[keycloak-user] Customization of authentication mechanism and +

Stian Thorgersen stian at redhat.com
Tue Mar 17 06:25:35 EDT 2015 

Source code for all adapters is in:

https://github.com/keycloak/keycloak/tree/master/integration

----- Original Message -----
> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, March 17, 2015 11:23:10 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> 
> Thanks Stian. :) Let me first go thru the resources I have on the website.
> The java source code of the adapter also must be present somewhere for me to
> have a look I guess?
>  
> Kalinga
> 
> -----Original Message-----
> From: "Stian Thorgersen" <stian at redhat.com>
> Sent: Tuesday, March 17, 2015 3:14pm
> To: "Kalinga Dissanayake" <kalinga at leapset.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> 
> 
> If you have any more questions feel free to ask, anyone contributing code
> gets extra questions answered ;)
> 
> 
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, March 17, 2015 10:41:51 AM
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> > 
> > There is no hints regarding adapter logic, but what you'll need is:
> > 
> > * Configure adapter using keycloak.json
> > * Implement client side of OAuth2 Authorization Code Grant
> > 1. Generate a state variable and store in a cookie or session
> > 2. Redirect to
> > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generate
> > uuid>&redirect_uri=<callback uri>
> > 3. Once the user has logged-in it's redirected back to <callback uri> with
> > a code query param
> > 4. Use the code query param to obtain a token by posting to
> > /{realm}/protocols/openid-connect/token the form-data should be
> > grant_type=authorization_code&code=<code> you also need to include a http
> > basic authorization header with client id and secret
> > 
> > Once you've done that you should have a token available to the application.
> > Then you have to deal with:
> > 
> > * Refreshing token when expired
> > * Handle logout events from Keycloak
> > * Clustering issues
> > * If you want to support creating rest endpoints in PHP you also need to
> > support verifying the bearer token included in authorization header, this
> > can be done by checking the jws signature using the realm public key
> > 
> > ----- Original Message -----
> > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > Cc: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke"
> > > <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > Sent: Tuesday, March 17, 2015 10:26:18 AM
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > > 
> > > 
> > > * I can get a php application in place
> > > 
> > > Kalinga
> > > 
> > > -----Original Message-----
> > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > Sent: Tuesday, March 17, 2015 2:55pm
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > > 
> > > 
> > > 
> > > Thanks again.
> > > I need to go thru most documentation to get the hang of it. Will do.
> > > I would love to contribute if u can get a php application in place, is it
> > > possible for you to direct me to documentation where there are hints
> > > regarding the adapter logic?
> > > 
> > > Kalinga
> > > 
> > > 
> > > -----Original Message-----
> > > From: "Stian Thorgersen" <stian at redhat.com>
> > > Sent: Tuesday, March 17, 2015 2:25pm
> > > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > > 
> > > 
> > > 
> > > 
> > > ----- Original Message -----
> > > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > To: "Bill Burke" <bburke at redhat.com>
> > > > Cc: keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, March 17, 2015 8:52:12 AM
> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > > and
> > > > +
> > > > 
> > > > 
> > > > 
> > > > Thanks again for your quick feedbacks.
> > > > 
> > > > Sorry I have a number of questions so I will be buzzing u guys
> > > > regularly.
> > > > 
> > > > I went through the document for the adapters;
> > > > 
> > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
> > > > 
> > > > 
> > > > 
> > > > So lets say I need a php application to be deployed using keycloak as
> > > > my
> > > > SSO
> > > > manager application.
> > > > 
> > > > So my basic requirement is that user should have the ability to signin
> > > > via
> > > > keycloak. I see that there are no dedicated adapters for php (I guess
> > > > it
> > > > must be in the works)
> > > 
> > > We don't have a PHP adapter, and there's no immediate plans to create
> > > one.
> > > You could use:
> > > 
> > > * JavaScript adapter
> > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)
> > > * Proxy
> > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)
> > > 
> > > Alternatively have a look on Google for instructions on using OAuth2
> > > and/or
> > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have a
> > > OpenID Connect Discovery endpoint, which should make it easier to use
> > > other
> > > OpenID Connect client libraries with Keycloak.
> > > 
> > > If you're willing to contribute a PHP adapter then let me know and I can
> > > give
> > > you more details on what would be required and some hints to get you
