[keycloak-dev] Async authentication example
Hynek Mlnarik
hmlnarik at redhat.com
Wed Jul 19 09:44:25 EDT 2017
Just added the example -
https://github.com/keycloak/keycloak-quickstarts/tree/master/action-token-authenticator
--Hynek
On Wed, Jul 12, 2017 at 12:46 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>
> On 12 July 2017 at 12:24, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>>
>> Great!
>>
>> For 7.2 and on, action tokens approach is the way, and actually a
>> quickstart with that has been implemented [1]. Instead of an authenticator
>> and note manipulation that are necessary for 7.1, it employs required
>> actions (when action token is used, it just removes the custom required
>> action).
>>
>> It uses somewhat similar approach to the SET but currently with a two
>> tokens - one created and signed by Keycloak used to reenter the
>> authentication flow when the app completes its flow, and the other signed by
>> the app to have certain chance that the response has indeed been generated
>> by the correct app. For details see README.md.
>
>
> Action tokens may work in some situations, but may not always work. If there
> is a specific protocol being used (for example BankID
> https://www.bankid.com/) it may demand a certain callback format in which
> case we would have to implement a custom realm resource to handle the
> callback.
>
> Hynek - could you create a fork of my example that uses action tokens?
>
>>
>>
>> [1] https://github.com/keycloak/keycloak-quickstarts/pull/37
>>
>> On Tue, Jul 11, 2017 at 7:10 PM, Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>>
>>> Really nice !
>>>
>>> On Tue, Jul 11, 2017 at 9:29 AM, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>> > I gave it a go and implemented an "async" authentication example. It's
>>> > rather simple what happens is:
>>> >
>>> > * User authenticates with username only
>>> > * Then a "waiting" page is displayed, which is waiting for some
>>> > external
>>> > callback. This could be an app or whatever that verifies the user then
>>> > sends the callback. In the example a CURL command is printed on sysout
>>> > for
>>> > the server which you can run to "simulate" the callback from the app.
>>> > * Once the callback is received the user is authenticated without
>>> > filling
>>> > in password or any other credentials in the main browser
>>> >
>>>
>>> Maybe you can use a SET [1], which is basically a JWT, in order to
>>> communicate authentication events between parties. For instance, send
>>> additional data to the external callback about the authentication context
>>> and receive back from the external callback information on how to proceed
>>> with the authentication.
>>>
>>> [1] https://tools.ietf.org/html/draft-hunt-idevent-token-03
>>>
>>>
>>> >
>>> > https://github.com/stianst/authenticator-example
>>> >
>>> > Check it out here:
>>> > https://youtu.be/C09BpNIf4v8
>>> >
>>> > It's a bit hacky in the way it's implemented:
>>> >
>>> > * Using notes for "callback" is a bit strange maybe?
>>> > * Had to use custom realm resource for callback endpoint. Is this
>>> > strange?
>>> > * Probably won't work for cross DC, but in 7.2 Hynek has stuff that
>>> > does
>>> > that
>>> > * No way to push change to browser, so have to pull every 2 seconds.
>>> > Maybe
>>> > we could add a simple authentication event feature that uses websockets
>>> > and
>>> > a small auth js lib to do the job of notification?
>>> > _______________________________________________
>>> > keycloak-dev mailing list
>>> > keycloak-dev at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> >
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>>
>> --
>>
>> --Hynek
>
>
--
--Hynek
More information about the keycloak-dev
mailing list