure anything more on your application side. The used authenticators and authentication mechanisms will be completely controlled by Keycloak.

Marek
On 02. 09. 19 16:12, R M wrote:
> Hi
>
> According to the Securing Applications documentation, I can provide an adapter config file in the WAR and change the auth-method to KEYCLOAK within web.xml. Alternatively, I don't have to modify the WAR at all and I can secure it via the Keycloak adapter subsystem configuration in the configuration file, such as standalone.xml.
>
> But my app has a FORM login authentication mechanism: in web.xml I have this
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name></realm-name>
>         <form-login-config>
>             <form-login-page>/Login.jsp</form-login-page>
>             <form-error-page>/LoginError.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>
> and according to this the Login.jsp is submitting values to "j_security_check".
>
> I want to continue to use this, but I want KEYCLOAK to take control to check credentials (and manage the OTP).
>
> It is not clear (I was not able to find) whether there is some "standard" adapter or login module available, and the "name" to give to the OTP field in the login form.
>
> e.g. using PicketBox
> https://developer.jboss.org/wiki/OTPIntegrationWithJBossApplicationServer
>
> but now the PicketLink and Keycloak projects are merged and I want to use a similar way using OTP and the Keycloak server.
>
> So I'm looking for the Keycloak replacement of JBossTimeBasedOTPLoginModule (and related setup)
>
>     <login-module
>         code="org.jboss.security.auth.spi.otp.JBossTimeBasedOTPLoginModule" />
>
> Do you have any idea?
> Thanks
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user