Keycloak Nafath Integration

Hello everyone,

I’m trying to integrate Nafath (a national identity provider in Saudi Arabia) into Keycloak as an identity provider (to have a “login with Nafath”). The main issue is that Nafath does not use any of the standard protocols for authenticating users (OpenID Connect, SAML, etc.). To solve this, I’m thinking of one of two approaches.

  1. Defining a custom login protocol (Nafath Protocol) in Keycloak and somehow using this new protocol to define new identity providers.

  2. Building an adapter app that implements one of the standard protocols (OpenID Connect, SAML, etc.) and uses the Nafath APIs to implement the Nafath login flow.

My question is:

Is there a way to implement this with the first approach? Is there any other approach by which this can be done?


The best place to start is to look at the IdentityProvider and IdentityProviderFactory interfaces and their various implementations.
https://www.keycloak.org/docs-api/21.1.1/javadocs/org/keycloak/broker/provider/IdentityProvider.html
https://www.keycloak.org/docs-api/21.1.1/javadocs/org/keycloak/broker/provider/IdentityProviderFactory.html
Implementing those would be the easiest way to add an identity provider for Nafath. If you encounter any problems, feel free to post information about their protocol here.

I already checked both classes, but now I’m stuck on how to implement the flow using them.

Here’s the flow for login with Nafath:

The flow as described in the above image doesn’t redirect to NAFATH to enter credentials and so on. Instead, login with Nafath should communicate with the NAFATH backend to get a random text to be displayed to the user and also register some callback URL to be called upon success/failure. The user then uses the NAFATH mobile app to approve the login request by entering the random text that the SP is displaying. Once approved, the NAFATH server calls the callback URL to notify the SP that the login is successful. There’s also a variant of this flow where, in the last step, instead of a callback URL the SP can periodically check the success of the login request by calling some API on the NAFATH server.

I haven’t really seen one like this, but I still think it might be possible. The methods you want to look at are:

javax.ws.rs.core.Response performLogin(AuthenticationRequest request);

You can use this to return a page with the logic to “Request Access ID” and “Display Random Text”, as well as to poll for a result.

Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event);

This method returns a JAX-RS resource that you can use to expose several endpoints, both for the NAFATH service and for the page above that the user interacts with.

It’s definitely atypical, but I think starting with a stub implementation of IdentityProvider with some logging will help you understand what happens when you initiate the flow.

Thanks for the response. I think you’re right, this can actually work.

If you can share, please post what you come up with. This is an interesting/novel use case.

Hi, have you resolved this issue? I am also facing a similar issue with the Nafath integration. I would need your help, if you can, please.

I can confirm that it’s actually doable; I waited until I could test the whole cycle, and it actually worked. I added a custom provider called Nafath and added the needed configuration like Nafath URL, API Key, and Service (although I couldn’t add the fields in the admin console UI, I added them via an API call). Then I did as you said, customizing “performLogin” to render the page where the user enters the national ID and gets the random number. After that, I keep sending a request to Keycloak (which in turn asks Nafath) about the status until I get a status other than “Waiting”, and this is when I call the /endpoint by a form submit with all the required parameters to authenticate the session. The “callback” function is used to return an object containing all the needed API endpoints. The only thing that’s left for me now is to add the UI configurations to the broker, but I see that we already have a discussion here (Custom Identity-Provider properties are not shown · keycloak/keycloak · Discussion #11849 · GitHub) and an open issue here (Support configurable custom Identity Providers · Issue #15344 · keycloak/keycloak · GitHub). Thanks @xgp for your help!

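The two posts above (xgp’s pointers to `performLogin` and `callback`, and the finished flow Islam describes) put together in one sketch. This is an added example, not code from the thread or from the Keycloak project; the `NafathBackend` interface, the `nafath-login.ftl` template, the auth-note names and the status strings are assumptions, because the thread gives no details of the NAFATH API. It follows the polling variant of the flow and re-checks the transaction status server-side before brokering the identity, so a hand-crafted form submit to /endpoint cannot complete a login that NAFATH never approved.

```java
package com.example.nafath; // hypothetical package

import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.broker.provider.AbstractIdentityProvider;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/** Added example: a Keycloak IdentityProvider for the "random text + mobile approval" flow. */
public class NafathIdentityProvider extends AbstractIdentityProvider<IdentityProviderModel> {

    /** ASSUMPTION: the real NAFATH API is not described in the thread; this abstraction stands in for it. */
    public interface NafathBackend {
        /** Start a login request for the given national id; returns a transaction id and the random text. */
        Transaction begin(String nationalId);
        /** Server-side status of a transaction: "WAITING", "COMPLETED", "REJECTED" or "EXPIRED" (assumed values). */
        String status(String transactionId);
    }

    public static final class Transaction {
        public final String id, random;
        public Transaction(String id, String random) { this.id = id; this.random = random; }
    }

    private final NafathBackend backend;

    public NafathIdentityProvider(KeycloakSession session, IdentityProviderModel config, NafathBackend backend) {
        super(session, config); // Nafath URL / API key come from config.getConfig(), set via the admin REST API
        this.backend = backend;
    }

    /** Step 1: no redirect; render a page where the user enters the national id and sees the random text. */
    @Override
    public Response performLogin(AuthenticationRequest request) {
        LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class)
                .setAuthenticationSession(request.getAuthenticationSession())
                // Opaque broker state; the page echoes it back so each call is tied to this auth session.
                .setAttribute("state", request.getState().getEncoded())
                // .../realms/{realm}/broker/{alias}/endpoint, where the object from callback() is mounted.
                .setAttribute("endpoint", request.getRedirectUri());
        return forms.createForm("nafath-login.ftl"); // hypothetical theme template
    }

    /** Step 2: the JAX-RS sub-resource that the page (and, in the callback variant, NAFATH) talks to. */
    @Override
    public Object callback(RealmModel realm, IdentityProvider.AuthenticationCallback callback, EventBuilder event) {
        return new Endpoint(callback);
    }

    @Override
    public Response retrieveToken(KeycloakSession session, FederatedIdentityModel identity) {
        return Response.noContent().build(); // NAFATH issues no token that could be exchanged
    }

    public class Endpoint {
        private final IdentityProvider.AuthenticationCallback callback;
        Endpoint(IdentityProvider.AuthenticationCallback callback) { this.callback = callback; }

        /** POST .../endpoint/begin: start the transaction and hand the random text to the page. */
        @POST @Path("/begin") @Produces(MediaType.APPLICATION_JSON)
        public Response begin(@FormParam("state") String state, @FormParam("national_id") String nationalId) {
            AuthenticationSessionModel authSession = callback.getAndVerifyAuthenticationSession(state);
            session.getContext().setAuthenticationSession(authSession);
            Transaction tx = backend.begin(nationalId);
            // Bind the transaction to this auth session; the browser never sees or supplies the id.
            authSession.setAuthNote("nafath.tx", tx.id);
            authSession.setAuthNote("nafath.nationalId", nationalId);
            return Response.ok("{\"random\":\"" + tx.random + "\"}").build();
        }

        /** GET .../endpoint/status: the page polls this until the status is no longer WAITING. */
        @GET @Path("/status") @Produces(MediaType.APPLICATION_JSON)
        public Response status(@QueryParam("state") String state) {
            AuthenticationSessionModel authSession = callback.getAndVerifyAuthenticationSession(state);
            String tx = authSession.getAuthNote("nafath.tx");
            String s = tx == null ? "UNKNOWN" : backend.status(tx);
            return Response.ok("{\"status\":\"" + s + "\"}").build();
        }

        /** POST .../endpoint: the final form submit. Approval is re-verified with NAFATH, never taken from the form. */
        @POST
        public Response finish(@FormParam("state") String state) {
            AuthenticationSessionModel authSession = callback.getAndVerifyAuthenticationSession(state);
            session.getContext().setAuthenticationSession(authSession);
            String tx = authSession.getAuthNote("nafath.tx");
            if (tx == null || !"COMPLETED".equals(backend.status(tx))) {
                return callback.error("nafathNotApproved"); // hypothetical message key
            }
            String nationalId = authSession.getAuthNote("nafath.nationalId");
            BrokeredIdentityContext identity = new BrokeredIdentityContext(nationalId);
            identity.setIdpConfig(getConfig());
            identity.setIdp(NafathIdentityProvider.this);
            identity.setUsername(nationalId);
            identity.setAuthenticationSession(authSession);
            return callback.authenticated(identity); // Keycloak now links/creates the user and finishes login
        }
    }
}
```

To register it, add a factory extending `AbstractIdentityProviderFactory` whose `create(session, model)` builds the `NafathBackend` from the provider config, and list that factory in `META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory`. The design choice worth keeping whatever the real API looks like: every endpoint starts with `getAndVerifyAuthenticationSession(state)`, the transaction id lives only in auth notes, and `finish` asks NAFATH for the status itself rather than trusting anything the form carries.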

The issue you’re facing with this request is that Nafath is blocking you for some reason. We had this issue and had to ask Nafath to explicitly allow some IPs from our DEV environment.

Hi Islam, could you please advise how to get the Nafath API documentation?

Please advise how to get the Nafath API documentation. Thank you.

Did you get the complete solution for this? If yes, could you please share it?


Dear @islam56naser, can you please share your solution, as we are also facing the same issue? We want to integrate with Nafath and want to use their own login flow, which is not a standard OIDC flow.

It would be great if you can share details of your provider.

@razajafarster @tahirmmd Unfortunately I’m not able to share the exact code, as it’s part of proprietary software for the company I work for, but if you follow the comments you can see a guideline for how to do this. I’ll also check with my company to see if this can be made a public plugin for Keycloak.

Dear @islam56naser, do you have any update on making this public? Otherwise, can you share the name and contact information of your company? My company is seeking to leverage this integration if it was done successfully.

Hi, can anyone tell me which authorisation the Nafath website is using, SAML or OAuth? If neither, which authorisation is Nafath using now? Are they using some cookie concept instead of tokens?

Thanks to this article, which helped quite a bit in integrating Nafath with Keycloak. Actually, the solution is exactly in the answer, just not that well explained and detailed. I’ve done this integration end-to-end, and anyone who wants the integration can contact me at ali.ravian1308@gmail.com. I’d love to sort out your queries. If anyone wants the whole integration, I can provide a paid end-to-end solution.