[keycloak-dev] Proposal of using existing authentication and authorization server on behalf of keycloak browser-based authentication

Stian Thorgersen sthorger at redhat.com
Mon Aug 14 06:57:28 EDT 2017


I'm not really following what you are proposing to contribute to Keycloak.
We already have the SPI that allows adding a custom provider if your IdP
doesn't support SAML or OpenID Connect.

On 31 July 2017 at 06:09, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Hello.
>
> Previously, I had proposed the feature and its implementation of
> delegating authentication and authorization to an external existing server
> on behalf of keycloak's browser-based authentication mechanism, and had
> gotten advice that it is appropriate to use Identity Brokering for such
> a feature.
>
> I've re-implemented this feature using Identity Brokering. The
> description and implementation of this feature are mentioned below.
> https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent
> https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent/tree/master/src/keycloak/examples/providers/delegate-authn-consent
> It can delegate not only authentication but also authorization (consent).
>
> Kindly review it and provide us with some comments and advice.
> We would like to contribute this feature to Keycloak.
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> ---
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Thursday, June 29, 2017 6:23 PM
> To: 乗松隆志 / NORIMATSU,TAKASHI
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication
> server on behalf of keycloak browser-based authentication
>
> There's an SPI to implement your own custom identity brokering provider
> [1].
>
> [1] https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java
>
> On 29 June 2017 at 10:51, 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> I need to use an authentication server without an OIDC/OAuth2/SAMLv2
> implementation as an external IdP,
> in order to integrate an existing authentication system.
> (Some commercial products support such a case.)
>
> I consulted the identity broker section of Keycloak's manual below and found
> that if I use this feature, the external IdP must support OIDC or SAMLv2.
> https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker.html
>
> Therefore, I realized it using redirect-based authentication flows.
>
> Can Identity Brokering support such a case?
>
> Aside from this, I'd like to contribute it to Community extensions and
> examples.
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> ---
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Tuesday, June 27, 2017 5:52 PM
> To: 乗松隆志 / NORIMATSU,TAKASHI
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication
> server on behalf of keycloak browser-based authentication
>
> I'm not in favour of adding this. If it's using redirect based
> authentication flows it should be done through identity brokering, not
> authentication flows. It's also a very complex example that we don't want
> to maintain. We're also in the process of moving all examples away from the
> main Keycloak repository into a separate quickstart repository.
>
> On 27 June 2017 at 08:54, 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> Hello.
>
> Previously, I had proposed the feature of delegating authentication to an
> external authentication server on behalf of keycloak's browser-based
> authentication mechanism.
>
> I've integrated this feature into Keycloak's "examples" package and sent a PR
> (https://github.com/keycloak/keycloak/pull/4260).
> I hope this PR is reviewed and merged as an example of combining some
> providers to customize Keycloak.
>
> A detailed description of this feature is mentioned below.
> https://github.com/Hitachi/PoV-keycloak-authentication-delegation
>
> I am now engaged in integrating this feature into Keycloak as product-base
> default providers, but have encountered technical problems writing
> Arquillian tests. Could someone tell me how to resolve this problem?
>
> [Problem]
> - I could not find how to run an external authentication
> server (an application running on WildFly 10) during each Arquillian test case.
>
> After resolving this problem and writing and running Arquillian test
> cases, I'll send a PR for this feature as product-base default providers.
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

