I want to use keycloak as a broker server for Identity and Access Management and I don't want to use login screen provided in keycloak as I have different clients like Android, IOS and web application using the same backend server.
I wan't to know if it is possible to create user, accept terms and conditions, send two factor authentication using SMS, have custom fields in login like adding adress using a POSTMAN/ RESTFul API. I know keycloak have provided API guide but they have not included anything about accepting terms and conditions, adding SMS based validations.
Following would be an opinion based question but, if these features are not available in keycloak, what are the other identify broakers I can use and it should be open source with capability to use my own database.
Edit:
I have checked auth0.com, okta/ stormpath but they are not open source and for custom database like in auth0 its requires enterprise edition.
Related
I have an Admin Dashboard React Bootstrap Template and I want to create the backend for it.
I have built a separated REST API on a separate port using Spring that queries a Postgres DB. The frontend just fetches the API.
The problem is that I want to have different user roles: different Navbar items, different page content, etc. based on permissions/role.
I've tried using spring-security and it works when accessing API, but I don't know how to connect it to the front.
How can I implement RBAC for a separate React Front, Spring API Back web app?
Spring Security doesn't have any direct support for front-ends, though Spring does have a few blog posts that describe how a JavaScript front-end can coordinate with a Spring Security-protected back-end.
The key insight is a /user endpoint for transmitting the user's details to the front-end.
TL;DR
Objective: Java authorization server:
OAuth2.0 authorization code grant flow with fine-grained permissions (not a mere SSO server)
User management and authentication: custom database
Client management and authentication: Keycloak
Questions: What are the best practices for implementing a Java authorization server with applicative permissions handling backed on Keycloak?
What Keycloak adapter/API should I use in my development?
How should the users be managed/appear in Keycloak if they are to appear at all?
Forewarning
I am quite the beginner with Keycloak and, though I think I understand the main principles, it seems to be a rich tool and I fear I may still be mistaken about some aspects of the best ways to use it. Please do not hesitate to correct me.
Context
We are looking at implementing an API requiring our users (henceforth "users") to grant permissions to third party applications (henceforth "clients").
Our users are stored in a custom existing database-based user management system. As for our clients, we are thinking of using Keycloak.
The users consent will be given using an OAuth2.0 Authorization code grant flow. They will log in, specify which permissions they grant and which they deny, and the client then retrieves the access token it will use to access the API.
It is my understanding that Keycloak can handle the authorization token but it should not know anything applicative, which our permissions are. As a consequence, I thought of building a custom authorization server which will use Keycloak for all identity/authentication problems but will handle the applicative permissions by itself.
Then, we will use Keycloak for client authentication and authorization code/access token management, and an applicative part will check the permissions.
Problem
Besides my first experimenting, I've been roaming the Internet for a week now and I'm surprised as I thought this would be quite a standard case. Yet I found next-to-nothing, so maybe I'm not searching correctly.
I've found many Spring/Spring Boot tutorials1 on how to make a "simple authorization server". Those are mainly SSO servers though, and few do manage permissions, with the exception of those mentioned in this SO answer2. That I think we can deal with.
The real problem I have, and that none of the tutorials I have found are treating, is the following:
How do I integrate Keycloak in this authorization server?
I've been having a look at the available Java Adapters. They look OK when it comes to authenticate but I did not see hints about how to manage clients from a custom authorization server (ie administer the realm).
I therefore suppose I should use the admin API. Am I correct and is it good practice? I saw no adapter for that, so I suppose I should then use the REST API.
I also wonder how we should integrate our users in design? Should they be duplicated inside Keycloak? In this case, should we use Keycloak's admin API to push the data from the authorization server or is there a better way?
Finally, am I missing some other obvious point?
Sorry for the long message and the many questions, but it all boils down to one question in the end:
What are the best practices when building an authorization server using Keycloak as a backbone?
1. Some examples:
Spring Boot OAuth2 tutorial -
A blog post -
Another blog post
2. I've mainly focused on the sample app provided by Spring Security OAuth
Building Java OAuth2.0 authorization server with Keycloak
This is possible but is bit tricky and there is lot of thing which needs to be customised.
