[keycloak-dev] Integration with GuardianKey
Stian Thorgersen
sthorger at redhat.com
Tue Feb 5 01:30:05 EST 2019
Authenticator is probably the only way to do it right now. Ideally this
should be done through the event listener mechanism, but that doesn't
currently support interrupting the event.

In the future I'd like to introduce a new event SPI for user related events
that is able to interrupt events. It could be used for logins,
registrations, profile updates, etc.

On Mon, 4 Feb 2019 at 01:34, Paulo Angelo <pa at pauloangelo.com> wrote:
> Dmitry and Aléxis,
>
> Thank you very much for the directions. We are going to work on it.
>
> regards,
>
> Paulo Angelo
>
> On Sun, Feb 3, 2019 at 8:06 PM Dmitry Telegin <dt at acutus.pro> wrote:
>
> > Hello Paulo,
> >
> > To add to Alexis's reply, you can use Script authenticator [1]. It's
> > especially good for prototyping since you don't have to create and deploy
> > the whole provider module.
> >
> > Also, you'll need an HttpClient instance to be able to perform external
> > HTTP requests, see [2] for that.
> >
> > [1] https://www.keycloak.org/docs/latest/server_admin/#executions
> > [2] http://lists.jboss.org/pipermail/keycloak-user/2018-November/016456.html
> >
> > Good luck,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Sun, 2019-02-03 at 17:46 -0200, Alexis Almeida wrote:
> > > Hi Paulo,
> > >
> > > IMO the simplest way to do this is with an Authenticator Provider. Please
> > > see here:
> > >
> > > https://www.keycloak.org/docs/latest/server_development/index.html#implementing-an-authenticator
> > > .
> > >
> > > In the authenticate method you can call the GuardianKey and, depending on
> > > the result, you call a context.success() or context.failure().
> > >
> > > Like this:
> > >
> > > public void authenticate(AuthenticationFlowContext context) {
> > >     ...
> > >     if (!GuardianKeyValidation) {
> > >         Response challenge = context.form()
> > >                 .setError("something")
> > >                 .createForm("error_page.ftl");
> > >
> > >         context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
> > >         return;
> > >     }
> > >     ...
> > >     context.success();
> > > }
> > >
> > > Aléxis
> > >
> > >
> > > On Sun, 3 Feb 2019 at 15:38, Paulo Angelo <pa at pauloangelo.com> wrote:
> > >
> > > > Hi all,
> > > >
> > > > We are trying to integrate KeyCloak with GuardianKey. However, we have
> > > > doubts related to the best way to do this and the best point in
> > > > KeyCloak’s code for this integration.
> > > >
> > > > GuardianKey is a service to protect systems against authentication attacks.
> > > > It uses Machine Learning and analyses the user's behavior, threat
> > > > intelligence and psychometrics (or behavioral biometrics). The protected
> > > > system (in the concrete case, KeyCloak) must send an event via REST for the
> > > > GuardianKey on each login attempt. More info at https://guardiankey.io .
> > > >
> > > > The best way to integrate would be to have a hook in the procedure that
> > > > processes the user credentials submission in KeyCloak (the script that
> > > > receives the POST), something such as:
> > > >
> > > > if(<POST IN AUTH FORM>) {
> > > >     boolean loginFailed = checkLoginInKeyCloak();
> > > >     GuardianKeyEvent event = createEventForGuardianKey(username, loginFailed);
> > > >     boolean GuardianKeyValidation = checkGuardianKeyViaREST(event);
> > > >
> > > >     if (GuardianKeyValidation) {
> > > >         // Allow access
> > > >     } else {
> > > >         // Deny access
> > > >     }
> > > > }
> > > >
> > > > Where is the best place to create this integration? Is there a way to
> > > > create a hook for this purpose? Should we create an extension?
> > > >
> > > > Any help is welcome.
> > > >
> > > > Thank you in advance.
> > > >
> > > > Best regards,
> > > >
> > > > Paulo Angelo
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
>
>
>
> --
>
> Regards,
>
> Paulo Angelo
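
Added example, not part of the thread and not Keycloak or GuardianKey code: a minimal Authenticator of the kind discussed above that posts a login event to an external risk service through Keycloak's HttpClientProvider and fails closed on errors. The class name, RISK_URL and the plain-text "ALLOW" reply are assumptions; GuardianKey's real REST API is not shown on this page.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.util.EntityUtils;
import org.keycloak.authentication.*;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.models.*;
import org.keycloak.util.JsonSerialization;

public class RiskCheckAuthenticator implements Authenticator {
    // Hypothetical endpoint and reply format ("ALLOW" or anything else), not GuardianKey's real API.
    private static final String RISK_URL = "https://risk.example.invalid/check";
    private static final RequestConfig TIMEOUTS = RequestConfig.custom()
            .setConnectTimeout(2000).setSocketTimeout(2000).build();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        try {
            Map<String, String> event = new HashMap<>();
            event.put("username", context.getUser().getUsername()); // user set by an earlier step
            event.put("clientIp", context.getConnection().getRemoteAddr());
            HttpPost post = new HttpPost(RISK_URL);
            post.setConfig(TIMEOUTS); // bound the delay the remote call adds to every login
            post.setEntity(new StringEntity(
                    JsonSerialization.writeValueAsString(event), ContentType.APPLICATION_JSON));
            try (CloseableHttpResponse resp = context.getSession()
                    .getProvider(HttpClientProvider.class).getHttpClient().execute(post)) {
                String verdict = EntityUtils.toString(resp.getEntity()).trim();
                if (resp.getStatusLine().getStatusCode() == 200 && "ALLOW".equals(verdict)) {
                    context.success();
                } else {
                    context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
                }
            }
        } catch (Exception e) {
            // Fail closed: an unreachable risk service must not silently disable the check.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
        }
    }
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

A matching AuthenticatorFactory is still needed to register the provider. The execution has to sit after the step that identifies the user, so it only sees login attempts that reach it.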