[keycloak-user] authentication provider and login override questions

Johan Bos johan.bos at c6.eu
Tue Dec 15 08:36:53 EST 2015


Hi,

I can see KeyCloak allows defining authentication based on the SAML protocol.
My requirements are:
a set of applications/clients secured by a KeyCloak server
roles/groups defined in Keycloak
user/pass sync from Active Directory (optional - surely some mapping 
to retrieve some information)

We need keycloak and like it: for the user management and authentication 
solution it provides to an application, in a simple way.

1) When an SSO is already in place.
As the apps we provide are sometimes, but not always, integrated in a 
customer env. that is already using an SSO solution, I would like to know 
if my understanding is right:
does the authentication module in keycloak, where you can define SAML 
providers, delegate the SSO/login part to an external solution that 
will handle the authentication for it?
A possible SSO is "Ping"; they say they are SAML compatible. Does it mean 
I only need the SSO URL and logout URL to try it?

2) Since keycloak provides the login pages for SSO.
How do you integrate it with an application (angular/J2EE) that already 
has its own? Without removing it.

Do you keep the basic J2EE setup so any client URL is secured, then 
once authorized, the app continues to bring up its own login page?
Does it mean the app should have a filter to implement some auto-connect 
so the client side does not try to bring up the login and instead considers the 
user connected?
Or does it mean using keycloak.js and following some angular example where 
upon loading we first do everything from the JS side and make no 
change to the Java apps?

3) I tried to override the login flow, to make my own authenticator. I 
could see multiple ways to do it. My requirement is to have a 
supplementary field on the login page, because I need to authenticate 
and validate my username/pass/repo against a REST API that must be accessed in 
a secured way all the time, prior to giving access to my clients/realm.

In order to do this, I ended up providing my own template (ftl), but 
then I could no longer use login.username in it, since 
createResponse (normal case) is the only one to take the formData and 
load the LoginBean into the attributes with it. I was using my-page.ftl so 
could not use createLogin; instead I was using createForm.
So even when I set the attribute with the "login" key based on the 
LoginBean, login.username was triggering an error.
     forms.setAttribute("login", new LoginBean(formData));

So whatever, I simply used "username" directly and it worked, but I 
don't know to what extent nor why. I am missing some knowledge of the freemarker 
API and how you compile it with POJO beans in a Map.

3bis) For my suppl. field, I need a dropdown box and freemarker would 
need a collection to loop over. I thought I would have to pass a list of 
POJOs (to create a dropdown) in the "attributes" that are used to 
compile my template. In my template, I used "#list", but I could not get 
it to recognize my bean nor loop over it. It always considers it as not 
present.

Here is a sample of my authenticator that produces the new login form:

//repositories being a java.util.List<Repository> and Repository is a 
POJO with name and description attribute (get method implemented)
//context being the AuthenticationFlowContext
I simply do:
LoginFormsProvider forms = context.form();
forms.setAttribute("repositories", repositories);
forms.setAttribute("repository", "<default_value>");

I do this before doing the forms.createForm("my-login.ftl")

Here is what I added to my-login.ftl, which is a copy of login.ftl 
with a new field,

//...I removed the label for the field, which works nicely...

<#if repository??>
    <select id="repository" class="${properties.kcInputClass!}" name="repository" value="${repository}">
<#else>
    <select id="repository" class="${properties.kcInputClass!}" name="repository" autofocus>
</#if>
<#if repositories??>
    <#list repositories as repo>
        <#if repository?? && repository == repo.name>
            <option value="${repo.name}" selected="true">${repo.description}</option>
        <#else>
            <option value="${repo.name}">${repo.description}</option>
        </#if>
    </#list>
<#else>
    <option value="demo">demo</option>
</#if>
    </select>
What do I get wrong? I always have only the demo option.

-- 
Regards,

Johan Bos
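An added stand-alone example, not Keycloak's code and not from the post above, that exercises the same "#list" over a java.util.List of POJOs with plain FreeMarker, so the template logic from questions 3 and 3bis can be checked outside the authenticator. The Repository class, the render method and the sample entries are hypothetical; the only assumption is the FreeMarker jar (org.freemarker:freemarker, 2.3.23 or later) on the classpath. Every interpolated value uses the ?html built-in so a repository name or description that contains markup is escaped rather than injected into the generated login page.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class RepositoryDropdownDemo {

    // Hypothetical POJO standing in for the poster's Repository. FreeMarker's
    // default object wrapper resolves repo.name and repo.description through
    // the public getters, which is all a bean needs to be usable in #list.
    public static class Repository {
        private final String name;
        private final String description;

        public Repository(String name, String description) {
            this.name = name;
            this.description = description;
        }

        public String getName() { return name; }
        public String getDescription() { return description; }
    }

    // Template fragment modelled on the dropdown from my-login.ftl, with
    // ?html escaping on each interpolation. repositories?? is false only
    // when the key is absent from the data model or maps to null.
    private static final String TEMPLATE =
          "<select id=\"repository\" name=\"repository\">\n"
        + "<#if repositories??>\n"
        + "  <#list repositories as repo>\n"
        + "    <option value=\"${repo.name?html}\""
        + "<#if repository?? && repository == repo.name> selected=\"selected\"</#if>>"
        + "${repo.description?html}</option>\n"
        + "  </#list>\n"
        + "<#else>\n"
        + "  <option value=\"demo\">demo</option>\n"
        + "</#if>\n"
        + "</select>\n";

    // Renders the fragment with the same two attribute names the poster sets
    // on the LoginFormsProvider: "repositories" (the list) and "repository"
    // (the currently selected name). Either may be null.
    public static String render(List<Repository> repositories, String selected)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        cfg.setDefaultEncoding("UTF-8");
        Template template = new Template("my-login.ftl", new StringReader(TEMPLATE), cfg);

        Map<String, Object> attributes = new HashMap<>();
        if (repositories != null) {
            attributes.put("repositories", repositories);
        }
        if (selected != null) {
            attributes.put("repository", selected);
        }

        StringWriter out = new StringWriter();
        template.process(attributes, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; the second description deliberately carries
        // markup to show that ?html neutralises it in the output.
        List<Repository> repos = Arrays.asList(
            new Repository("prod", "Production repository"),
            new Repository("dev", "Dev <b>repo</b>"));

        // Expected: two <option> elements, "dev" selected, "<b>" rendered as &lt;b&gt;
        System.out.println(render(repos, "dev"));

        // Expected: only the fallback <option value="demo"> because the list is absent
        System.out.println(render(null, null));
    }
}
```

Run it with the FreeMarker jar on the classpath: if the two-option output appears here but the Keycloak page still shows only "demo", FreeMarker itself is not the part that fails to see the list, and the attribute set on the LoginFormsProvider is what needs to be traced into the template's data model.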
