CODEWITHSUNDEEP
authenticationkeycloakopenid-connectidentity
Dimitri Tenenbaum
Dimitri Tenenbaum

Reputation: 219

OpenID Connect authentication provider for legacy user management?

We have a self-developed proprietary user management and self-developed Single Sign-on. (OpenID Connect wasn't born at that time)
Our authentication server and our thick clients are in a private network, without internet access.
The task is to integrate a third-party thick client - its users should authenticate against our existing authentication server.
The general idea is to use an existing future-oriented framework which offers a standard authentication interface (like Keycloak?) and implement our own OpenID Connect authentication provider (or User storage SPI for keycloack).
Is the way with keycloack and User storage SPI recommendable or are there better approaches?

Upvotes: 0

Views: 562

Answers (2)

Kayes
Kayes

Reputation: 592

I can vouch for Keycloak User Storage SPI approach. Recently implemented this for a project and it is working pretty well. For any existing user-database I highly recommend it.

I found some example source on github that you could look at (although needed some modification to run it): https://github.com/mfandre/KeycloakSPI

I have also written an article summarizing my findings working with Keycloak in case you're interested in other features: https://dev.to/kayesislam/keycloak-as-oidc-provider-42ip

It's extremely customisable.

Upvotes: 0

Gary Archer
Gary Archer

Reputation: 29243

As you say, this is a good choice for meeting your immediate requirements:

  • External client uses a modern OpenID Connect flow - eg OIDC for desktop apps
  • It connects to an Authorization Server with support for standards based endpoints
  • Authorization Server has extensible support for data sources and can potentially reach out to your existing user data source

As an example, Curity, where I work, supports multiple data sources and there is a free community edition if useful.

Any provider that meets the same requirements would be fine though - and I've heard some good things about Keycloak.

LONGER TERM

It makes sense to then gradually update other apps to use modern OAuth and OIDC behaviour.

At a suitable point it is worth making the Authorization Server the only place from which Personally Identifiable user data is accessed, and moving the storage there. See this data privacy article for some advantages of this.

Upvotes: 0

Related Questions