Posted to users@isis.apache.org by Anton Hughes <ku...@gmail.com> on 2016/01/18 18:56:20 UTC

Integration with Keycloak?

Hello

I am interested in knowing if it is possible to integrate keycloak, and if
yes, how would this be done?

Thanks and kind regards
Anton

Re: Integration with Keycloak?

Posted by David Tildesley <da...@yahoo.co.nz>.
Hi Anton,
Having just read all about Keycloak and the fact it is ASL 2.0 licensed, I think that is an excellent idea. Apache Shiro has the advantage with its fine-grained permission model and role to application permission mapping but Keycloak is a much more comprehensive access manager that can provide SSO across multiple applications, support Social network authentication, REST API authentication etc. But it does overlap with some of the recent user management features in the ISIS-Addons. Looks like Keycloak and Shiro could work together with Keycloak asserting the authentication and Identity attributes and roles with Shiro continuing to offer the fine-grained permission model based on the asserted roles and its role to permission mapping.
How you would go about doing that, I am not the best person to ask, but really keen to see Keycloak integrated.
Regards,
David.

    On Tuesday, 19 January 2016 6:56 AM, Anton Hughes <ku...@gmail.com> wrote:
 

 Hello

I am interested in knowing if it is possible to integrate keycloak, and if
yes, how would this be done?

Thanks and kind regards
Anton


  

Re: Integration with Keycloak?

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Following on, I've raised ISIS-1297 for this feature request.

https://issues.apache.org/jira/browse/ISIS-1297


On 24 January 2016 at 12:31, Dan Haywood <da...@haywood-associates.co.uk>
wrote:

> Hi Anton,
>
> and welcome to the users mailing list.
>
> Yes, it should be possible to integrate keycloak, and there are several
> approaches you could take.
>
> As described in our security guide [1] Apache Isis has a pluggable API for
> both authentication and authorization, so at the lowest level one could
> implement either/both of these plugin points.
> Apache Isis has two integrations, one for Shiro and one called "bypass"
> (which basically disables security).  So one could ignore Apache Isis'
> Shiro integration and implement everything yourself.
>
> However, (as David alludes to), it would probably make more sense to build
> upon the Isis Add-ons security module [2], which builds upon the Shiro
> integration by providing an implementation of a Shiro Realm.  This is
> described in [3].  In fact, I would suggest that keycloak would be used as
> a delegate realm within the Isis addons' security module.
>
> In other words, the design that you could use is:
>
>         Apache Isis -> Shiro -> Isis addons security realm -> Isis addons delegate realm
>
> This last realm would be implemented using Keycloak.
>
> The documentation in the security module [4] and [5] might also help to
> explain this.
>
> Note that this design would use Keycloak for authentication (validate
> credentials and look up roles), with the security module taking
> responsibility for authorization.  If you wanted authorization to be
> performed by keycloak, then we'd need to look at a different design.
>
> ~~~
> Let me know if you're interested in helping implement this feature; I'd be
> happy to provide more guidance either via mailing list or offline.
>
> Cheers
> Dan
>
>
> [1] http://isis.apache.org/guides/ugsec.html
> [2] https://github.com/isisaddons/isis-module-security
> [3] http://isis.apache.org/guides/ugsec.html#_ugsec_shiro-isisaddons-security-module-realm
> [4] https://github.com/isisaddons/isis-module-security#application-users
> [5] https://github.com/isisaddons/isis-module-security#shiro-configuration-shiroini
>
> PS: I noticed in the course of writing this reply that some of the images
> in the security guide [1] were missing; these have now been fixed.
>
>
>
>
> On 18 January 2016 at 17:56, Anton Hughes <ku...@gmail.com> wrote:
>
>> Hello
>>
>> I am interested in knowing if it is possible to integrate keycloak, and if
>> yes, how would this be done?
>>
>> Thanks and kind regards
>> Anton
>>
>
>

Re: Integration with Keycloak?

Posted by Dan Haywood <da...@haywood-associates.co.uk>.
Hi Anton,

and welcome to the users mailing list.

Yes, it should be possible to integrate keycloak, and there are several
approaches you could take.

As described in our security guide [1] Apache Isis has a pluggable API for
both authentication and authorization, so at the lowest level one could
implement either/both of these plugin points.
Apache Isis has two integrations, one for Shiro and one called "bypass"
(which basically disables security).  So one could ignore Apache Isis'
Shiro integration and implement everything yourself.

However, (as David alludes to), it would probably make more sense to build
upon the Isis Add-ons security module [2], which builds upon the Shiro
integration by providing an implementation of a Shiro Realm.  This is
described in [3].  In fact, I would suggest that keycloak would be used as
a delegate realm within the Isis addons' security module.

In other words, the design that you could use is:

        Apache Isis -> Shiro -> Isis addons security realm -> Isis addons delegate realm

This last realm would be implemented using Keycloak.

The documentation in the security module [4] and [5] might also help to
explain this.

Note that this design would use Keycloak for authentication (validate
credentials and look up roles), with the security module taking
responsibility for authorization.  If you wanted authorization to be
performed by keycloak, then we'd need to look at a different design.

~~~
Let me know if you're interested in helping implement this feature; I'd be
happy to provide more guidance either via mailing list or offline.

Cheers
Dan


[1] http://isis.apache.org/guides/ugsec.html
[2] https://github.com/isisaddons/isis-module-security
[3] http://isis.apache.org/guides/ugsec.html#_ugsec_shiro-isisaddons-security-module-realm
[4] https://github.com/isisaddons/isis-module-security#application-users
[5] https://github.com/isisaddons/isis-module-security#shiro-configuration-shiroini

PS: I noticed in the course of writing this reply that some of the images
in the security guide [1] were missing; these have now been fixed.




On 18 January 2016 at 17:56, Anton Hughes <ku...@gmail.com> wrote:

> Hello
>
> I am interested in knowing if it is possible to integrate keycloak, and if
> yes, how would this be done?
>
> Thanks and kind regards
> Anton
>
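
The realm chain described in this thread, sketched as a shiro.ini fragment (an added example, not part of the original messages and not the project's own configuration). It assumes the security module's Shiro settings as documented in [5]; com.example.security.KeycloakDelegateRealm is a hypothetical class that would still have to be written.

```ini
[main]
# Hypothetical Keycloak-backed realm (placeholder class name, no such artifact exists).
# Assumption: it extends Shiro's AuthenticatingRealm and does nothing except
# validate the submitted credentials against Keycloak.
keycloakRealm = com.example.security.KeycloakDelegateRealm

# Isis addons security realm: holds application users, roles and permissions,
# so authorization decisions stay inside the security module.
isisModuleSecurityRealm = org.isisaddons.module.security.shiro.IsisModuleSecurityRealm

# Delegate credential checks to Keycloak instead of the module's own password store.
isisModuleSecurityRealm.delegateAuthenticationRealm = $keycloakRealm

authenticationStrategy = org.isisaddons.module.security.shiro.AuthenticationStrategyForIsisModuleSecurityRealm
securityManager.authenticator.authenticationStrategy = $authenticationStrategy

# Only the security module's realm is registered with Shiro. The Keycloak realm
# is reachable solely through it, which gives the chain:
#   Apache Isis -> Shiro -> Isis addons security realm -> Isis addons delegate realm
securityManager.realms = $isisModuleSecurityRealm
```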