You can derive some motivation from below repo.
keycloak-delegate-authn-consent
Building custom Java OAuth2.0 authorization server with MITREid
If you are open to use other implementations of Oauth and OIDC,I can suggest you MITREid which is referrence implementation of OIDC and could be customized to a great deal.Below is the link to its repo and its open source.
I myself used this to requirement similar to yours and it is highly customizable and easy to implement.
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
MITREid Connect uses Spring Security for its authentication, so you can put whatever component you like into that space. There are lots of good resources on the web about how to write and configure Spring Security filters for custom authentication mechanisms.
You'll want to look at the user-context.xml file for where the user authentication is defined. In the core project this is a simple username/password field against a local database. In others like the LDAP overlay project, this connects to an LDAP server. In some systems, like MIT's "oidc.mit.edu" server, there are actually a handful of different authentication mechanisms that can be used in parallel: LDAP, kerberos, and certificates in that case.
Note that in all cases, you'll still need to have access to a UserInfo data store somewhere. This can be sourced from the database, from LDAP, or from something else, but it needs to be available for each logged in user.
The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application and its configuration files are found in openid-connect-server-webapp/src/main/webapp/WEB-INF/ and end in .xml. The configuration has been split into multiple .xml files to facilitate overrides and custom configuration.
Let's say I have a simple application.
How to set up OAuth2 to allow another application to access to some parts of my application.
For example, when devs want to use the Facebook API, they use the Facebook API User interface that generate Client id, client secret etc.
So, this is what i want my website do. provide client credentials when they request them.Not necessary by building an UI but programmatically (JAVA).
In other words, what is the stack behind the facebook API OAuth UI ? Is there a simple framework to set it up quickly and easily ?
thank you
There are lots of frameworks for setting up OAuth in a Java application. I would recommend having a look at Spring Boot, for example.
I am building two separate project , Rest services using spring 4.0 and a dynamic website using ZK and Spring .
I want to secure both Rest Services and the Website so user need to be authorized before browsing the website or requesting the Rest Services .
I am wondering if we can have one place for authorization , is this possible and how to share the identity of user between both sites ?
I am thinking of Shiro ?
Any Ideas
BR
Shahbour
Check out Spring Security, it integrates really easily with Spring (as the name would suggest). As far as how to keep user signed in across both apps, there are a few options. The simplest would probably be to have a central database where user information is stored that both apps can access. Add Spring Security to both apps. Web app would require user to authenticate and then any time it calls the REST service it provides current user's username/password. REST service would accept username/password and authenticate the user again. This approach would also work if you ever wanted to use your REST services directly without your Web UI.
We will be creating a web application in java.
For User Authentication currently we are using LDAP. But we want to have some other options like application level authentication (from database) , gmail, facebook etc.
Somewhat similar to what stack overflow has on login page.
We will be maintaining a properties file which will consist of all the available options for authentication like LDAP, facebook, gmail etc.
If we want to add one more authentication service we will add it in this properties file and then we will need to add helper file which will do the actual work of doing the authentication.
This should be highly customizable.
I have following questions regarding this,
1) What is the best way to go about this?
2) How to do third party authentication like google, facebook etc?
PS: When we do the authentication using gmail etc, we will need some basic information back to our application which we can use.
One popular solution is Spring Security (which used to be called Acegi). It has various backend authentications and handles openID and LDAP. You could use it with the openID selector mentioned by Abdel. If you google around you can find various plugins to connect with different backend authenticators, including JAAS.
Stackoverflow (Stackexchange) is using a modified version of openid-selector. It is highly customizable and you can add your own selectors as well.
You can authenticate with google, facebook, and other social networking sites using openID or OAuth mechanism. You can make use of many libraries available for java.Have a look at openid4java. You can also refer to this list for libraries as well.
You can get some basic information (Name, Email, Photos etc) from Google, Yahoo or other openid providers.