Skip to content
This repository has been archived by the owner. It is now read-only.
master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

README.md

Cyclone Federation Provider

Components:

Keycloak in combination with MongoDB and SimpleSamlPHP as a samlbridge.

Please see the documentation for Keycloak, MongoDB, SimpleSamlPHP and Docker for more information.

Provider connection architecture

![architecture] (https://raw.githubusercontent.com/cyclone-project/cyclone-federation-provider/master/docs/cyclone-diagram.png)

Configuration

Configure Keycloak and SimpleSamlPHP by editing the files in components/keycloak/config or components/samlbridge/config respectively.

The Keycloak database is persisted (by default) in data/keycloak/db. Import configuration for keycloak by adding the keycloak-export.json to data/keycloak/exports and editing docker-compose.yml.

The provided keycloak-export.json includes:

Default Users for Keycloak:

Username Password
admin admin
owner owner
user user
guest guest

Default Clients for Keycloak:

Client Id Redirect Uri
slipstream *
portal *
test *

Deployment

Build and run with Docker and Docker Compose by executing docker-compose up.

By default, Keycloak listens at http://localhost:9080 and SimpleSamlPHP at http://localhost:8080/samlbridge

Authn/Authz with keycloak

NOTE: Underlying standard is OpenId-Connect, specifically the Authorization Code Flow.

  1. User tries to access a protected resource.

  2. User is redirected to: http(s)://(keycloak)/auth/realms/(realm)/protocol/openid-connect/auth?client_id=(client_id)&redirect_uri=(redirect_uri)&response_type=code

  3. User login happens with any of the methods supported by keycloak.

  4. After successful login, user is redirected to (redirect_uri) with a code: (redirect_uri)/?code=(code)

  5. Use this code to retrieve a set of JSON Web Tokens (JWT):

    POST /auth/realms/(realm)/protocol/openid-connect/token
    Content-Type: application/x-www-form-urlencoded

    grant_type: authorization_code
    code: (code)
    redirect_uri: (redirect_uri)
    client_id: (client_id)


    Response:
    {
        "access_token": (base64 encoded JWT),
        "expires_in": (time),
        "refresh_token": (base64 encoded JWT),
        "refresh_expires_in": (time),
        "token_type": "bearer",
        "id_token": (base64 encoded JWT),
        "not-before-policy": (policy),
        "session-state": (session-state)
    }
  1. Refresh set of tokens, as necessary:
    POST /auth/realms/(realm)/protocol/openid-connect/token
    Content-Type: application/x-www-form-urlencoded

    grant_type : refresh_token
    refresh_token : (refresh_token)
    redirect_uri : (redirect_uri)
    client_id : (client_id)


    Response:
    {
        "access_token": (base64 encoded JWT),
        "expires_in": (time),
        "refresh_token": (base64 encoded JWT),
        "refresh_expires_in": (time),
        "token_type": "bearer",
        "id_token": (base64 encoded JWT),
        "not-before-policy": (policy),
        "session-state": (session-state)
    }
  1. Log out by redirecting the user to: http(s)://(keycloak)/auth/realms/(realm)/tokens/logout?redirect_uri=(redirect_uri)

About

Example of Cyclone Federation provider together with Wordpress and SSH server. For demonstration purposes

Resources

Releases

No releases published

Packages

No packages published