[keycloak-user] Custom Social Login, cache access_token, Enterprise Wechat

kkzxak47 kkzxak47 at gmail.com
Fri Aug 2 02:50:32 EDT 2019


Fine, I think I found the way to hack two sessions on the same login page.

If you click the "WechatWork" button using JavaScript, your left-side
username/password form will no longer work, because they share the same
session and the social login button will change your status. So I grabbed
the current URI `window.location.href`, changed the `state` query parameter,
and invoked the social login button in an iframe. Then the left-side
username/password form and the right-side social login will not share the same
session; they will both be valid.

BTW I have documented my experience on my blog:
https://www.kkzxak47.com/2019/07/30/%e4%bd%bf%e7%94%a8%e4%bc%81%e4%b8%9a%e5%be%ae%e4%bf%a1%e7%99%bb%e5%bd%95keycloak/.
(Well, it's in Chinese, you may need Google Translate :)
I think I have finally achieved what I needed. I believe what I did here is
"Rubber Duck Debugging": talking to a phantom audience, you get help
from yourself 😂.
Let me know if you need help in similar cases.

Victor.

kkzxak47 <kkzxak47 at gmail.com> wrote on Fri, Aug 2, 2019 at 11:45 AM:

> Alright then. I think I will follow this thread myself to provide relevant
> information for people who want to implement similar provider plugins in
> the future.
>
> So I have managed to implement a customized social login identity provider
> alongside Twitter / Google and others. It's working just fine. You visit
> one of the company apps, and it redirects you to Keycloak. There you use
> the WeChat Work IdP to log in to Keycloak. Then Keycloak would redirect you
> back to the app. You have logged in. Perfect.
>
> Now there is another question: instead of a link to click that shows a QR code
> for login, is it possible to integrate that QR code directly into the login
> page of Keycloak? I tried to use JavaScript to open a new page (I want both
> username/password and the QR code available on the same page) and "click" the
> "zocial-wechat-work" link and open that QR code web page in an iframe, but
> instead of redirecting me back to the app I am visiting (which the original
> link would do), it puts me in the Keycloak user panel after login.
>
> I think my hack is heading into a dead end; is there a better way to achieve
> this, i.e. making "username/password" and a "3rd-party QR code login"
> available on the same login page?
>
> kkzxak47 <kkzxak47 at gmail.com> wrote on Fri, Jul 26, 2019 at 10:17 PM:
>
>> I managed to get Infinispan running in my customized identity provider, but
>> apart from the predefined caches, I am not able to add a new cache;
>> the error reads:
>> ```
>> 21:59:01,683 ERROR [org.jboss.as.controller.management-operation]
>> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address:
>> ([("deployment" => "keycloak-server.war")]
>> ) - failure description: {
>>     "WFLYCTL0412: Required services that are not installed:" =>
>> ["org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso"],
>>     "WFLYCTL0180: Services with missing/unavailable dependencies" => [
>>         "jboss.naming.context.java.module.auth.auth.ModuleName is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.app.auth is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.module.auth.auth.Validator is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>
>> "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor
>> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.concurrent.ee.context.config.auth.auth is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.deployment.discovery.\"keycloak-server.war\" is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.module.auth.auth.InAppClientContainer
>> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.app.auth.AppName is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.module.auth.auth.InstanceName is
>> missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.module.auth.auth is missing
>> [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>         "jboss.naming.context.java.module.auth.auth.ValidatorFactory is
>> missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]",
>>
>> "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service
>> is missing [org.wildfly.clustering.infinispan.cache.keycloak.xsyxsso]"
>>     ]
>> }
>> ```
>>
>> How can I set up a new cache in Infinispan? What are the proper steps to
>> create it?
>>
>> kkzxak47 <kkzxak47 at gmail.com> wrote on Thu, Jul 25, 2019 at 10:56 AM:
>>
>>> Hi,
>>>   I'm building an SSO service for my company (~1000 employees).
>>>   After investigation I decided to adopt Keycloak as the core component.
>>>   We are using WeChat Work as our IM tool (https://work.weixin.qq.com/);
>>> the employee DB is based on its Contacts. So it's natural to integrate it as a
>>> social login into the Keycloak SSO service.
>>>   In the process of implementing the 'WechatIdentityProvider' and
>>> 'WechatIdentityProviderFactory' classes I encountered some trouble.
>>>   Just like Twitter / Google and other providers, parts of WeChat Work's
>>> OAuth2 flow are not aligned with the standard. For example, the process of
>>> retrieving the access_token is relatively independent of the rest of the OAuth2
>>> code flow; the access_token is valid for 7200 seconds, and its API is limited to
>>> 2000 calls per day for a single client. We are forced to cache a
>>> global access_token for each client. I noticed that Keycloak is heavily
>>> using Infinispan. My question is: can I use it for caching the access_token too?
>>> Is it safe to do so? What is your recommendation?
>>>   And I'm working with version 6.0.1 in standalone mode; is that
>>> appropriate?
>>>
>>>   My main programming language is not Java, by the way. I learned it ~10
>>> years ago and Spring is new to me. So I'm still learning. It would be of great
>>> help to get relevant documentation links or code snippets, thanks!
>>>
>>>
>>> Victor
>>>
>>

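The access_token caching problem raised in the first message of the thread (a provider-global token valid for 7200 seconds, issued by an endpoint with a 2000-calls-per-day quota), as an added example that is not code from the original posts or from Keycloak. It is written in JavaScript so it runs stand-alone; the logic is the same whether the Java provider keeps the token in an Infinispan cache or a plain in-memory map. `fetchToken` and `now` are injected (assumed names), and `fakeProvider` is a constructed stand-in for the real token endpoint, so the block runs offline against a fake clock.

```javascript
// Added example, not code from the original posts or from Keycloak: a
// process-wide cache for a provider-global access_token that lives for a fixed
// time (7200 s in the thread) and whose issuing endpoint has a daily quota.
// `fetchToken` and `now` are injected, so this runs offline against a fake clock.
class AccessTokenCache {
  constructor(fetchToken, { now = () => Date.now(), refreshMarginMs = 5 * 60 * 1000 } = {}) {
    this.fetchToken = fetchToken;           // async () => ({ access_token, expires_in })
    this.now = now;                         // ms clock, injectable for tests
    this.refreshMarginMs = refreshMarginMs; // refresh this long before hard expiry
    this.token = null;
    this.expiresAt = 0;                     // ms timestamp of hard expiry
    this.inflight = null;                   // the one refresh shared by concurrent callers
    this.refreshes = 0;                     // refresh attempts, i.e. quota consumed
  }

  // A token is usable only if it will still be valid after the safety margin,
  // so a request started now does not see the token expire mid-flight.
  isFresh() {
    return this.token !== null && this.now() + this.refreshMarginMs < this.expiresAt;
  }

  async get() {
    if (this.isFresh()) return this.token;
    // Single-flight: while a refresh is running, every caller awaits the same
    // promise, so a burst of logins costs one call against the daily quota,
    // not one call per login.
    if (this.inflight === null) {
      this.inflight = this.refresh().finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }

  async refresh() {
    this.refreshes += 1;
    const res = await this.fetchToken();
    if (typeof res.access_token !== 'string' || !Number.isFinite(res.expires_in)) {
      throw new Error('provider returned no usable token');
    }
    this.token = res.access_token;
    this.expiresAt = this.now() + res.expires_in * 1000;
    return this.token;
  }

  // Call when the provider rejects the cached token (e.g. revoked server-side).
  invalidate() {
    this.token = null;
    this.expiresAt = 0;
  }
}

// Constructed stand-in for the provider's token endpoint: hands out a new
// token on every call and counts calls so quota use is visible.
function fakeProvider() {
  let calls = 0;
  return {
    calls: () => calls,
    fetchToken: async () => {
      calls += 1;
      return { access_token: `token-${calls}`, expires_in: 7200 };
    },
  };
}
```

Two design points worth keeping when porting this into the Java provider: the refresh margin means a token is replaced a few minutes before the provider's 7200 s expiry rather than at it, and the single-flight promise is what stops a morning login burst from spending the quota one call per user. A cache held in one JVM is per node; in a clustered Keycloak, a replicated Infinispan cache is what makes it provider-global across nodes.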
