[keycloak-user] Customization of authentication mechanism and +

Kalinga Dissanayake kalinga at leapset.com
Tue Mar 17 05:25:26 EDT 2015


Thanks again.
I need to go through most documentation to get the hang of it. Will do.
I would love to contribute if you can get a PHP application in place. Is it possible for you to direct me to documentation where there are hints regarding the adapter logic?
 
Kalinga


-----Original Message-----
From: "Stian Thorgersen" <stian at redhat.com>
Sent: Tuesday, March 17, 2015 2:25pm
To: "Kalinga Dissanayake" <kalinga at leapset.com>
Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Customization of authentication mechanism and +




----- Original Message -----
> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, March 17, 2015 8:52:12 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> 
> 
> Thanks again for your quick feedback.
> 
> Sorry I have a number of questions so I will be buzzing you guys regularly.
> 
> I went through the document for the adapters;
> 
> http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
> 
> 
> 
> So let's say I need a php application to be deployed using keycloak as my SSO
> manager application.
> 
> So my basic requirement is that user should have the ability to sign in via
> keycloak. I see that there are no dedicated adapters for php (I guess it
> must be in the works)

We don't have a PHP adapter, and there are no immediate plans to create one. You could use:

* JavaScript adapter (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)
* Proxy (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)

Alternatively, have a look on Google for instructions on using OAuth2 and/or OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have an OpenID Connect Discovery endpoint, which should make it easier to use other OpenID Connect client libraries with Keycloak.

If you're willing to contribute a PHP adapter then let me know and I can give you more details on what would be required and some hints to get you started.

> 
> 
> 
> Is there a guideline that I should follow if I am to do it manually?
> Basically what I should do to replicate what an adapter does (if I don't want
> to use any adapters or my apps are mobile based or deployed on containers
> that keycloak does not have adapters for). Hope my question is clear.
> 
> 
> 
> Kalinga
> 
> 
> 
> 
> -----Original Message-----
> From: "Bill Burke" <bburke at redhat.com>
> Sent: Monday, March 16, 2015 7:46pm
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> 
> 
> Minimally you need to import username. Probably email too if you want
> to use any of our email-based features. With UserFederationProvider you
> can delegate to the third-party storage for other user attributes/metadata.
> 
> On 3/16/2015 6:01 AM, Stian Thorgersen wrote:
> > We don't currently have a way to plug in your own authentication mechanism,
> > but this is something we'll be adding.
> > 
> > You have two choices when it comes to users, you can either use our user
> > federation provider mechanism to sync between Keycloak and your current
> > db. Or you can migrate the users fully to the Keycloak db. In either case
> > you have an option on overriding how passwords are verified (either
> > UserFederationProvider or by extending an existing UserProvider). With the
> > above authentication mechanism we'll most likely also make the
> > verification of passwords pluggable which would support different hash
> > algorithms.
> > 
> > ----- Original Message -----
> >> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> >> To: keycloak-user at lists.jboss.org
> >> Sent: Monday, March 16, 2015 10:48:55 AM
> >> Subject: [keycloak-user] Customization of authentication mechanism and +
> >> 
> >> 
> >> 
> >> Guys,
> >> 
> >> I need to understand the capability of keycloak with my requirement and to
> >> ensure that keycloak is scalable to meet my needs. My main requirement is
> >> to
> >> integrate keycloak to our system to support SSO hence I need to migrate my
> >> existing users. My main concerns;
> >> 
> >> 
> >> 
> >> 1/ Customize authentication method.
> >> 
> >> I need to authenticate users similar to what we currently use in our
> >> production system. In our system, users are identified by username,
> >> password
> >> and the pin.
> >> 
> >> For instance;
> >> 
> >> User -> jack, password -> pwd, pin -> 50000
> >> 
> >> User should enter all three to login to the system.
> >> 
> >> I went through the codebase and I saw that the Authentication Manager
> >> (which
> >> is a concrete class) does all the work inside keycloak. I managed to
> >> customize the frontend with ease, however, in order to support the pin in
> >> the backend seems like I have to customize the AuthenticationManager class
> >> (no direct SPIs).
> >> 
> >> Although there is a link here;
> >> 
> >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html
> >> 
> >> I can't seem to find anything here which matches the current code base (to
> >> via
> >> a new authentication method via spis) and the example has been removed.
> >> 
> >> 
> >> 
> >> 2/ Customize password hashes.
> >> 
> >> We have our own algorithm used to store password hashes. What should I do
> >> to
> >> add this to keycloak?
> >> 
> >> I do not know the current passwords of the users already in our system, so
> >> when doing the migration I need keycloak to support the current algorithm
> >> we
> >> use. Can we plug in new hashing algorithms to meet my needs?
> >> 
> >> 
> >> 
> >> Any other issues I might face?
> >> 
> >> I feel keycloak is the right choice if the above two questions are
> >> answered.
> >> Please let me know.
> >> 
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 