[keycloak-user] Keycloak integration with REST service
Marek Posolda
mposolda at redhat.com
Wed Jun 1 03:41:56 EDT 2016
On 01/06/16 03:20, Jim Dillon wrote:
> It looks like a custom User Federation Provider in needs to be created
> in order to access a REST Service for user information and an
> Authentication Provider to authenticate against a REST Service.
>
> I've looked at the example User Federation Provider that uses a static
> file and the Authentication Provider examples which enforce secret
> question / answer flow. I have a better understanding of what needs to
> be accomplished, but I'm still quite a ways from where I need to be.
>
> Can anyone point me in the direction of an example User Federation
> Provider and / or an Authentication Provider that uses a REST
> Service? (Google hasn't found any examples for me.)
>
> Is there more documentation to be found on these subjects other than
> the inline code comments, User Manual, and github based docs?
>
> Could I possibly be making it more difficult than it is, do I simply
> need to substitute http requests for file i/o in the User Federation
> Provider example?
I think yes, that's what you can to do. And I think that you don't need
to implement any Authentication Provider, really just an User Federation
Provider.
The Authentication Provider is used if you need to somehow change the
authentication flow (for example add some new form with new login
mechanism), however here you don't need it. Here the flow is like this:
1. User lands on Keycloak login page and initiates login. This is done
with the standard Keycloak login form for username/password. So you
don't need any custom Authentication provider.
2. User does not exist in Keycloak
3. Keycloak asks User storage (UserFederationManager), which will try
to lookup user in it's database and if it doesn't exists in
database, then will lookup via your UserFederationProvider. So it
will call method YourUserFederationProvider.getUserByUsername . In
this method, you are supposed to implement calling your REST API and
lookup user and then create user into Keycloak DB
4. User is authenticated - Keycloak will call
YourUserFederationProvider.validCredentials where you are supposed
to implement validation of username/password against your REST service
5. You can implement the proxy object for your user where you can
control which info exactly is retrieved from/to Keycloak DB and
which is retrieved from/to your REST service.
Note that registering user back to REST service is done via
YourUserFederationProvider.register . So always when new user is created
in Keycloak, it will call this method of your FederationProvider and you
are supposed to "register" user in your REST service too. Via the User
proxy object, you can control when your REST service needs to be updated
(for example if you implement user.setEmail in your proxy and call the
REST service here, then Keycloak will call this method and hence your
REST service always when email of some user is changed.
And btv. you can try to contact the guys from RH jboss.org team, which
did some UserFederationProvider calling REST. It's possible that your
implementation will be similar. You can try velias at redhat.com and/or
lkrzyzan at redhat.com .
Marek
>
>
> The Flow (as I understand it, please confirm / correct as needed):
>
> 1. User lands on Keycloak login page and initiates login
> 2. User does not exist in Keycloak
> 3. REST API is asked to authenticate via Authentication Provider SPI
> 4. User is authenticated
> 5. REST API is asked for user information to create user in Keycloak
> (part of this process would need to decrypt the existing password
> and then encrypt it using Keycloak's "default" method.)
> 6. User is created in Keycloak and any further authentication /
> authorization logic will remain "in house"
>
> Thank you for your time,
>
> jim
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160601/4a69fdde/attachment.html
More information about the keycloak-user
mailing list