> > > started.
> > > 
> > > > 
> > > > 
> > > > 
> > > > Is there a guideline that I should follow if I am to do it manually?
> > > > Basically what I should to do replicate what an adapter does (if I dont
> > > > want
> > > > to use any adapters or my apps are mobile based or deployed on
> > > > containers
> > > > hat keycloak does not have adapters for). Hope my question is clear.
> > > > 
> > > > 
> > > > 
> > > > Kalinga
> > > > 
> > > > 
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: "Bill Burke" <bburke at redhat.com>
> > > > Sent: Monday, March 16, 2015 7:46pm
> > > > To: keycloak-user at lists.jboss.org
> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > > and
> > > > +
> > > > 
> > > > 
> > > > 
> > > > Minimally you need to import username. Probably email too if you want
> > > > to use any of our email-based features. With UserFederationProvider you
> > > > can delegate to the third-party storage for other user
> > > > attributes/metadata.
> > > > 
> > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:
> > > > > We don't currently have a way to plugin your own authentication
> > > > > mechanism,
> > > > > but this is something we'll be adding.
> > > > > 
> > > > > You have two choices when it comes to users, you can either use our
> > > > > user
> > > > > federation provider mechanism to sync between Keycloak and your
> > > > > current
> > > > > db. Or you can migrate the users fully to the Keycloak db. In either
> > > > > case
> > > > > you have an option on overriding how passwords are verified (either
> > > > > UserFederationProvider or by extending an existing UserProvider).
> > > > > With
> > > > > the
> > > > > above authentication mechanism we'll most likely also make the
> > > > > verification of passwords pluggable which would support different
> > > > > hash
> > > > > algorithms.
> > > > > 
> > > > > ----- Original Message -----
> > > > >> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > >> To: keycloak-user at lists.jboss.org
> > > > >> Sent: Monday, March 16, 2015 10:48:55 AM
> > > > >> Subject: [keycloak-user] Customization of authentication mechanism
> > > > >> and
> > > > >> +
> > > > >> 
> > > > >> 
> > > > >> 
> > > > >> Guys,
> > > > >> 
> > > > >> I need to understand the capability of keycloak with my requirement
> > > > >> and
> > > > >> to
> > > > >> ensure that keycloak is scalable to meet my needs. My main
> > > > >> requirement
> > > > >> is
> > > > >> to
> > > > >> integrate keycloak to our system to support SSO hence I need to
> > > > >> migrate
> > > > >> my
> > > > >> existing users. My main concerns;
> > > > >> 
> > > > >> 
> > > > >> 
> > > > >> 1/ Customize authentication method.
> > > > >> 
> > > > >> I need to authenticate users similar to what we currently use in our
> > > > >> production system. In our system, users are identified by username,
> > > > >> password
> > > > >> and the pin.
> > > > >> 
> > > > >> For instance;
> > > > >> 
> > > > >> User -> jack, password -> pwd, pin -> 50000
> > > > >> 
> > > > >> User should enter all three to login to the system.
> > > > >> 
> > > > >> I went through the codebase and I saw that the Authentication
> > > > >> Manager
> > > > >> (which
> > > > >> is a concrete class) does all the work inside keycloak. I managed to
> > > > >> customize the frontend with ease, however, in order to support the
> > > > >> pin
> > > > >> in
> > > > >> the backend seems like I have to customize the AuthenticationManager
> > > > >> class
> > > > >> (no direct SPIs).
> > > > >> 
> > > > >> Although there is a link here;
> > > > >> 
> > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html
> > > > >> 
> > > > >> I cant seem to find anything here which matches the current code
> > > > >> base
> > > > >> (to
> > > > >> via
> > > > >> a new authentication method via spis) and the example has been
> > > > >> removed.
> > > > >> 
> > > > >> 
> > > > >> 
> > > > >> 2/ Customize password hashes.
> > > > >> 
> > > > >> We have our own algorithm used to store password hashes. What should
> > > > >> I
> > > > >> do
> > > > >> to
> > > > >> add this to keycloak?
> > > > >> 
> > > > >> I do not know the current passwords of the users already in our
> > > > >> system,
> > > > >> so
> > > > >> when doing the migration i need keyclock to support the current
> > > > >> algorithm
> > > > >> we
> > > > >> use. Can we plugin new hashing algorithms to meet my needs?
> > > > >> 
> > > > >> 
> > > > >> 
> > > > >> Any other issues I might face?
> > > > >> 
> > > > >> I feel key cloak is the right choice if the above two questions are
> > > > >> answered.
> > > > >> Please let me know.
> > > > >> 
> > > > >> _______________________________________________
> > > > >> keycloak-user mailing list
> > > > >> keycloak-user at lists.jboss.org
> > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > 
> > > > 
> > > > --
> > > > Bill Burke
> > > > JBoss, a division of Red Hat
> > > > http://bill.burkecentral.com
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > 
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

More information about the keycloak-user mailing list