[keycloak-dev] Customising Keycloak Authentication flow

Lakshmi Narayana VADALI (lvadali) lvadali at cisco.com
Tue Sep 9 05:32:03 EDT 2014


Thanks for the quick reply.

We are planning to authenticate a device (client) which will come with its certificate. It seems the two extension points may not work for the requirement we have.

The cert implementation for Keycloak that is planned may not work for us, as we need to handle this authentication differently. For example, we can't configure the realm client's trust store to contain certificates from all clients. In the absence of this, we will need the client to provide its certificate, which is signed by a specific CA root authority, and also establish that it owns the private key for this certificate.

Can you please help us understand
1. What kind of hooks are planned, and when are they planned?
2. Will the hooks help in building the 2-step authentication we need? (The 2-step authentication is explained in my initial mail.)

Thanks,
Lakshmi Narayana V

-----Original Message-----
From: Stian Thorgersen [mailto:stian at redhat.com] 
Sent: Tuesday, September 09, 2014 1:39 PM
To: Lakshmi Narayana VADALI (lvadali)
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Customising Keycloak Authentication flow

Afraid at the moment we don't have any proper way to hook into this, but we are planning to add this in the future.

I'm assuming you're authenticating clients, not users? If so that's something we plan to add support for at some point.

We'll probably add two extension points, one for adding custom login for users (for example a hardware multi-factor auth or even fingerprint scanner) and another for authenticating clients (certificate, jwt, etc.).

----- Original Message -----
> From: "Lakshmi Narayana VADALI (lvadali)" <lvadali at cisco.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 9 September, 2014 7:48:44 AM
> Subject: [keycloak-dev] Customising Keycloak Authentication flow
> 
> Hi,
> 
> Instead of the existing one-step authentication (user/pass), we need custom
> certificate-based authentication, which is a 2-step authentication as below:
> 
> 1. Bypass the login screen; instead generate a nonce (UUID) and provide an
> intermediate endpoint URL for certificate-based authentication.
> 
> 2. The client will come to certificate-based authentication with its
> certificate and encrypted UUID. After validating the encrypted UUID
> and client certificate, the server should generate an "Access code".
> 
> We have gone through the 1.3 Beta source code and realised that to achieve this
> the following code changes are needed:
> 
> 1. Changes in the TokenService class (login method) to bypass the login form
> and generate the UUID.
> 
> 2. Preserve the UUID and URL parameters obtained during the call in
> TokenManager.
> 
> 3. Redirect to custom_endpoint, where the client will submit its
> certificate and encrypted nonce.
> 
> This endpoint will generate the "access code" once cert authentication
> is completed.
> 
> It looks like we need to make changes in some of the core files like
> TokenService, TokenManager, OAuthFlows, ...
> 
> Can you please let us know if there is any way we can achieve this
> customization just by hooking in our code
> (without modifying them).
> 
> Thanks,
> 
> Lakshmi Narayana V
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
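The two-step flow described in the original mail (a nonce handed out instead of a login form, then the device's certificate plus a proof of possession exchanged for an access code), as a stand-alone Go illustration added here. It is not Keycloak code and does not touch TokenService, TokenManager or OAuthFlows; the CA, device names and certificates are constructed inside the example. It also assumes the proof of possession is a signature over the nonce rather than the "encrypted UUID" in the mail, because a signature is what the server can check against the certificate's public key to establish that the client owns the private key. The server trusts only the one CA root from the mail, not a trust store of every device certificate, and each nonce is single-use and short-lived so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// AuthServer holds the server side of the flow: the single CA root that device
// certificates must chain to, and the nonces issued in step 1 with their expiry.
type AuthServer struct {
	roots  *x509.CertPool
	mu     sync.Mutex
	nonces map[string]time.Time
}

func NewAuthServer(caRoot *x509.Certificate) *AuthServer {
	pool := x509.NewCertPool()
	pool.AddCert(caRoot)
	return &AuthServer{roots: pool, nonces: make(map[string]time.Time)}
}

// IssueNonce is step 1: no login form, just a fresh random challenge with a short
// lifetime (the mail uses a UUID; 128 random bits serve the same purpose).
func (s *AuthServer) IssueNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	s.mu.Lock()
	s.nonces[n] = time.Now().Add(2 * time.Minute)
	s.mu.Unlock()
	return n
}

// Authenticate is step 2. It consumes the nonce (single use), checks that the
// presented certificate chains to the configured CA root only, and verifies the
// signature over the nonce, which is the proof that the client holds the private
// key. On success it returns a freshly generated access code.
func (s *AuthServer) Authenticate(certDER []byte, nonce string, sig []byte) (string, error) {
	s.mu.Lock()
	exp, ok := s.nonces[nonce]
	delete(s.nonces, nonce)
	s.mu.Unlock()
	if !ok || time.Now().After(exp) {
		return "", errors.New("unknown, replayed or expired nonce")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by the trusted CA: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, []byte(nonce), sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	code := make([]byte, 16)
	if _, err := rand.Read(code); err != nil {
		return "", err
	}
	return hex.EncodeToString(code), nil
}

// SignNonce is the client side of step 2: sign the challenge with the device key.
func SignNonce(key *ecdsa.PrivateKey, nonce string) []byte {
	digest := sha256.Sum256([]byte(nonce))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// newCert builds constructed test fixtures: a self-signed CA root when isCA is
// set, otherwise a device certificate issued by parent. Not a real PKI.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, der, key
}

func main() {
	ca, _, caKey := newCert("Example Device CA", true, nil, nil)
	_, devDER, devKey := newCert("device-0001", false, ca, caKey)
	srv := NewAuthServer(ca)
	nonce := srv.IssueNonce()
	fmt.Println(srv.Authenticate(devDER, nonce, SignNonce(devKey, nonce)))
}
```

The three checks in Authenticate map onto the three things the thread asks for: the nonce check defeats replay of a captured response, the chain check enforces "signed by a specific CA root authority" without a per-device trust store, and the signature check establishes ownership of the private key. A device that presents a certificate from some other CA, or a valid certificate without its key, gets no access code.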


