[keycloak-dev] Integration with GuardianKey

Paulo Angelo pa at pauloangelo.com
Sun Feb 3 19:21:46 EST 2019


Dmitry and Aléxis,

Thank you very much for the directions. We are going to work on it.

regards,

Paulo Angelo

On Sun, Feb 3, 2019 at 8:06 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Hello Paulo,
>
> To add to Alexis's reply, you can use Script authenticator [1]. It's
> especially good for prototyping since you don't have to create and deploy
> the whole provider module.
>
> Also, you'll need an HttpClient instance to be able to perform external
> HTTP requests, see [2] for that.
>
> [1] https://www.keycloak.org/docs/latest/server_admin/#executions
> [2] http://lists.jboss.org/pipermail/keycloak-user/2018-November/016456.html
>
> Good luck,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Sun, 2019-02-03 at 17:46 -0200, Alexis Almeida wrote:
> > Hi Paulo,
> >
> > IMO the simplest way to do this is with an Authenticator Provider. Please
> > see here:
> >
> > https://www.keycloak.org/docs/latest/server_development/index.html#implementing-an-authenticator
> >
> > In the authenticate method you can call the GuardianKey and, depending on
> > the result, you call context.success() or context.failure().
> >
> > Like this:
> >
> > public void authenticate(AuthenticationFlowContext context) {
> >     ...
> >     if (!GuardianKeyValidation) {
> >         Response challenge = context.form()
> >                 .setError("something")
> >                 .createForm("error_page.ftl");
> >
> >         context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
> >         return;
> >     }
> >     ...
> >     context.success();
> > }
> >
> > Aléxis
> >
> >
> > On Sun, Feb 3, 2019 at 15:38, Paulo Angelo <pa at pauloangelo.com> wrote:
> >
> > > Hi all,
> > >
> > > We are trying to integrate KeyCloak with GuardianKey. However, we have
> > > doubts related to the best way to do this and the best point in the
> > > KeyCloak’s code for this integration.
> > >
> > > GuardianKey is a service to protect systems against authentication
> > > attacks. It uses Machine Learning and analyses the user's behavior,
> > > threat intelligence and psychometrics (or behavioral biometrics). The
> > > protected system (in the concrete case, KeyCloak) must send an event
> > > via REST for the GuardianKey on each login attempt. More info at
> > > https://guardiankey.io.
> > >
> > > The best way to integrate would be to have a hook in the procedure
> > > that processes the user credentials submission in KeyCloak (the script
> > > that receives the POST), something such as:
> > >
> > > if(<POST IN AUTH FORM>) {
> > >     boolean loginFailed = checkLoginInKeyCloak();
> > >     GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
> > >     boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
> > >
> > >     if(GuardianKeyValidation){
> > >         // Allow access
> > >     } else {
> > >         // Deny access
> > >     }
> > > }
> > >
> > > Where is the best place to create this integration? Is there a way to
> > > create a hook for this purpose? Should we create an extension?
> > >
> > > Any help is welcome.
> > >
> > > Thank you in advance.
> > >
> > > Best regards,
> > >
> > > Paulo Angelo
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev



-- 

Regards,

Paulo Angelo
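
Added example, not part of the original thread and not Keycloak or GuardianKey code: one way the Authenticator provider suggested above could call an external risk service through Keycloak's HttpClientProvider and deny the login when the service is unreachable. The class name, endpoint URL, JSON field names and the "ALLOW" value are hypothetical; it assumes the 2019-era javax.ws.rs and Apache HttpClient 4 APIs and an execution placed after the username/password form, so it only sees attempts that passed the password check.

```java
import java.io.IOException;
import java.util.*;
import javax.ws.rs.core.Response;
import com.fasterxml.jackson.databind.JsonNode;
import org.apache.http.HttpResponse;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.*;
import org.apache.http.util.EntityUtils;
import org.keycloak.authentication.*;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.*;
import org.keycloak.util.JsonSerialization;

public class RiskCheckAuthenticator implements Authenticator {
    // Hypothetical endpoint and payload; take the real ones from the risk service's documentation.
    private static final String RISK_URL = "https://risk.example.invalid/checkaccess";

    @Override public void authenticate(AuthenticationFlowContext context) {
        boolean allowed;
        try { allowed = riskServiceAllows(context); }
        catch (IOException e) { allowed = false; } // fail closed: timeout or bad reply denies the login
        if (!allowed) {
            Response challenge = context.form().setError("something").createForm("error_page.ftl");
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        context.success();
    }

    private boolean riskServiceAllows(AuthenticationFlowContext context) throws IOException {
        Map<String, String> event = new HashMap<>();
        event.put("username", context.getUser().getUsername());          // hypothetical field names
        event.put("clientIp", context.getConnection().getRemoteAddr());
        HttpPost post = new HttpPost(RISK_URL);
        // Short timeouts so a slow risk service cannot stall the login flow.
        post.setConfig(RequestConfig.custom().setConnectTimeout(2000).setSocketTimeout(2000).build());
        post.setEntity(new StringEntity(JsonSerialization.writeValueAsString(event), ContentType.APPLICATION_JSON));
        HttpResponse response = context.getSession().getProvider(HttpClientProvider.class).getHttpClient().execute(post);
        try {
            if (response.getStatusLine().getStatusCode() != 200 || response.getEntity() == null) return false;
            JsonNode body = JsonSerialization.readValue(response.getEntity().getContent(), JsonNode.class);
            return "ALLOW".equals(body.path("decision").asText()); // anything else is treated as deny
        } finally { EntityUtils.consumeQuietly(response.getEntity()); }
    }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; } // needs the user set by an earlier execution
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```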

