p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Update home IdP discovery to use new SPI #235

Open xgp opened 6 months ago

xgp commented 6 months ago

https://github.com/sventorben/keycloak-home-idp-discovery/pull/346

rtufisi commented 4 months ago

New Home IdP Discovery

[Screenshots of the new Home IdP Discovery config, taken 2024-07-20 at 08-36-33, 08-36-50, 08-36-59 and 08-37-06]

rtufisi commented 4 months ago

@xgp I was looking at the old form of the Home IdP Discovery config.

[Screenshot of the old Home IdP Discovery config, taken 2024-07-20 at 08-46-29]

Are the 'Required a Verified Email' and 'Required a Verified Domain' options still required? Are these our implementations?

rtufisi commented 4 months ago

I believe this is the new 'verifiedEmail':

[Screenshot taken 2024-07-20 at 08-51-42]

xgp commented 4 months ago

@rtufisi

> Are the 'Required a Verified Email' and 'Required a Verified Domain' options still required? Are these our implementations?

Yes. Those are for our implementations. We will still need 'Required a Verified Domain'.

> I believe this is the new 'verifiedEmail'

It looks like he added this to the default.

rtufisi commented 4 months ago

Could you please give me an example of how to use the IdpSelectorAuthenticator?

rtufisi commented 4 months ago

> @rtufisi
>
> > Are the 'Required a Verified Email' and 'Required a Verified Domain' options still required? Are these our implementations?
>
> Yes. Those are for our implementations. We will still need 'Required a Verified Domain'.

Done

> > I believe this is the new 'verifiedEmail'
>
> It looks like he added this to the default.

It seems to me that our implementation flag "verifiedEmail" and the source flag "forwardUserWithUnverifiedEmail" have opposite logic, @xgp. Does this impact our logic? How could we proceed without affecting the clients?

xgp commented 4 months ago

I think we would have to run a "migration" in a postInit method to load all existing instances of our Authenticator and migrate their configurations.
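
As an added illustration of the migration idea above (this is example code written for this page, not keycloak-orgs code and not code from the upstream home-idp-discovery extension), the sketch below runs from `AuthenticatorFactory.postInit`, walks every realm's flows, finds executions bound to our authenticator and rewrites their config. It assumes a hypothetical provider id `ext-auth-idp-selector`, the old keycloak-orgs key `verifiedEmail`, and the upstream key `forwardUserWithUnverifiedEmail` with the inverted meaning described in the thread. The Keycloak calls used (`KeycloakModelUtils.runJobInTransaction`, `RealmModel.getAuthenticationFlowsStream`, `getAuthenticationExecutionsStream`, `getAuthenticatorConfigById`, `updateAuthenticatorConfig`) are the public model API.

```java
// Added example, not project code. Hypothetical provider id and key names; see lead-in.
import java.util.Map;

import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;

public abstract class MigratingIdpSelectorFactory implements AuthenticatorFactory {

  // Assumed provider id of our authenticator; the real id in keycloak-orgs may differ.
  static final String PROVIDER_ID = "ext-auth-idp-selector";
  // Old keycloak-orgs flag: true means "only forward users with a verified email".
  static final String OLD_KEY = "verifiedEmail";
  // Upstream flag with the opposite meaning: true means "forward even if unverified".
  static final String NEW_KEY = "forwardUserWithUnverifiedEmail";

  @Override
  public void postInit(KeycloakSessionFactory factory) {
    // postInit runs on every node at startup, so the migration must be idempotent.
    KeycloakModelUtils.runJobInTransaction(factory, session ->
        session.realms().getRealmsStream().forEach(MigratingIdpSelectorFactory::migrateRealm));
  }

  static void migrateRealm(RealmModel realm) {
    realm.getAuthenticationFlowsStream()
        .flatMap(flow -> realm.getAuthenticationExecutionsStream(flow.getId()))
        .filter(exec -> PROVIDER_ID.equals(exec.getAuthenticator()))
        .filter(exec -> exec.getAuthenticatorConfig() != null)
        .map(exec -> realm.getAuthenticatorConfigById(exec.getAuthenticatorConfig()))
        .filter(cfg -> cfg != null && cfg.getConfig() != null)
        .forEach(cfg -> {
          if (migrateConfig(cfg.getConfig())) {
            realm.updateAuthenticatorConfig(cfg);
          }
        });
  }

  /**
   * Rewrites one config map in place. Returns true if anything changed.
   * Idempotent: a config that already carries the new key is left alone,
   * and a config without the old key has nothing to migrate.
   */
  static boolean migrateConfig(Map<String, String> config) {
    if (config.containsKey(NEW_KEY)) {
      return false;
    }
    String old = config.remove(OLD_KEY);
    if (old == null) {
      return false;
    }
    boolean requireVerifiedEmail = Boolean.parseBoolean(old);
    // Opposite semantics: requiring a verified email == NOT forwarding unverified users.
    config.put(NEW_KEY, Boolean.toString(!requireVerifiedEmail));
    return true;
  }
}
```

Because the two flags have opposite meaning, the dangerous failure mode is a half-migration that leaves the new key at its default: an old `verifiedEmail=true` deployment would then start forwarding unverified users to the home IdP. Removing the old key only after the new one is written, and refusing to touch configs that already have the new key, keeps a re-run or a rolling restart from flipping the behaviour twice.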

xgp commented 4 months ago

Pulling the home idp extension is currently blocked by it not being in Maven Central. See https://github.com/sventorben/keycloak-home-idp-discovery/issues/400

Going to try pulling the library in locally with the Maven system scope:

<!-- Placeholder coordinates; the jar is resolved from the local path instead of a repository. -->
<dependency>
    <groupId>com.sample</groupId>
    <artifactId>sample</artifactId>
    <version>1.0</version>
    <!-- system scope is deprecated in Maven and the jar is not packaged or
         resolved transitively, so consumers must still ship it themselves -->
    <scope>system</scope>
    <systemPath>${project.basedir}/src/main/resources/Name_Your_JAR.jar</systemPath>
</dependency>

Interim plan if this ^^^ works:

  1. Import the compatible home idp jar into a libs/ directory in the keycloak-orgs repo
  2. In our distribution/docker image phasetwo-containers repo, import it into the libs/ext/ dir
  3. Document in the README that it is necessary to include the home idp jar
  4. Eventually PR his repo with an example of how to release to Maven Central

rtufisi commented 4 months ago

Hi @xgp. I've created a first example of how we could use the home idp extension as a library. There are several things that block us from using it as a library, but I've created a PR on how to use it.

Please check: https://github.com/p2-inc/keycloak-orgs/pull/259/files#diff-ca14b1065de1812332188294559f0f7398a15bb862c910f8d94fb83b1a6ce41b

In order to start the project locally use the following config:

[Screenshot of the local run configuration, taken 2024-07-27 at 14-38-42]

rtufisi commented 4 months ago

@xgp from my point of view, to be able to fully implement an authenticator using "home IdP discovery" as a library we would need the following:

In this way we could implement our custom Authenticator behaviour