Tags: spring-security-oauth2, openid-connect, keycloak, openid-provider

Creating an OpenID Connect identity provider to secure REST APIs


I am having trouble finding an effective solution for the following requirements.

a. For an iOS/Android user to be able to register to our app, with a custom signup process because photo ID will be required.

b. If approved, sign in using the created account and have access to backend APIs (made in Spring Boot).

c. No external identity provider such as Facebook or Google is allowed.

The best product I have found that fits our microservices design is Keycloak. However, the documentation is really lacking and I have found no good examples of this being implemented.

[Screenshot: creating a Keycloak identity provider]

So I have gone through some configuration with Keycloak with AeroGear for iOS and have the following questions.

  1. As this is not basic authentication, I believe the flow needed is the Authorization Code Flow. However, the documentation says "These IDPs must support the Authorization Code Flow". But what does this mean, as this is not in the Keycloak settings anywhere?

  2. Where will the users be stored once they have gone through this flow: inside Keycloak or in an external database?

  3. Currently the flow is set to "first broker login", but this gives an error on the app: invalid redirect URL.


Solution

  • I am working on a similar use case currently. I have 4 different authentication methods. I am trying to develop a custom user federation and a custom identity provider. I do not have much experience with Keycloak, but I can suggest my opinions.

    Check Keycloak Custom User Federation

    It means using a different datasource (or process) for the Keycloak username/password login.

    see =>

    1. http://www.keycloak.org/docs/3.0/server_development/topics/user-storage/simple-example.html
    2. https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c

    Check Custom Identity Provider

    It means delegating the authentication process to an external identity provider.

    If I understood your use case correctly, you want to manage the authentication process yourself (with a custom page or custom flow).

    If I understood correctly, you need to delegate the authentication process to your custom service. So you need to develop a custom provider (or a small fake provider service) and you need to configure this provider in Keycloak as OpenID Connect.

    For 1 => Yes, you will use the Authorization Code Flow. You can read about OpenID Connect on the official page, but I suggest that you check this page: https://connect2id.com/learn/openid-connect. After reading this, you can clearly understand OpenID Connect and the Authorization Code Flow.

    There are two main methods (service endpoints) (there for original providers) for creating an Authorization Code Flow:

    • /auth
    • /token You will see the required parameters in the link.

    When you configure these service endpoint URLs in Keycloak (see => http://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html)

    Keycloak will show you a button on the login page. With this button, Keycloak will redirect to your /auth service endpoint with the required parameters like redirect_url, scope, etc. (You need to store these parameters in a session or a cache because they will be needed in the next step of the Authorization Code Flow.) Now you can apply your custom authentication process.

    After your process (if the user is valid), you need to create a code (it must be unique, like a UUID, and you need to store your authentication information in a cache or a map => the key is the code, the value is your data). You need to respond with a redirect (302 or 303) to redirect_url with the authentication code and state parameters. (You need to store this code; it will be required.)

    After the redirect, Keycloak directly calls your /token endpoint with parameters like code, client_id, client_secret... (client_id and client_secret are for your provider's security; you will understand after reading the link.)

    You need to match your authentication data using the code and you must respond with a 200 message that contains access_token and refresh_token (in JWT format); see the link again.

    If you create this flow right, Keycloak will accept your user and authenticate them in its own context.

    For 2 => You will select First Login Flow while you are configuring the identity provider (OpenID Connect). It means that when Keycloak does not contain the user, it accepts this user, but it will ask you for required information like firstname, email, lastname. You can send firstname and lastname in the access_token (as claims in the JWT => in the access_token response).

    Keycloak will insert this user into its own database.

    For 3 => I get the invalid redirect URL exception when I configure a wrong redirect URL. Make sure that your application domain address is the same as the configured client address.

    I hope this information is useful to you.
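The answer above describes the provider side of the Authorization Code Flow in prose: Keycloak sends the browser to /auth with a redirect URL and state, the provider redirects back with a code, and Keycloak's back-channel call to /token exchanges that code for tokens. The following is an added example (not from the answer, Keycloak, or AeroGear) that models both endpoints as plain functions using only the Python standard library, so the whole exchange can be stepped through offline. Everything in it is a constructed placeholder: the client id `keycloak-broker`, its secret, the redirect URI, the issuer and the user record. Two details go beyond the answer's wording and are worth noting for anyone building the "small fake provider service": the standard parameter name is `redirect_uri`, and a provider should refuse outright (rather than redirect) when the `redirect_uri` is not one registered for the client, which is the same class of problem as the "invalid redirect url" error in question 3. The codes are unguessable, bound to the client and redirect URI they were issued for, single-use and short-lived, and the tokens are HS256 JWTs keyed with the client secret, which OpenID Connect permits for confidential clients (a production provider would normally publish RS256 keys via a JWKS endpoint instead).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed registration: Keycloak (the broker) is the *client* of this provider. Placeholder values.
BROKER_REDIRECT = "https://keycloak.example/realms/demo/broker/custom/endpoint"
REGISTERED_CLIENTS = {
    "keycloak-broker": {"secret": "example-client-secret", "redirect_uris": {BROKER_REDIRECT}},
}
ISSUER = "https://idp.example"  # placeholder issuer of the tokens
CODE_TTL_SECONDS = 60           # codes are short-lived as well as single-use


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_jwt(claims: dict, key: str) -> str:
    """Compact HS256 JWT (header.payload.signature), keyed with the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: str) -> dict:
    """Verify the HS256 signature and return the claims (what the broker does with id_token)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def parse_redirect(url: str) -> dict:
    """Split a redirect URL into its base and query parameters (the broker's view on return)."""
    base, _, query = url.partition("?")
    return {"base": base, **{k: v[0] for k, v in parse_qs(query).items()}}


class CustomProvider:
    """In-memory model of the two endpoints Keycloak calls on a brokered OIDC provider."""
    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # code -> (client_id, redirect_uri, user claims, issued_at)

    def authorize(self, query: str, user: Optional[dict]) -> str:
        """/auth: Keycloak sends the browser here; returns the URL to redirect it back to."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = REGISTERED_CLIENTS.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")  # never redirect blindly
        if q.get("response_type") != "code" or "state" not in q:
            raise ValueError("response_type=code and state are required")
        if user is None:  # the custom sign-in (e.g. photo-ID check) did not pass: no code issued
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(32)  # unguessable; the dict entry is what makes it single-use
        self._pending[code] = (q["client_id"], q["redirect_uri"], user, self.now())
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        """/token: Keycloak's back-channel POST exchanging the code for tokens."""
        client = REGISTERED_CLIENTS.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self._pending.pop(form.get("code"), None)  # pop: a code can be redeemed once
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        client_id, redirect_uri, user, issued_at = entry
        if client_id != form["client_id"] or redirect_uri != form.get("redirect_uri"):
            raise ValueError("invalid_grant: code was issued to another client/redirect_uri")
        if self.now() - issued_at > CODE_TTL_SECONDS:
            raise ValueError("invalid_grant: code expired")
        now = int(self.now())
        base = {"iss": ISSUER, "sub": user["sub"], "aud": client_id, "iat": now, "exp": now + 300}
        profile = {k: user[k] for k in ("given_name", "family_name", "email")}  # what First Login Flow asks for
        return {"token_type": "Bearer", "expires_in": 300,
                "access_token": make_jwt({**base, "scope": "openid"}, client["secret"]),
                "id_token": make_jwt({**base, **profile}, client["secret"]),
                "refresh_token": secrets.token_urlsafe(32)}


def run_flow(now=time.time) -> dict:
    """Drive both sides of the exchange once and return the id_token claims the broker would see."""
    idp = CustomProvider(now)
    state = secrets.token_urlsafe(16)  # the broker generates state and checks it on return
    query = urlencode({"response_type": "code", "client_id": "keycloak-broker", "scope": "openid",
                       "redirect_uri": BROKER_REDIRECT, "state": state})
    user = {"sub": "user-42", "given_name": "Ada", "family_name": "Lovelace", "email": "ada@example.org"}
    back = parse_redirect(idp.authorize(query, user))
    assert back["base"] == BROKER_REDIRECT and back["state"] == state
    resp = idp.token({"grant_type": "authorization_code", "code": back["code"], "redirect_uri": BROKER_REDIRECT,
                      "client_id": "keycloak-broker", "client_secret": "example-client-secret"})
    return verify_jwt(resp["id_token"], "example-client-secret")
```

`run_flow()` plays the broker's part as well, so the profile claims (`given_name`, `family_name`, `email`) that the answer says First Login Flow will ask for come back in the verified `id_token`. The `_pending` map is the "cache or map keyed by code" from the answer; in a real deployment it would live in a shared store with an expiry, since the /auth and /token requests may hit different instances.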