Open vinay03 opened 4 days ago
Hi @vinay03, it is great to have OAuth2/OpenID Connect integration; this is a super useful and highly requested feature. I don't have any experience using Keycloak, so I hope you can help me clear up some questions I have.
`az login`, it will actually pop up a web browser page asking you to authenticate. I don't actually know how the token gets back to the CLI tool.
2) We can require the user to create an API key for CLI logins, rather than redirecting to a web page, so this is a different auth flow than user login. This is what GitHub requires if you've enabled 2FA on your account. I would probably suggest this latter flow as I can understand how it works.
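One common mechanism for a browser-based CLI login like the one raised in the comment above is the OAuth 2.0 authorization code flow with PKCE and a loopback redirect (RFC 8252, RFC 7636): the CLI listens on 127.0.0.1, the browser is redirected there with a one-time code, and the CLI itself exchanges that code plus its PKCE verifier at the token endpoint. The Go code below is an added example, not code from EdgeCloud, Keycloak or `az`; the endpoint URL, client ID, port and function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

func randToken(n int) string { // n random bytes, base64url without padding
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// pkceChallenge derives the S256 code_challenge from the verifier (RFC 7636).
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authURL is what the CLI opens in the browser; every argument is a placeholder.
func authURL(endpoint, clientID, redirect, state, verifier string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirect}, "scope": {"openid"}, "state": {state},
		"code_challenge": {pkceChallenge(verifier)}, "code_challenge_method": {"S256"}}
	return endpoint + "?" + q.Encode()
}

// codeFromCallback validates the query the browser delivers to the loopback listener.
func codeFromCallback(q url.Values, wantState string) (string, error) {
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("identity provider returned %q", e)
	}
	if wantState == "" || q.Get("state") != wantState {
		return "", fmt.Errorf("state mismatch: login not started by this CLI")
	}
	if q.Get("code") == "" {
		return "", fmt.Errorf("callback carried no code")
	}
	return q.Get("code"), nil
}

func main() {
	fmt.Println(authURL("https://idp.example/auth", "example-cli", "http://127.0.0.1:8400/cb", randToken(16), randToken(32)))
}
```

The access token never passes through the browser in this flow: only the short-lived code does, and it is useless without the verifier that stays inside the CLI process.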
Summary
We can set up Keycloak as an Identity Provider (IdP) for both authentication and authorization while maintaining the existing user management system as the primary user system. For this we will have to use the user storage provider interface. For example: https://github.com/b1-systems/keycloak-user-storage-test
This way, we would be able to use Keycloak for handling authentication and token management, while the pre-existing user system manages the user data and business logic. The whole integration will work as an optional extension to the current existing user management system. There are some built-in mechanisms like `clients` to manage SaaS infrastructure in Keycloak for supporting multi-tenancy. We can also integrate the Keycloak roles module using the existing casbin library that we are already using in the EdgeCloud code.
Flows
Code Changes
We have to implement a Keycloak User Federation Provider and a user storage provider interface which will communicate with the existing user system either internally or via API. This will handle user authentication and lookups, allowing Keycloak to validate credentials and retrieve user data.
Design Changes
Login Form: We can add a `Login using SSO` button below the existing `Log In` button.
Register Form: We can add a `Join using SSO` button before the `Create New Account` title on the register form.
@levshvarts @gainsley Could you please share your thoughts on this to have more clarity?