[keycloak-dev] Async authentication example
Stian Thorgersen
sthorger at redhat.com
Wed Jul 12 06:46:55 EDT 2017
On 12 July 2017 at 12:24, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
> Great!
>
> For 7.2 and on, action tokens approach is the way, and actually a
> quickstart with that has been implemented [1]. Instead of an authenticator
> and note manipulation that are necessary for 7.1, it employs required
> actions (when action token is used, it just removes the custom required
> action).
>
> It uses somewhat similar approach to the SET but currently with a two
> tokens - one created and signed by Keycloak used to reenter the
> authentication flow when the app completes its flow, and the other signed
> by the app to have certain chance that the response has indeed been
> generated by the correct app. For details see README.md.
>
Action tokens may work in some situations, but may not always work. If
there is a specific protocol being used (for example BankID
https://www.bankid.com/) it may demand a certain callback format in which
case we would have to implement a custom realm resource to handle the
callback.
Hynek - could you create a fork of my example that uses action tokens?
>
> [1] https://github.com/keycloak/keycloak-quickstarts/pull/37
>
> On Tue, Jul 11, 2017 at 7:10 PM, Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Really nice !
>>
>> On Tue, Jul 11, 2017 at 9:29 AM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>> > I gave it a go and implemented an "async" authentication example. It's
>> > rather simple what happens is:
>> >
>> > * User authenticates with username only
>> > * Then a "waiting" page is displayed, which is waiting for some external
>> > callback. This could be an app or whatever that verifies the user then
>> > sends the callback. In the example a CURL command is printed on sysout
>> for
>> > the server which you can run to "simulate" the callback from the app.
>> > * Once the callback is received the user is authenticated without
>> filling
>> > in password or any other credentials in the main browser
>> >
>>
>> Maybe you can use a SET [1], which is basically a JWT, in order to
>> communicate authentication events between parties. For instance, send
>> additional data to the external callback about the authentication context
>> and receive back from the external callback information on how to proceed
>> with the authentication.
>>
>> [1] https://tools.ietf.org/html/draft-hunt-idevent-token-03
>>
>>
>> >
>> > https://github.com/stianst/authenticator-example
>> >
>> > Check it out here:
>> > https://youtu.be/C09BpNIf4v8
>> >
>> > It's a bit hacky in the way it's implemented:
>> >
>> > * Using notes for "callback" is a bit strange maybe?
>> > * Had to use custom realm resource for callback endpoint. Is this
>> strange?
>> > * Probably won't work for cross DC, but in 7.2 Hynek has stuff that does
>> > that
>> > * No way to push change to browser, so have to pull every 2 seconds.
>> Maybe
>> > we could add a simple authentication event feature that uses websockets
>> and
>> > a small auth js lib to do the job of notification?
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>
> --
>
> --Hynek
>
More information about the keycloak-dev
mailing list