[keycloak-user] Creation UI for new authentication schema configuration.
Michael Furman
michael_furman at hotmail.com
Sun Nov 6 11:14:22 EST 2016
Hi Bill,
Please note that RADIUS can provide the authentication service only and can not provide the user details (first name, last name, email).
Please remind that I want to configure the authentication flow as the following:
Cookie - ALTERNATIVE
Radius - ALTERNATIVE
Forms Subflow - ALTERNATIVE
Regarding your question I can see the following use cases.
1) User does not exists in the Keycloak's DB but exists in the RADIUS server. In this case the authentication against the RADIUS server will success and the user will be authenticated.
The user information will contain only the user name.
2) User exists in the Keycloak's DB and exists in the RADIUS server. In this case the authentication against the RADIUS server will success and the user will populate the user information from the Keycloak's DB.
The user information will contain the user name, first name, last name, email and other information
3) User exists in the Keycloak's DB but does not exist in the RADIUS server. In this case the authentication against the Keycloak's DB will success and the user will populate the user information from the Keycloak's DB.
The user information will contain the user name, first name, last name, email and other information.
4) User does not exist in the Keycloak's DB and does not exist in the RADIUS server. In this case the authentication will fail.
Is it possible to support it?
________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Bill Burke <bburke at redhat.com>
Sent: Sunday, November 6, 2016 5:33 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
Where is the user going to live? In Keycloak's DB? Or does Radius
store and provide info about the user?
On 11/6/16 8:38 AM, Michael Furman wrote:
> I still need a help.
> The example for the secret question is good but I need other example.
> I am in the middle of POC that will help us to understand if we can use Keycloak in our production.
> It contains a lot of aspects (creating of other authenticators, creating of our own UI over Keycloak etc.).
>
> In this thread I just want to create the authenticator that will take a user name and a user password and will authenticate against a Radius server.
> If it will fails, the default UsernamePasswordForm authenticator should handle the authentication.
>
> I will really appreciate if somebody will help me with the following questions.
>
>
> 1. Do you have the example that shows how to create simple user name and password authenticator?
> 2. How can I configure the authentication provider via REST API?
> Will be generated configuration Rest API automatically?
>
> 3. I have created the simple authenticator that overrides UsernamePasswordForm.
> It appears in UI.
> Unfortunately the request does not come to my implementation.
> What I have missed?
> I have opened bug and attached sources: https://issues.jboss.org/browse/KEYCLOAK-3867
>
> Best regards,
> Michael
>
>
>
>
> ________________________________
> From: Thomas Darimont <thomas.darimont at googlemail.com>
> Sent: Sunday, November 6, 2016 11:42 AM
> To: Michael Furman
> Cc: Stian Thorgersen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> Hello Michael,
>
> if you want to create a custom browser flow by copying the original browser flow you need to bind your custom browser flow
> on the "Authentication -> Bindings" tab where you link your custom browser flow to be used as "the" browser flow.
>
> Cheers,
> Thomas
>
> 2016-11-06 10:33 GMT+01:00 Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>>:
> Hi Stian,
> I was able to add the authentication provider in 2.3.0 but only to the copied flow.
>
> 1. Why I can not add the execution to the Browser flow?
> If I copy the browser flow (and call it Browser2 flow) what flow will be default for the browser authentication?
> How can I configure the new Browser2 flow will be default for the browser authentications?
> 2. Will be generated Rest API for the configuration of the authentication provider?
> How can I configure via REST API.
>
>
> Best regards,
> Michael
>
>
>
> ________________________________
> From: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com>>
> Sent: Friday, November 4, 2016 7:52 AM
> To: Stian Thorgersen
> Cc: Michael Furman; keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> FIY we did check this example for 2.3.0.CR1 release so I doubt it's broken
>
> On 4 November 2016 at 06:51, Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com><mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>>> wrote:
> I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it? See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md
[https://avatars0.githubusercontent.com/u/4921466?v=3&s=400]<https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md>
keycloak/keycloak<https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md>
github.com
keycloak - Open Source Identity and Access Management For Modern Applications and Services
>
> On 3 November 2016 at 20:14, Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com><mailto:michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>>> wrote:
>
> Hi,
>
> Unfortunately I can not deploy the example authentication provider to Keycloak
>
>
> Who can help?
>
>
> I have compiled authenticator-required-action-example from the examples.
> I copied the provider jar into the “standalone/configuration/providers” directory according to the document:
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
>
> Unfortunately Keycloak does not recognize the provider.
> Than I have copied it to the “providers” folder under the root Keycloak folder.
> Also without success .
>
>
> I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
>
>
> Best regards,
>
> Michael
>
>
>
> ________________________________
> From: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com><mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>>>
> Sent: Tuesday, November 1, 2016 11:08 AM
>
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> On the config for the authenticator. Please look at the docs and also the example it explains this pretty well.
>
> On 31 October 2016 at 13:47, Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com><mailto:michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>>> wrote:
> Thanks,
> Where I will see the generated UI?
> On the authentication page?
> http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
> Also, can I add / update the authenticator configuration via REST API?
> http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
> Thank you in advance for your help.
> Best regards,
> Michael
>
>
> ________________________________
> From: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com><mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>>>
> Sent: Monday, October 31, 2016 8:00 AM
>
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> Configuration UI is generated based on what's returned by the getConfigProperties method
>
> On 30 October 2016 at 12:28, Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com><mailto:michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>>> wrote:
> Thanks Stian,
> I will happy for the additional clarifications.
> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
Authentication SPI | Server Developer Guide<https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html>
keycloak.gitbooks.io
Authentication Flow. A flow is a container for all authentications that must happen during login or registration. If you go to the admin console authentication page ...
> I think that the following is relevant:
>
> The next few methods define how the Authenticator can be configured.
> …
> The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.
>
> But according to my understanding the configuration should appear in the Authenticator configuration UI.
> Therefore, how should I create the UI?
>
> Additional question: will the new Authenticator appear in Authentication Flows:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
Authentication Flows | Server Administration Guide<https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html>
keycloak.gitbooks.io
An authentication flow is a container for all authentications, screens, and actions that must happen during login, registration, and other Keycloak workflows.
> Will I be able to configure Required / Optional / Disabled for the new the new Authenticator?
> Thank you in advance for your help.
> Best regards,
> Michael
>
>
> ________________________________
> From: Stian Thorgersen <sthorger at redhat.com<mailto:sthorger at redhat.com><mailto:sthorger at redhat.com<mailto:sthorger at redhat.com>>>
> Sent: Thursday, October 27, 2016 9:57 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.
>
> On 26 October 2016 at 17:08, Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com><mailto:michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>>> wrote:
> Hi all,
> I want to add support for the new authentication schema.
> How can I add UI for new authentication schema configuration?
> For example, I want to add the TACACS authentication schema.
> Therefore I need to configure the TACACS server IP and the secret.
> May be I have missed but I can not find it here:
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
Authentication SPI | Server Developer Guide<https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html>
keycloak.gitbooks.io
Authentication Flow. A flow is a container for all authentications that must happen during login or registration. If you go to the admin console authentication page ...
>
> Thank you in advance for your help.
> Best regards,
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org><mailto:keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
>
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
keycloak-user Info Page - JBoss Developer<https://lists.jboss.org/mailman/listinfo/keycloak-user>
lists.jboss.org
To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ...
More information about the keycloak-user
mailing list