[keycloak-dev] Openshift Identity Provider for KeyCloak

Bartosz Majsak bartosz at redhat.com
Thu Feb 16 13:57:03 EST 2017


> redirect_uri is part of the OAuth spec, so it should.

That’s totally correct. My bad, I must have been in a rabbit hole chasing a
bunch of other issues in my code and somehow assumed that was the root
cause. In fact it works with and w/o it, as the redirect URI is configured when
you register a client in Openshift [1].

But still, I cannot simply use OIDC as it adds openid to the scope and this
results in the Openshift OAuth server complaining about the request - "Invalid
value: "openid": no scope handler found".

My implementation is based on AbstractOAuth2IdentityProvider and in fact it
only differs when it comes to extracting profile information (other changes
done in the project I shared in the opening mail are not feasible to make
it upstream).

To elaborate a bit on the use-case: our DevTools project will need to have
access to users’ OSO resources such as projects and thus we need such
integration. We can live with an SPI extension, but if you feel like it would
be beneficial to the project I’m more than happy to contribute this piece
(and improve it based upon feedback from the PR).

Cheers,
Bartosz.

[1]
https://docs.openshift.org/latest/architecture/additional_concepts/authentication.html#oauth-clients
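An added sketch (not the project linked above, nor Keycloak's own code) of what such a provider looks like when built on AbstractOAuth2IdentityProvider: it replaces the "openid" default scope and does only the OpenShift-specific profile extraction, inheriting the code exchange, state and redirect_uri handling. The base URL, the user:info scope, the /oapi/v1/users/~ endpoint and the metadata.uid/metadata.name fields are assumptions, and SimpleHttp.doGet(url, session) is the signature from later Keycloak releases.

```java
import com.fasterxml.jackson.databind.JsonNode;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.models.KeycloakSession;

// Only the scope and the profile extraction differ from the generic OAuth2
// provider; code exchange, state and redirect_uri handling are inherited.
public class OpenshiftIdentityProvider
        extends AbstractOAuth2IdentityProvider<OAuth2IdentityProviderConfig> {

    // baseUrl is an assumption, e.g. https://openshift.example.com:8443
    public OpenshiftIdentityProvider(KeycloakSession session,
            OAuth2IdentityProviderConfig config, String baseUrl) {
        super(session, config);
        config.setAuthorizationUrl(baseUrl + "/oauth/authorize");
        config.setTokenUrl(baseUrl + "/oauth/token");
        config.setUserInfoUrl(baseUrl + "/oapi/v1/users/~"); // assumed "current user" endpoint
    }
    // The OIDC provider would request "openid", which the OpenShift OAuth
    // server rejects ("no scope handler found"). Request only what the
    // profile lookup needs; "user:info" is an assumed OpenShift scope.
    @Override
    protected String getDefaultScopes() {
        return "user:info";
    }
    // Turn the access token into a brokered identity using the OpenShift
    // user object. The "metadata.uid"/"metadata.name" fields are assumptions.
    @Override
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        try {
            JsonNode profile = SimpleHttp.doGet(getConfig().getUserInfoUrl(), session)
                    .header("Authorization", "Bearer " + accessToken)
                    .asJson();
            JsonNode metadata = profile.get("metadata");
            BrokeredIdentityContext user = new BrokeredIdentityContext(metadata.get("uid").asText());
            user.setUsername(metadata.get("name").asText());
            user.setIdpConfig(getConfig());
            user.setIdp(this);
            // Keep the raw JSON so attribute mappers can read other fields.
            AbstractJsonUserAttributeMapper.storeUserProfileForMapper(user, profile, "openshift");
            return user;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from OpenShift.", e);
        }
    }
}
```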

On Wed, Feb 15, 2017 at 3:30 PM, Bill Burke <bburke at redhat.com> wrote:

> redirect_uri is part of the OAuth spec, so it should.  Without a
> redirect URI, the IDP is supposed to abort authentication as this URI is
> validated.  You don't want to deliver an access code to a rogue URL.
>
>
> On 2/15/17 6:38 AM, Bartosz Majsak wrote:
> > OpenShift should authenticate against Keycloak (or another IdP) at least
> > for on-prem installations.
> >
> > This is intended primarily for OSO I believe.
> >
> > For OpenShift Online I see a use-case for this, but in that case can it not
> > just use the OIDC provider?
> >
> > One issue I can already point out is that when using OIDC provider
> > authorization URL created by an AbstractOAuth2IdentityProvider will result
> > in bad request from OpenShift OAuth server, as it doesn’t accept
> > redirect_uri as a valid request parameter. At least when tested against
> > minishift.
> >
> > On Wed, Feb 15, 2017 at 12:29 PM, Stian Thorgersen <sthorger at redhat.com>
> > wrote:
> >
> >> Not sure to be honest. Strictly speaking it should be the other way
> >> around. OpenShift should authenticate against Keycloak (or another IdP) at
> >> least for on-prem installations. For OpenShift Online I see a use-case for
> >> this, but in that case can it not just use the OIDC provider?
> >>
> >> On 15 February 2017 at 02:46, Bartosz Majsak <bartosz at redhat.com> wrote:
> >>
> >>> Hi,
> >>>
> >>> I've implemented Openshift Identity Provider for KeyCloak [1]. Would you
> >>> be interested in getting it upstream?
> >>>
> >>> Cheers,
> >>> Bartosz.
> >>>
> >>> [1] https://github.com/bartoszmajsak/keycloak-openshift-identity-provider
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>

