[keycloak-dev] Proposal of using existing authentication and authorization server on behalf of keycloak browser-based authentication

Stian Thorgersen sthorger at redhat.com
Thu Aug 17 00:53:56 EDT 2017


So rather than using standard protocols (OIDC or SAML) you've come up with
your own custom protocol that folks would have to implement instead?

On 31 July 2017 at 06:09, 乗松隆志 / NORIMATSU,TAKASHI <
takashi.norimatsu.ws at hitachi.com> wrote:

> Hello.
>
> Previously, I had proposed the feature and its implementation of
> delegating authentication and authorization to an external existing server
> on behalf of keycloak's browser-based authentication mechanism, and had
> received advice that it is appropriate to use Identity Brokering for such
> a feature.
>
> I've re-implemented this feature using Identity Brokering. The
> description and implementation of this feature are given below.
> https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent
> https://github.com/Hitachi/PoV-keycloak-delegate-authn-consent/tree/master/src/keycloak/examples/providers/delegate-authn-consent
> It can delegate not only authentication but also authorization (consent).
>
> Kindly review it and provide us with some comments and advice.
> We would like to contribute this feature onto keycloak.
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> ---
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Thursday, June 29, 2017 6:23 PM
> To: 乗松隆志 / NORIMATSU,TAKASHI
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication
> server on behalf of keycloak browser-based authentication
>
> There's an SPI to implement your own custom identity brokering provider
> [1].
>
> [1] https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/broker/provider/IdentityProvider.java
>
> On 29 June 2017 at 10:51, 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> I need to use an authentication server that has no OIDC/OAuth2/SAMLv2
> implementation as an external IdP,
> in order to integrate an existing authentication system.
> (Some commercial products support such a case.)
>
> I consulted the identity broker section in keycloak's manual below and found
> that if I use this feature, the external IdP must support OIDC or SAMLv2.
> https://keycloak.gitbooks.io/documentation/server_admin/topics/identity-broker.html
>
> Therefore, I implemented it using redirect-based authentication flows.
>
> Can Identity Brokering support such a case?
>
> Aside from this, I'd like to contribute it to Community extensions and
> examples.
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> ---
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Tuesday, June 27, 2017 5:52 PM
> To: 乗松隆志 / NORIMATSU,TAKASHI
> Cc: keycloak-dev at lists.jboss.org
> Subject: [!]Re: [keycloak-dev] Proposal of using existing authentication
> server on behalf of keycloak browser-based authentication
>
> I'm not in favour of adding this. If it's using redirect-based
> authentication flows it should be done through identity brokering, not
> authentication flows. It's also a very complex example that we don't want
> to maintain. We're also in the process of moving all examples away from the
> main Keycloak repository into a separate quickstart repository.
>
> On 27 June 2017 at 08:54, 乗松隆志 / NORIMATSU,TAKASHI <
> takashi.norimatsu.ws at hitachi.com> wrote:
> Hello.
>
> Previously, I had proposed the feature of delegating authentication to an
> external authentication server on behalf of keycloak's browser-based
> authentication mechanism.
>
> I've integrated this feature into keycloak's "examples" packages and sent a PR
> (https://github.com/keycloak/keycloak/pull/4260).
> I hope this PR is reviewed and merged as an example of combining several
> providers to customize keycloak.
>
> A detailed description of this feature is given below.
> https://github.com/Hitachi/PoV-keycloak-authentication-delegation
>
> I am now working on integrating this feature into keycloak as product-base
> default providers, but have encountered technical problems writing
> Arquillian tests. Could someone tell me how to resolve this problem?
>
> [Problem]
> - I could not find how to run an external authentication
> server (an application running on WildFly 10) during each Arquillian test case.
>
> After resolving this problem and writing and running the Arquillian test
> cases, I'll send a PR for this feature as product-base default providers.
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
