[keycloak-dev] Spring Security for Keycloak Contribution
Scott Rossillo
srossillo at smartling.com
Tue Apr 21 13:08:33 EDT 2015
Good point, all the more reason to implement as a Keycloak adapter.
> On Apr 21, 2015, at 1:06 PM, Bill Burke <bburke at redhat.com> wrote:
>
> FYI: Generic OIDC is not enough. OIDC does not have a SP logout callback. So, the admin console would not be able to remotely logout the user. There are also a few other events that the admin console can push to SPs, i.e. Not-before policies, and later on, black/white lists.
>
> On 4/21/2015 11:19 AM, Scott Rossillo wrote:
>> Hi Bill,
>>
>> I’ll try to get some code out soon so we can review. The adapter core does take care of a lot of the integration with KC and verification, which can be reused. The main component from adapter core that’s helpful is RequestAuthenticator, which means I'll implement a few abstract methods, and provide implementations of HttpFacade and AdapterTokenStore.
>>
>> The main Spring classes for authentication are an AuthenticationProcessingFilter and an AuthenticationProvider. The AuthenticationProcessingFilter will delegate authentication and authorization requests to an implementation of RequestAuthenticator and the AuthenticationProcessingFilter basically votes on whether or not to accept the authentication.
>>
>> If I was going to do this without RequestAuthenticator, I may as well write a generic Spring Security OIDC client, but that would be a ton more work and would be more difficult to configure. I like how the adapters let users get started quickly, by adding a library and inserting the generated keycloak.json file into their deployment. The main goal of the Keycloak Spring Security adapter is to eliminate the requirement that we use web.xml security constraints and the need for a container specific adapter.
>>
>> Spring Security is a lot more flexible than the servlet security spec on what endpoints should be protected and how. A lot of Spring Security users are accustomed to that flexibility and I'd like to bring that to Keycloak while maintaining your adapter deployment simplicity.
>>
>> ~ Scott
>>
>>
>>> On Apr 21, 2015, at 10:53 AM, Bill Burke <bburke at redhat.com> wrote:
>>>
>>> FYI, Our common adapter module is a bit convoluted as it is shared
>>> between different versions of Jetty, Tomcat, JBoss, and Wildfly who all
>>> do security a bit differently. A pure Spring adapter would be great,
>>> but we have zero experience with Spring Security. I've done some
>>> component integration work with core Spring awhile back, but nothing for
>>> years.
>>>
>>> On 4/21/2015 2:47 AM, Stian Thorgersen wrote:
>>>> It's been years since I last looked at Spring, so I'm not the person to ask ;)
>>>>
>>>> It sounds like the pure Spring Security Adapter is the better option. You should try to use code from integration/adapter-core module as that's used as the core for all our current Java based adapters. Also, it should be configurable by supplying a keycloak.json file.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Scott Rossillo" <srossillo at smartling.com>
>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>> Cc: "keycloak-dev" <keycloak-dev at lists.jboss.org>
>>>>> Sent: Tuesday, 21 April, 2015 1:02:28 AM
>>>>> Subject: Re: [keycloak-dev] Spring Security for Keycloak Contribution
>>>>>
>>>>> Hi,
>>>>>
>>>>> There are two different approaches here. The project I mentioned still relies
>>>>> on a Keycloak adapter being present in the servlet container. It’s not quite
>>>>> the final product I need but it would be useful to people who can declare
>>>>> their protected resources in web.xml.
>>>>>
>>>>> What I’m working on now is a Keycloak adapter-less Spring Security
>>>>> integration. Basically, it’s a Keycloak Spring Security Adapter that can
>>>>> stand on its own and protect resources based on the Spring Security
>>>>> configuration. It’s this latter implementation that I believe has the most
>>>>> value.
>>>>>
>>>>> Question for you: Do you want to see both approaches covered or is one
>>>>> approach more in line with the Keycloak project’s goals?
>>>>>
>>>>> In my opinion, the latter, Keycloak Spring Security Adapter, is of more value,
>>>>> but please let me know your thoughts.
>>>>>
>>>>> Thanks in advance,
>>>>> Scott
>>>>>
>>>>>
>>>>>> On Apr 16, 2015, at 9:24 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>>>
>>>>>> If you can prepare a PR for it that'd be great. Please add a
>>>>>> 'spring-security' module within the integration module where all the other
>>>>>> adapters live. Also, to create a distribution archive for the adapter
>>>>>> please add a module inside distribution that packages it up (look at
>>>>>> existing modules there for a reference).
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Scott Rossillo" <srossillo at smartling.com>
>>>>>>> To: "keycloak-dev" <keycloak-dev at lists.jboss.org>
>>>>>>> Sent: Thursday, April 16, 2015 3:08:13 PM
>>>>>>> Subject: [keycloak-dev] Spring Security for Keycloak Contribution
>>>>>>>
>>>>>>> Good morning,
>>>>>>>
>>>>>>> As I mentioned a few days ago on the users mailing list, we developed an
>>>>>>> integration between the Keycloak Adapter and Spring Security. The
>>>>>>> announcement can be found here:
>>>>>>>
>>>>>>> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001992.html
>>>>>>>
>>>>>>> The code is here:
>>>>>>> http://smartling.github.io/spring-security-keycloak/
>>>>>>> Would you be interested in either:
>>>>>>> 1. Us contributing the code to the Keycloak project or
>>>>>>> 2. You integrating the code into the Keycloak project
>>>>>>>
>>>>>>> We released the code under the Apache 2.0 license to be compatible with
>>>>>>> the Keycloak project. Let me know your thoughts.
>>>>>>> Best,
>>>>>>> Scott
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>
>
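Bill's point above is that a plain OIDC client has no way to receive the admin console's remote-logout and not-before events, so a Keycloak adapter has to handle them itself. The following is an added illustration, not code from the thread or from the Keycloak adapter: a constructed, in-memory model of the SP-side session store with the two callbacks an adapter must honour (the class and method names are assumptions, and the tokens are constructed sample values with no signature handling).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    """Constructed stand-in for the relevant claims of a Keycloak access token."""
    session_id: str   # Keycloak SSO session this token belongs to
    issued_at: int    # 'iat' claim, seconds since epoch
    expires_at: int   # 'exp' claim, seconds since epoch


@dataclass
class AdapterSessionStore:
    """Hypothetical SP-side store: what a generic OIDC client cannot update remotely."""
    not_before: int = 0                                   # realm-wide not-before policy
    sessions: dict = field(default_factory=dict)          # session_id -> Token
    logged_out: set = field(default_factory=set)          # sessions revoked by the admin console

    def login(self, token: Token) -> None:
        """Record a freshly authenticated session (e.g. after the code exchange)."""
        self.sessions[token.session_id] = token

    # --- events pushed by the admin console (the part OIDC alone does not provide) ---
    def on_logout(self, session_id: str) -> None:
        """Remote logout callback: invalidate the SP session for this SSO session."""
        self.sessions.pop(session_id, None)
        self.logged_out.add(session_id)

    def on_not_before(self, timestamp: int) -> None:
        """Not-before push: any token issued before this instant is no longer trusted."""
        self.not_before = max(self.not_before, timestamp)

    # --- per-request check the filter would run before granting access ---
    def validate(self, token: Token, now: int) -> tuple:
        """Return (accepted, reason); reason is 'ok' or why the token was refused."""
        if token.session_id in self.logged_out:
            return False, "logged_out"
        if now >= token.expires_at:
            return False, "expired"
        if token.issued_at < self.not_before:
            return False, "before_not_before_policy"
        if token.session_id not in self.sessions:
            return False, "unknown_session"
        return True, "ok"
```

The not-before check is what lets an admin revoke every token minted before a given moment without waiting for expiry; the logout callback is what makes a single-sign-out visible to the SP immediately.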