Brokering non-OIDC oAuth 2.0 identities

Hi there,

I am evaluating using Keycloak as a broker for various Identity Providers. It seems to tick all the boxes of what we need.

Unfortunately while trying to get a proof of concept working it looks like Keycloak only support OIDC identity providers - noticably requiring an ‘openid’ scope to be sent along, something the non-OIDC application doesn’t understand.

The enforcement of the ‘openid’ scope seems to have been implemented to be compliant with the actual OIDC spec in https://issues.redhat.com/browse/KEYCLOAK-3237 which introduced my “problem”.

Additionally I understood from some other Discourse posts that some of the shipped social identity providers are actually non-OIDC either and have a standard oAuth 2.0 implementation as well, although the admin UI only allows for creating OIDC based providers.

Is there any way to use ‘plain’ oAuth 2.0 identity providers with Keycloak? I couldn’t find extensions that add support for this either and it won’t be feasible to write custom Keycloak extensions for every non-OIDC identity provider that will need to be added.

Any suggestions would highly appreciated - Keycloak definitely looks like a great piece of software that will take away a lot of bootstrapping & security optimizations, if able to be (made to) work with plain old oAuth too :slight_smile:.

Thanks!

Most “plain” OAuth2 IdPs are likely configurable using Keycloak’s generic OIDC IdP type. Post here which one you’re trying to implement with a link to the developer docs for it, and I’ll take a crack at a configuration.

If that’s doesn’t work, it’s possible to implement your own IdP providers, just as you have noticed that some of the included social identity providers have done. This is a little more work, but is also something that this list can help you with.

@xgp Highly appreciate it. One of the earliest attempts was using accounting software Moneybird. It’s less about the identity of the user and more about brokering the connectivity to a specific administration. See the developer docs at https://developer.moneybird.com/ for the API and Auth info. You can signup and create a sandbox administration for free to create a test oAuth application.

The request currently breaks down because the openid scope is always added to the authorization request, a scope that Moneybird doesn’t recognize.

With regards to implementing own IdP providers, I’d need to dig into it to see if this a feasible approach. Do you know which ones are “plain” OAuth for me to take a look at the code?

Anything that extends AbstractOAuth2IdentityProvider :
https://www.keycloak.org/docs-api/13.0/javadocs/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.html

BitbucketIdentityProvider, FacebookIdentityProvider, GitHubIdentityProvider, InstagramIdentityProvider, LinkedInIdentityProvider, MicrosoftIdentityProvider, OIDCIdentityProvider, OpenshiftV3IdentityProvider, OpenshiftV4IdentityProvider, PayPalIdentityProvider, StackoverflowIdentityProvider

1 Like

@Purer I made a start for implementing it. I can’t find any docs about how to get userinfo from the Moneybird API, so I sent their support an email. This should get you started on implementing.

1 Like

@xgp This is great! Thanks a lot for this stub!

My Java is a little rusty to say the least, so I’m going to try to figure out how to get the Keycloak dev env up & running to be able to further expand on your example. The docs seem to provide some pointers on this.

I’m very curious to their reply on your OIDC query. As far as I know they don’t provide an UserInfo or similar endpoint either. Users are actually a relatively un-important entity in their context (which is similar to us - which is why I’m still having the lingering thought if I’m trying to push a square peg in a round hole, when trying to use Keycloak to establish OAuth brokering to get access to administrations more so than the actual connecting users).

They added a userinfo endpoint when I asked them about it, but it looks like there are still some bugs in it. I’ve updated the repo to reflect the updated API. Pull the most recent version, and you should get something that is close to working.

If you want to see the full exchange I had with Moneybird, send me your email in a message, and I’ll forward it to you.

@xgp Hiya, I saw your commit and their workaround being just retrieving the first administration. Not quite sure of the implications of that and should test that further.

I can’t find any way to send you a direct message or contact you here… Any suggestion how I can provide my email to you privately or vice versa with your details :slight_smile:? Quite interested to see the full thread and potentially follow up with them later too.