[keycloak-user] Customization of authentication mechanism and +

Stian Thorgersen stian at redhat.com
Tue Mar 17 05:44:22 EDT 2015


If you have any more questions feel free to ask, anyone contributing code gets extra questions answered ;)


----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Kalinga Dissanayake" <kalinga at leapset.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, March 17, 2015 10:41:51 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> There is no hints regarding adapter logic, but what you'll need is:
> 
> * Configure adapter using keycloak.json
> * Implement client side of OAuth2 Authorization Code Grant
>   1. Generate a state variable and store in a cookie or session
>   2. Redirect to
>   /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate
>   uuid>&redirect_uri=<callback uri>
>   3. Once the user has logged-in it's redirected back to <callback uri> with
>   a code query param
>   4. Use the code query param to obtain a token by posting to
>   /{realm}/protocols/openid-connect/token the form-data should be
>   grant_type=authorization_code&code=<code> you also need to include a http
>   basic authorization header with client id and secret
> 
> Once you've done that you should have a token available to the application.
> Then you have to deal with:
> 
> * Refreshing token when expired
> * Handle logout events from Keycloak
> * Clustering issues
> * If you want to support creating rest endpoints in PHP you also need to
> support verifying the bearer token included in authorization header, this
> can be done by checking the jws signature using the realm public key
> 
> ----- Original Message -----
> > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > Cc: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke"
> > <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > Sent: Tuesday, March 17, 2015 10:26:18 AM
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> > 
> > 
> > * I can get a php application in place
> >  
> > Kalinga
> > 
> > -----Original Message-----
> > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > Sent: Tuesday, March 17, 2015 2:55pm
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> > 
> > 
> > 
> > Thanks again.
> > I need to go thru most documentation to get the hang of it. Will do.
> > I would love to contribute if u can get a php application in place, is it
> > possible for you to direct me to documentation where there are hints
> > regarding the adapter logic?
> >  
> > Kalinga
> > 
> > 
> > -----Original Message-----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > Sent: Tuesday, March 17, 2015 2:25pm
> > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> > 
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > To: "Bill Burke" <bburke at redhat.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, March 17, 2015 8:52:12 AM
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > > 
> > > 
> > > 
> > > Thanks again for your quick feedbacks.
> > > 
> > > Sorry I have a number of questions so I will be buzzing u guys regularly.
> > > 
> > > I went through the document for the adapters;
> > > 
> > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
> > > 
> > > 
> > > 
> > > So lets say I need a php application to be deployed using keycloak as my
> > > SSO
> > > manager application.
> > > 
> > > So my basic requirement is that user should have the ability to signin
> > > via
> > > keycloak. I see that there are no dedicated adapters for php (I guess it
> > > must be in the works)
> > 
> > We don't have a PHP adapter, and there's no immediate plans to create one.
> > You could use:
> > 
> > * JavaScript adapter
> > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)
> > * Proxy
> > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)
> > 
> > Alternatively have a look on Google for instructions on using OAuth2 and/or
> > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a
> > OpenID Connect Discovery endpoint, which should make it easier to use other
> > OpenID Connect client libraries with Keycloak.
> > 
> > If you're willing to contribute a PHP adapter then let me know and I can
> > give
> > you more details on what would be required and some hints to get you
> > started.
> > 
> > > 
> > > 
> > > 
> > > Is there a guideline that I should follow if I am to do it manually?
> > > Basically what I should to do replicate what an adapter does (if I dont
> > > want
> > > to use any adapters or my apps are mobile based or deployed on containers
> > > hat keycloak does not have adapters for). Hope my question is clear.
> > > 
> > > 
> > > 
> > > Kalinga
> > > 
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: "Bill Burke" <bburke at redhat.com>
> > > Sent: Monday, March 16, 2015 7:46pm
> > > To: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > > 
> > > 
> > > 
> > > Minimally you need to import username. Probably email too if you want
> > > to use any of our email-based features. With UserFederationProvider you
> > > can delegate to the third-party storage for other user
> > > attributes/metadata.
> > > 
> > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:
> > > > We don't currently have a way to plugin your own authentication
> > > > mechanism,
> > > > but this is something we'll be adding.
> > > > 
> > > > You have two choices when it comes to users, you can either use our
> > > > user
> > > > federation provider mechanism to sync between Keycloak and your current
> > > > db. Or you can migrate the users fully to the Keycloak db. In either
> > > > case
> > > > you have an option on overriding how passwords are verified (either
> > > > UserFederationProvider or by extending an existing UserProvider). With
> > > > the
> > > > above authentication mechanism we'll most likely also make the
> > > > verification of passwords pluggable which would support different hash
> > > > algorithms.
> > > > 
> > > > ----- Original Message -----
> > > >> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > >> To: keycloak-user at lists.jboss.org
> > > >> Sent: Monday, March 16, 2015 10:48:55 AM
> > > >> Subject: [keycloak-user] Customization of authentication mechanism and
> > > >> +
> > > >> 
> > > >> 
> > > >> 
> > > >> Guys,
> > > >> 
> > > >> I need to understand the capability of keycloak with my requirement
> > > >> and
> > > >> to
> > > >> ensure that keycloak is scalable to meet my needs. My main requirement
> > > >> is
> > > >> to
> > > >> integrate keycloak to our system to support SSO hence I need to
> > > >> migrate
> > > >> my
> > > >> existing users. My main concerns;
> > > >> 
> > > >> 
> > > >> 
> > > >> 1/ Customize authentication method.
> > > >> 
> > > >> I need to authenticate users similar to what we currently use in our
> > > >> production system. In our system, users are identified by username,
> > > >> password
> > > >> and the pin.
> > > >> 
> > > >> For instance;
> > > >> 
> > > >> User -> jack, password -> pwd, pin -> 50000
> > > >> 
> > > >> User should enter all three to login to the system.
> > > >> 
> > > >> I went through the codebase and I saw that the Authentication Manager
> > > >> (which
> > > >> is a concrete class) does all the work inside keycloak. I managed to
> > > >> customize the frontend with ease, however, in order to support the pin
> > > >> in
> > > >> the backend seems like I have to customize the AuthenticationManager
> > > >> class
> > > >> (no direct SPIs).
> > > >> 
> > > >> Although there is a link here;
> > > >> 
> > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html
> > > >> 
> > > >> I cant seem to find anything here which matches the current code base
> > > >> (to
> > > >> via
> > > >> a new authentication method via spis) and the example has been
> > > >> removed.
> > > >> 
> > > >> 
> > > >> 
> > > >> 2/ Customize password hashes.
> > > >> 
> > > >> We have our own algorithm used to store password hashes. What should I
> > > >> do
> > > >> to
> > > >> add this to keycloak?
> > > >> 
> > > >> I do not know the current passwords of the users already in our
> > > >> system,
> > > >> so
> > > >> when doing the migration i need keyclock to support the current
> > > >> algorithm
> > > >> we
> > > >> use. Can we plugin new hashing algorithms to meet my needs?
> > > >> 
> > > >> 
> > > >> 
> > > >> Any other issues I might face?
> > > >> 
> > > >> I feel key cloak is the right choice if the above two questions are
> > > >> answered.
> > > >> Please let me know.
> > > >> 
> > > >> _______________________________________________
> > > >> keycloak-user mailing list
> > > >> keycloak-user at lists.jboss.org
> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > 
> > > 
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > 
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 


More information about the keycloak-user mailing list