[keycloak-user] Customization of authentication mechanism and +

Stian Thorgersen stian at redhat.com
Fri Mar 20 04:42:37 EDT 2015



----- Original Message -----
> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 20 March, 2015 9:21:29 AM
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> 
> Stian,
> As per your previous email I should use the endpoint
> /{realm}/protocols/openid-connect/token
> However, I am using version 1.1.0.Final of Keycloak. It seems like this is the
> production-ready release available; however, this does not have the above
> endpoint [/{realm}/protocols/openid-connect/token].
> Instead, version 1.1.0.Final has this endpoint, which seems to provide the
> same functionality:
> /realms/demo/protocol/openid-connect/access/codes

Yes, sorry for the confusion.

>  
> So I have a few questions regarding the above:
> 1/ Is the /access/codes API endpoint the same as the /token endpoint, where the
> latter is planned to be released in a future version? I compared the JS
> adapters in 1.1.0 and 1.2.0.Beta. The 1.1.0 version uses the /access/codes API
> endpoint while 1.2.0.Beta uses /token.

It's equivalent and hasn't been removed yet, just deprecated, so it will still work in 1.2.0.Beta1, but it will be removed in a future release.

In 1.1.0.Final we had multiple token endpoints (/access/codes, /refresh, /grants/access); these don't require a grant_type param. These are now deprecated and we've introduced a single endpoint (/token) that requires grant_type. This is to comply with the OpenID Connect spec.

> 2/ Similarly, the /{realm}/protocols/openid-connect/auth API endpoint has been
> changed. What is the mapping endpoint for this in the 1.1.0 version? Are there
> other API signatures that are planned to be changed in the future?

Nothing planned

> 3/ If I am using Keycloak for an application which I am planning to roll out
> to production soon, which version would you recommend?

1.2.0.Beta1 is out in a week or two, so I recommend using that. We'll only back-port fixes to 1.1.x if we find critical security issues.

> 4/ The above APIs are for OpenID Connect. What are the endpoints available if
> the authorization type is SAML?

I don't have this offhand, but have a look at the SAML examples and you should find that out easily. Currently we only provide adapters for OpenID Connect.

>  
> Extract from previous email <<Stian>>
> > > * Configure adapter using keycloak.json
> > > * Implement client side of OAuth2 Authorization Code Grant
> > > 1. Generate a state variable and store in a cookie or session
> > > 2. Redirect to
> > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generated uuid>&redirect_uri=<callback uri>
> > > 3. Once the user has logged in, they are redirected back to <callback uri>
> > > with a code query param
> > > 4. Use the code query param to obtain a token by posting to
> > > /{realm}/protocols/openid-connect/token; the form-data should be
> > > grant_type=authorization_code&code=<code>. You also need to include an HTTP
> > > Basic authorization header with client id and secret
>  
> Thanks.
>  
> Kalinga
> 
> 
> -----Original Message-----
> From: "Stian Thorgersen" <stian at redhat.com>
> Sent: Tuesday, March 17, 2015 3:55pm
> To: "Kalinga Dissanayake" <kalinga at leapset.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Customization of authentication mechanism and +
> 
> 
> 
> Source code for all adapters is in:
> 
> https://github.com/keycloak/keycloak/tree/master/integration
> 
> ----- Original Message -----
> > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, March 17, 2015 11:23:10 AM
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> > 
> > 
> > Thanks Stian. :) Let me first go through the resources I have on the website.
> > The Java source code of the adapter also must be present somewhere for me to
> > have a look, I guess?
> > 
> > Kalinga
> > 
> > -----Original Message-----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > Sent: Tuesday, March 17, 2015 3:14pm
> > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > Cc: keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] Customization of authentication mechanism and
> > +
> > 
> > 
> > 
> > If you have any more questions feel free to ask, anyone contributing code
> > gets extra questions answered ;)
> > 
> > 
> > ----- Original Message -----
> > > From: "Stian Thorgersen" <stian at redhat.com>
> > > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Tuesday, March 17, 2015 10:41:51 AM
> > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > and
> > > +
> > > 
> > > There are no hints regarding adapter logic, but what you'll need is:
> > > 
> > > * Configure adapter using keycloak.json
> > > * Implement client side of OAuth2 Authorization Code Grant
> > > 1. Generate a state variable and store in a cookie or session
> > > 2. Redirect to
> > > /{realm}/protocols/openid-connect/auth?client_id=<client>&response_type=code&state=<generated uuid>&redirect_uri=<callback uri>
> > > 3. Once the user has logged in, they are redirected back to <callback uri>
> > > with a code query param
> > > 4. Use the code query param to obtain a token by posting to
> > > /{realm}/protocols/openid-connect/token; the form-data should be
> > > grant_type=authorization_code&code=<code>. You also need to include an HTTP
> > > Basic authorization header with client id and secret
> > > 
> > > Once you've done that you should have a token available to the application.
> > > Then you have to deal with:
> > > 
> > > * Refreshing token when expired
> > > * Handle logout events from Keycloak
> > > * Clustering issues
> > > * If you want to support creating REST endpoints in PHP you also need to
> > > support verifying the bearer token included in the Authorization header; this
> > > can be done by checking the JWS signature using the realm public key
> > > 
> > > ----- Original Message -----
> > > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > Cc: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke"
> > > > <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > > Sent: Tuesday, March 17, 2015 10:26:18 AM
> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > > and
> > > > +
> > > > 
> > > > 
> > > > * I can get a php application in place
> > > > 
> > > > Kalinga
> > > > 
> > > > -----Original Message-----
> > > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > Sent: Tuesday, March 17, 2015 2:55pm
> > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > > and
> > > > +
> > > > 
> > > > 
> > > > 
> > > > Thanks again.
> > > > I need to go through most of the documentation to get the hang of it. Will do.
> > > > I would love to contribute if you can get a PHP application in place. Is it
> > > > possible for you to direct me to documentation where there are hints
> > > > regarding the adapter logic?
> > > > 
> > > > Kalinga
> > > > 
> > > > 
> > > > -----Original Message-----
> > > > From: "Stian Thorgersen" <stian at redhat.com>
> > > > Sent: Tuesday, March 17, 2015 2:25pm
> > > > To: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > > Subject: Re: [keycloak-user] Customization of authentication mechanism
> > > > and
> > > > +
> > > > 
> > > > 
> > > > 
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > > To: "Bill Burke" <bburke at redhat.com>
> > > > > Cc: keycloak-user at lists.jboss.org
> > > > > Sent: Tuesday, March 17, 2015 8:52:12 AM
> > > > > Subject: Re: [keycloak-user] Customization of authentication
> > > > > mechanism
> > > > > and
> > > > > +
> > > > > 
> > > > > 
> > > > > 
> > > > > Thanks again for your quick feedback.
> > > > > 
> > > > > Sorry, I have a number of questions so I will be buzzing you guys
> > > > > regularly.
> > > > > 
> > > > > I went through the document for the adapters:
> > > > > 
> > > > > http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html
> > > > > 
> > > > > So let's say I need a PHP application to be deployed using Keycloak as
> > > > > my SSO manager application.
> > > > > 
> > > > > So my basic requirement is that the user should have the ability to
> > > > > sign in via Keycloak. I see that there are no dedicated adapters for PHP
> > > > > (I guess it must be in the works).
> > > > 
> > > > We don't have a PHP adapter, and there are no immediate plans to create one.
> > > > You could use:
> > > > 
> > > > * JavaScript adapter
> > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/ch08.html#javascript-adapter)
> > > > * Proxy
> > > > (http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html/proxy.html)
> > > > 
> > > > Alternatively, have a look on Google for instructions on using OAuth2 and/or
> > > > OpenID Connect with PHP. Once 1.2.0.Beta1 is released we'll also have an
> > > > OpenID Connect Discovery endpoint, which should make it easier to use other
> > > > OpenID Connect client libraries with Keycloak.
> > > > 
> > > > If you're willing to contribute a PHP adapter then let me know and I can
> > > > give you more details on what would be required and some hints to get you
> > > > started.
> > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > Is there a guideline that I should follow if I am to do it manually?
> > > > > Basically, what should I do to replicate what an adapter does (if I don't
> > > > > want to use any adapters, or my apps are mobile-based or deployed on
> > > > > containers that Keycloak does not have adapters for)? Hope my question is clear.
> > > > > 
> > > > > 
> > > > > 
> > > > > Kalinga
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > -----Original Message-----
> > > > > From: "Bill Burke" <bburke at redhat.com>
> > > > > Sent: Monday, March 16, 2015 7:46pm
> > > > > To: keycloak-user at lists.jboss.org
> > > > > Subject: Re: [keycloak-user] Customization of authentication
> > > > > mechanism
> > > > > and
> > > > > +
> > > > > 
> > > > > 
> > > > > 
> > > > > Minimally you need to import username. Probably email too if you want
> > > > > to use any of our email-based features. With UserFederationProvider you
> > > > > can delegate to the third-party storage for other user attributes/metadata.
> > > > > 
> > > > > On 3/16/2015 6:01 AM, Stian Thorgersen wrote:
> > > > > > We don't currently have a way to plug in your own authentication
> > > > > > mechanism, but this is something we'll be adding.
> > > > > > 
> > > > > > You have two choices when it comes to users: you can either use our
> > > > > > user federation provider mechanism to sync between Keycloak and your
> > > > > > current db, or you can migrate the users fully to the Keycloak db. In
> > > > > > either case you have the option of overriding how passwords are verified
> > > > > > (either UserFederationProvider or by extending an existing UserProvider).
> > > > > > With the above authentication mechanism we'll most likely also make the
> > > > > > verification of passwords pluggable, which would support different hash
> > > > > > algorithms.
> > > > > > 
> > > > > > ----- Original Message -----
> > > > > >> From: "Kalinga Dissanayake" <kalinga at leapset.com>
> > > > > >> To: keycloak-user at lists.jboss.org
> > > > > >> Sent: Monday, March 16, 2015 10:48:55 AM
> > > > > >> Subject: [keycloak-user] Customization of authentication mechanism
> > > > > >> and
> > > > > >> +
> > > > > >> 
> > > > > >> 
> > > > > >> 
> > > > > >> Guys,
> > > > > >> 
> > > > > >> I need to understand the capability of Keycloak with my requirement
> > > > > >> and to ensure that Keycloak is scalable to meet my needs. My main
> > > > > >> requirement is to integrate Keycloak into our system to support SSO,
> > > > > >> hence I need to migrate my existing users. My main concerns:
> > > > > >> 
> > > > > >> 
> > > > > >> 
> > > > > >> 1/ Customize authentication method.
> > > > > >> 
> > > > > >> I need to authenticate users similar to what we currently use in our
> > > > > >> production system. In our system, users are identified by username,
> > > > > >> password and the pin.
> > > > > >> 
> > > > > >> For instance;
> > > > > >> 
> > > > > >> User -> jack, password -> pwd, pin -> 50000
> > > > > >> 
> > > > > >> User should enter all three to login to the system.
> > > > > >> 
> > > > > >> I went through the codebase and I saw that the AuthenticationManager
> > > > > >> (which is a concrete class) does all the work inside Keycloak. I managed
> > > > > >> to customize the frontend with ease; however, in order to support the
> > > > > >> pin in the backend it seems like I have to customize the
> > > > > >> AuthenticationManager class (no direct SPIs).
> > > > > >> 
> > > > > >> Although there is a link here;
> > > > > >> 
> > > > > >> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/authentication-spi.html
> > > > > >> 
> > > > > >> I can't seem to find anything here which matches the current code
> > > > > >> base (to add a new authentication method via SPIs) and the example has
> > > > > >> been removed.
> > > > > >> 
> > > > > >> 
> > > > > >> 
> > > > > >> 2/ Customize password hashes.
> > > > > >> 
> > > > > >> We have our own algorithm used to store password hashes. What should
> > > > > >> I do to add this to Keycloak?
> > > > > >> 
> > > > > >> I do not know the current passwords of the users already in our
> > > > > >> system, so when doing the migration I need Keycloak to support the
> > > > > >> current algorithm we use. Can we plug in new hashing algorithms to meet
> > > > > >> my needs?
> > > > > >> 
> > > > > >> 
> > > > > >> 
> > > > > >> Any other issues I might face?
> > > > > >> 
> > > > > >> I feel Keycloak is the right choice if the above two questions are
> > > > > >> answered. Please let me know.
> > > > > >> 
> > > > > >> _______________________________________________
> > > > > >> keycloak-user mailing list
> > > > > >> keycloak-user at lists.jboss.org
> > > > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > 
> > > > > 
> > > > > --
> > > > > Bill Burke
> > > > > JBoss, a division of Red Hat
> > > > > http://bill.burkecentral.com
> > > > > 
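The client-side steps Stian lists in the thread (generate and store a state value, redirect to the auth endpoint, exchange the code at the token endpoint with HTTP Basic client credentials) and the bearer-token check he mentions for REST endpoints (verify the JWS signature with the realm public key), worked through as an added example. This is not code from the thread or from the Keycloak project. It is written in Go with only the standard library so the RS256 verification can run offline; the same calls map directly onto PHP. The realm URL, client id, client secret, callback URI, and the assumption that the token's iss claim carries the realm URL are constructed for the example, and the endpoint paths use the 1.2-style /realms/{realm}/protocol/openid-connect/{auth,token} form. signToken mints a token under a throwaway key purely so verifyBearer can be exercised without a running server; a real client never holds the realm's private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

const ( // constructed values standing in for what keycloak.json would supply
	realmURL     = "http://localhost:8080/auth/realms/demo"
	clientID     = "php-app"
	clientSecret = "example-secret"
	callbackURI  = "http://localhost/callback"
)

// newState returns an unguessable value the app stores in its session before redirecting (step 1).
func newState() (string, error) {
	b := make([]byte, 16)
	_, err := rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b), err
}

// authURL is the redirect to the realm's auth endpoint (step 2).
func authURL(state string) string {
	q := url.Values{"client_id": {clientID}, "response_type": {"code"}, "state": {state}, "redirect_uri": {callbackURI}}
	return realmURL + "/protocol/openid-connect/auth?" + q.Encode()
}

// checkCallback returns the code only if the callback's state matches the stored one (step 3).
func checkCallback(stored, callbackQuery string) (string, error) {
	q, err := url.ParseQuery(callbackQuery)
	if err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare([]byte(stored), []byte(q.Get("state"))) != 1 {
		return "", errors.New("state mismatch: reject the callback")
	}
	return q.Get("code"), nil
}

// tokenRequest builds the form body and HTTP Basic header for the code exchange (step 4).
func tokenRequest(code string) (endpoint, body, authHeader string) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {callbackURI}}
	creds := base64.StdEncoding.EncodeToString([]byte(clientID + ":" + clientSecret))
	return realmURL + "/protocol/openid-connect/token", form.Encode(), "Basic " + creds
}

type claims struct { // subset of the token payload the bearer check needs
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

// verifyBearer checks the RS256 signature with the realm public key, then issuer and expiry.
func verifyBearer(token string, realmKey *rsa.PublicKey, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errS != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed header or signature, or alg is not RS256") // the token never picks the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(realmKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify with the realm public key")
	}
	var c claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	if c.Iss != realmURL || !now.Before(time.Unix(c.Exp, 0)) { // assumed: iss holds the realm URL; confirm on a real token
		return nil, errors.New("issuer mismatch or token expired")
	}
	return &c, nil
}

// signToken mints a token under a throwaway realm key (constructed; only so the demo can verify offline).
func signToken(c claims) (string, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	hb, _ := json.Marshal(map[string]string{"alg": "RS256"})
	pb, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hb) + "." + base64.RawURLEncoding.EncodeToString(pb)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), &key.PublicKey, err
}
```

The two checks most often skipped in hand-rolled clients are the ones in checkCallback and verifyBearer: the constant-time state comparison is what binds the callback to the login this session started, and refusing any alg other than RS256 means the token cannot select its own (or no) signature algorithm. The token request also carries redirect_uri, which OAuth2 requires whenever it was sent in the authorization request; the realm public key itself would be read from the realm settings or keycloak.json rather than generated as the demo does.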

