[keycloak-dev] Async authentication example

Hynek Mlnarik hmlnarik at redhat.com
Wed Jul 12 06:24:22 EDT 2017


Great!

For 7.2 and on, action tokens approach is the way, and actually a
quickstart with that has been implemented [1]. Instead of an authenticator
and note manipulation that are necessary for 7.1, it employs required
actions (when action token is used, it just removes the custom required
action).

It uses somewhat similar approach to the SET but currently with a two
tokens - one created and signed by Keycloak used to reenter the
authentication flow when the app completes its flow, and the other signed
by the app to have certain chance that the response has indeed been
generated by the correct app. For details see README.md.

[1] https://github.com/keycloak/keycloak-quickstarts/pull/37

On Tue, Jul 11, 2017 at 7:10 PM, Pedro Igor Silva <psilva at redhat.com> wrote:

> Really nice !
>
> On Tue, Jul 11, 2017 at 9:29 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> > I gave it a go and implemented an "async" authentication example. It's
> > rather simple what happens is:
> >
> > * User authenticates with username only
> > * Then a "waiting" page is displayed, which is waiting for some external
> > callback. This could be an app or whatever that verifies the user then
> > sends the callback. In the example a CURL command is printed on sysout
> for
> > the server which you can run to "simulate" the callback from the app.
> > * Once the callback is received the user is authenticated without filling
> > in password or any other credentials in the main browser
> >
>
> Maybe you can use a SET [1], which is basically a JWT, in order to
> communicate authentication events between parties. For instance, send
> additional data to the external callback about the authentication context
> and receive back from the external callback information on how to proceed
> with the authentication.
>
> [1] https://tools.ietf.org/html/draft-hunt-idevent-token-03
>
>
> >
> > https://github.com/stianst/authenticator-example
> >
> > Check it out here:
> > https://youtu.be/C09BpNIf4v8
> >
> > It's a bit hacky in the way it's implemented:
> >
> > * Using notes for "callback" is a bit strange maybe?
> > * Had to use custom realm resource for callback endpoint. Is this
> strange?
> > * Probably won't work for cross DC, but in 7.2 Hynek has stuff that does
> > that
> > * No way to push change to browser, so have to pull every 2 seconds.
> Maybe
> > we could add a simple authentication event feature that uses websockets
> and
> > a small auth js lib to do the job of notification?
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>



-- 

--Hynek


More information about the keycloak-dev mailing list