直接访问授权使用外部身份提供商(IDP)的KeyCloak

huangapple go评论98阅读模式
英文:

Direct Access Grant with KeyCloak using external Identity Provider (IDP)

问题

我想使用“直接访问授权”(Direct Access Grant)来对接 KeyCloak 进行身份验证:https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants

当 KeyCloak 自行管理用户和密码时,这项功能效果非常好。

但是,我的情况有所不同:

我希望 KeyCloak 充当某个外部 IDP 的代理。KeyCloak 具有身份代理功能,但仅在“授权码流”(Authorization Code flow)中起作用,将用户重定向到外部 IDP 登录表单。
我有一个移动应用程序,希望使用“直接访问授权”,以便应用程序与 KeyCloak 进行通信以对用户进行身份验证 - 然后 KeyCloak 作为代理,在外部 IDP 中对该用户进行身份验证(使用 openid-connect)。

如何实现这种情况?我知道这在现有功能中不可能实现,但也许有人可以指导如何编写 KeyCloak 的扩展来实现这种情况呢?

英文:

I would like to authenticate against KeyCloak using "Direct Access Grant": https://www.keycloak.org/docs/latest/server_admin/index.html#resource-owner-password-credentials-grant-direct-access-grants

I works like a charm when keycloak manages users and passwords on its own.

But, my scenario is different:

I would like keycloak to act a Broker to some external IDP. KeyCloak has identity brokering feature - but in only works in "Authorization Code flow" - redirecting user to external IDP login form.
I have mobile app and would like ot use "direct access grant" - so that app comunicates with keycloak to authenticate user - and keycloak, as a broker, authenticates this user (using openid-connect) in external IDP

How to achieve such scenario ? I know that it is not possible out of the box - but maybe somebody could advice how write an extension to keycloak do make this scenario possible ?

答案1

得分: 8

无论您试图以这种方式实现什么,都直接违反了OAuth和OpenID Connect的设计初衷。使用访问令牌的整个概念是允许某个依赖方(例如移动应用程序)代表用户与服务进行交互,而不必看到用户的凭据(如密码)。

想象一下,假设您有手机上的某个应用程序。它可以利用Google的某些服务。为了这样做,它会提供给您使用Google登录并授予该应用程序访问权限的选项。现在,您是否想通过将您的Google电子邮件和密码直接输入应用程序来这样做?当然不是。那样可能会使它完全控制您的Google帐户,其他应用程序和使用您的Google身份的网站,可能还包括允许您通过Google钱包支付的服务... 简单地将您的Google登录信息交给某个手机应用程序将是不明智的。

因此,使用OAuth2或OpenID Connect,您可以使用授权代码流或隐式流,使用户被重定向到身份提供者(在我们的示例中是Google),他们将完成登录过程,然后身份提供者将重定向回应用程序或网站,并提供可交换为令牌或者对于隐式流程来说是令牌本身的授权代码。

现在,当它是您自己的应用程序和您自己的身份提供者(例如Keycloak),它们都在您的控制之下,实际上并不重要。您可以使用直接授权,只需让用户在应用程序中输入他们的用户名和密码,因为您知道它并不试图窃取用户凭据以恶意使用您的服务。它们都在您的控制之下。在这种情况下,OAuth或OIDC有点过于复杂,但您可以为直接授权(您自己的应用程序)和授权代码流(使用您的服务的第三方应用程序)设置单独的客户端。然而,当您想要使用Keycloak身份代理时,外部身份提供者(如Google或Facebook)不会提供直接授权,并邀请应用程序窃取其用户的凭据。因此,您将无法以这种方式与它们进行交互。

根据您试图实现的目标,您可能会在令牌交换过程中找到一些用途。然而,如果您的想法是要求用户在应用程序中使用其外部身份提供者的凭据登录,而无需重定向... 不要这样做。

英文:

Whatever it is you are trying to achieve this way, it goes directly against what OAuth and OpenID Connect were designed for. The whole idea of using access tokens is to allow some relying party (such as a mobile app) to interact with a service on behalf of the user without ever getting to see the user's credentials (like a password).

Think of it like this. Let's say you have some app on your mobile phone. It can make use of certain services by Google. In order to do so it offers you to log in with Google and grant the app access. Now, would you want to do so by putting your Google email and password directly into the app? Of course not. That could give it complete control over your Google account, other apps and sites using your Google identity, possibly services that allow you to pay through your Google wallet... It would be insane to simply hand some phone app your Google login.

So instead with OAuth2 or OpenID Connect you can use the authorization code flow or implicit flow to have the user redirected to the identity provider (Google in our example) where they will complete their login process, and then the identity provider redirects back to the app or a site with an authorization code that can be exchanged for tokens or, for the implicit flow, the tokens themselves.

Now, when it's your own app and your own identity provider (like Keycloak) which are under your control it doesn't really matter. You can use a direct grant to simply have the user input their username and password into the app because you know it's not trying to steal user credentials to maliciously use your service. They're both under your control. In that case OAuth or OIDC are a bit overkill, but you could have separate clients for direct grants (your own app) and authorization code flows (third-party apps using your service). When you want to use Keycloak identity brokering, however, an external identity provider like Google or Facebook is not going to offer a direct grant and invite apps to steal their user's credentials. So you won't be able to interact with them this way.

Depending on what you're trying to achieve you may find some use in the token exchange process. If however the idea is that you want your user to log in with their external identity provider credentials, in your app, without a redirect... Don't.

答案2

得分: 1

这是一个真实的用例,不幸的是,Keycloak没有直接解决这个问题的方法。AWS的“用于服务账号的IAM角色”功能是基于令牌交换的,使用外部身份提供者进行直接访问授权。我在这个讨论中找到了关于如何解决Keycloak中这种缺乏支持的方法,但不确定是否解决了所有的用例 - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html

英文:

This is a real use case, unfortunately Keycloak doesn't have a direct way of solving this issue. AWS's "IAM Roles for Service Account" feature works based on token exchange with direct access grant using external IDP. I found this discussion on how to workaround this lack of support in Keycloak but not sure if it solves all the usecases - https://lists.jboss.org/pipermail/keycloak-user/2017-January/009272.html

答案3

得分: 0

你是否在移动应用中坚持使用直接访问授权作为用户身份验证的方法?依我之见,当身份提供者是第三方服务且不提供用于验证用户的 API 时,您需要使用授权码流程;即使是对于您自己的(第一方)身份提供者,最好也使用授权码流程,正如在 OAuth 2.0 安全性最佳现行做法 第2.4节中所述。

要在移动应用中实施授权码流程,您需要使用应用内浏览器选项卡来显示身份提供者提供的登录屏幕。详细信息请参阅 RFC 8252:移动和原生应用的 OAuth 2.0

英文:

Do you stick with Direct Access Grant as a method of user authentication in your mobile app? In my opinion, you need to use Authorization Code Flow when the IDP is a third party service as it won't provide an API to authenticate users, and even with your own (first party) IDP, it'd be better to use Authorization Code Flow as stated in OAuth 2.0 Security Best Current Practice section 2.4.

To implement Authorization Code Flow in mobile apps, you will need to use in-app browser tab to show login screen provided by the IDP. Please refer to RFC 8252: OAuth 2.0 for Mobile and Native Apps for details.

huangapple
  • 本文由 发表于 2020年8月21日 21:15:20
  • 转载请务必保留本文链接:https://go.coder-hub.com/63523622.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定