[keycloak-user] Custom authentication

Vagelis Savvas vagelis.savvas at gmail.com
Wed Nov 14 02:50:41 EST 2018


Thanks a lot, Dmitry!
Your explanation sounds pretty straightforward, and I'll go about 
implementing it soon and keep you up to date with feedback.
Cheers,
Vagelis

On 14/11/2018 05:02, Dmitry Telegin wrote:
> Hello Vagelis,
>
> Here's the outline of the solution as I see it:
> - you'll need a custom authenticator; this could be either a Script authenticator or a Java-based one (Authentication SPI [1]);
> - you'll need to modify or supply your own login page. The easiest way is to use a Theme Resource JAR [2];
> - next, you need to decide how you would store role secrets. I'd recommend using the same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see org.keycloak.credential.*);
> - then, you should establish a 1-to-1 association between roles and secrets. You can use CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that;
> - or, maybe better, introduce your own entity [3] for that association, because CREDENTIAL_ATTRIBUTE.VALUE doesn't have an index, so queries will be slow;
> - finally, you need a mechanism to manage your role secrets. If you want to use the Admin console GUI for that, you'll need to implement a REST endpoint [4] and your custom GUI theme [5].
>
> So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR. As always, I'd recommend my BeerCloak project [6] as a reference, since it contains many of the above.
>
> Feel free to ask questions, and good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
> [2] https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource
> [3] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> [4] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [5] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
> [6] https://github.com/dteleguin/beercloak
>
> On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote:
>> Hello,
>> I'd like some advice on how to go about implementing the following
>> custom authentication scenario:
>>    - Besides the standard username and password, a user optionally
>> provides one more secret in the login screen.
>>    - The secret is associated with a realm role (one to one) by the realm
>> admin, and if it matches, the user is dynamically added to the corresponding
>> role.
>>    - If the secret isn't provided, the user is authenticated normally and
>> gets whatever roles he is assigned, as in the default behavior.
>>
>> Of course I would like to avoid implementing an SPI for that :-) but if
>> it is not possible to avoid it, I'd appreciate any insights and advice.
>> I admit I haven't carefully read the relevant SPI extension docs yet,
>> hoping that there is some way of doing it without an SPI extension.
>>
>> Cheers,
>>
>> Vagelis
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
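Below is the authenticator piece of Dmitry's outline, written up as an added example; it is not from this thread or from BeerCloak. It is a Keycloak 4-era Java Authenticator that reads the optional role secret from the same login POST as the username and password, verifies it against a salted PBKDF2 hash in constant time, and grants the matching realm role. The form field name `role_secret`, the `RoleSecretStore` interface and its `{salt, hash}` contract are assumptions standing in for the Credentials or JPA-entity storage recommended above; the AuthenticatorFactory and the custom login page are not shown.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
public class RoleSecretAuthenticator implements Authenticator {
    /** Hypothetical lookup over the secret storage (Credentials or a custom JPA entity): {salt, hash} or null. */
    public interface RoleSecretStore { byte[][] saltAndHash(RealmModel realm, RoleModel role); }
    static final String FIELD = "role_secret"; // assumed name of the extra field on the custom login page
    static final int ITERATIONS = 27_500;      // PBKDF2 iteration count Keycloak used for passwords at the time
    private final RoleSecretStore store;
    public RoleSecretAuthenticator(RoleSecretStore store) { this.store = store; }

    @Override public void authenticate(AuthenticationFlowContext context) {
        // Same POST that carried username/password, so the optional field is still among the form parameters.
        String secret = context.getHttpRequest().getDecodedFormParameters().getFirst(FIELD);
        // No secret supplied: ordinary login, the user keeps exactly the roles already assigned.
        if (secret == null || secret.isEmpty()) { context.success(); return; }
        RoleModel matched = null;
        // Check every role with a secret instead of stopping at the first hit: timing then does not reveal
        // which role a guessed value belongs to, and MessageDigest.isEqual keeps the comparison constant-time.
        for (RoleModel role : context.getRealm().getRoles()) {
            byte[][] stored = store.saltAndHash(context.getRealm(), role);
            if (stored == null) continue; // this role has no secret configured
            if (MessageDigest.isEqual(stored[1], pbkdf2(secret, stored[0], stored[1].length))) matched = role;
        }
        // A wrong secret is a failed credential that ends the login; it is not silently ignored.
        if (matched == null) { context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); return; }
        if (!context.getUser().hasRole(matched)) context.getUser().grantRole(matched); // dynamic role assignment
        context.success();
    }

    static byte[] pbkdf2(String secret, byte[] salt, int lengthBytes) {
        try {
            PBEKeySpec spec = new PBEKeySpec(secret.toCharArray(), salt, ITERATIONS, lengthBytes * 8);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    @Override public void action(AuthenticationFlowContext context) { }      // renders no form of its own
    @Override public boolean requiresUser() { return true; }                 // must run after the user is identified
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Register it through an AuthenticatorFactory and place it as a REQUIRED execution directly after the Username Password Form in a copy of the browser flow, so it runs in the same request that validated the password.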
