Use keycloak tokens instead of generating our own ones when serving client auth requests #672
Comments
Keycloak doesn't support User profile images so we will need to generate gravatar URLs in api/user/show. |
Another problem to solve. We are currently using "uuid" as a unique userID in JWT key which maps to uuid DB primary key for Identity. But keycloak use it's own users ID and unique user names and returns it in the token as "sub" and "preferred_username" claims. We could solve it by saving the keycloak's "sub" value in Identity.uuid when creating an Identity instead of generating a new uuid in DB or introducing a new attribute to the model object + a field in DB - "username". I would try to use the "sub" value as Identity.uuid for now... @aslakknutsen @kwk any thoughts? |
…lient auth requests Fixes fabric8-services#672
…lient auth requests Fixes fabric8-services#672
@alexeykazakov can you please give examples of how the tokens look like in the different systems, or can you add pointers to the documentation of each system's user/identity representation? That would simplify the discussion a lot. |
Here is an example of payload from KC token:
|
Here is a suggestion for updated User/login model and how we can fit it in our IDPs models. What we currently have is:Identity (represents a user)
User
Proposed model:User (represents a user account in our system)
Login I actually don't like this name. Can we call it Identity Provider User or somewhat else to avoid confusions? This is a representation of user provided by some particular Identity Provider such as: a) Our Keycloak; b) GitHub (for remote WI's); c) JIRA (for remote WI's), etc.
When a user is logging in we authenticate in our Keycloak (which uses developers.redhat.com as the default IDP). A new Login is created. We use uuid of the Keycloak user. idp="keycloak". We also create a User and associate these User - Login. We return the retrieved Keycloak token which will be used by UI for authentication. So there is a strong assassination between a token and a keyclaok Login. When we import a remote WI (from JIRA, github, etc) we create a Login which is not associated with any User yet. Open question: how we associate remote WI's (imported from github, etc) with User. We would need some manual workflow for that. This update will requre a massive refactoring in almighty-core (and ui probably too) :-( |
…lient auth requests Fixes fabric8-services#672
…lient auth requests Fixes fabric8-services#672
…lient auth requests Fixes fabric8-services#672
…lient auth requests Fixes fabric8-services#672
…lient auth requests Fixes fabric8-services#672
Use keycloak tokens instead of generating our own ones when serving client auth requests Fixes #672
Use keycloak tokens instead of generating our own ones when serving client auth requests Fixes fabric8-services#672
No description provided.
The text was updated successfully, but these errors were encountered: