I’m trying to integrate Nafath (A national identity provider in Saudi Arabia) into keycloak as an identity provider (To have a “login with Nafath”). The main issue is that Nafath is not using any of the standard protocols for authenticating users (OpenID Connect, SAML, …etc). Now to solve this issue I’m thinking of one of two approaches.
Defining a custom login protocol (Nafath Protocol) in keycloak and somehow use this new protocol for defining new identity providers.
Building an adapter app that implements one of the standard protocols (OpenID Connect, SAML, …etc) and uses Nafath APIs to implement the Nafath login flow.
My question is
Is there a way to implement this by the first approach ? is there any other approach this can be done ?
The flow as described in the above image doesn’t redirect to NAFATH to enter credentials and So. Instead, login with Nafath should communicate with NAFATH backend to get a random text to be displayed to the user and also register some callback url to be called upon success/failure. The user then uses NAFATH mobile app to approve the login request by entering the random text that the SP is displaying. Once approved NAFATH server would call the callback url to notify the SP that login is successful. There’s also a variant of this flow where in the last step instead of a callback url SP can periodically check the success of the login request by calling some API on NAFATH server
This method returns a JAX-RS resource that you can use to expose several endpoints, both for the NAFATH service, and for the page above that the user interacts with.
It’s definitely atypical, but I think starting with a stub implementation of IdentityProvider with some logging will help you understand what happens when you initiate the flow.
I can confirm that it’s actually doable, I waited till I can test the whole cycle and it actually worked. I added a custom provider called Nafath and added the needed configuration like Nafath URL, API Key, and Service (Although I couldn’t add the fields on admin console UI but I added them by an API call). Then, I did like you said by customizing the “performLogin” to render the page where the user enters the national id and gets the random number. After that I keep sending a request to keycloak (which in turn asks Nafath) about the status until I get a status other than “Waiting” and this is when I call the /endpoint by a form submit with all the required parameters to authenticate the session. The “callback” function is used to return an object containing all the needed API Endpoints. The only thing that’s left for me now is to add the UI configurations to the broker but I see that we have already a discussion here Custom Identity-Provider properties are not shown · keycloak/keycloak · Discussion #11849 · GitHub and an open issue here Support configurable custom Identity Providers · Issue #15344 · keycloak/keycloak · GitHub . Thanks @xgp for your help !
The issue you’re facing with this request is that Nafath is blocking you for some reason. We had this issue and had to ask Nafath to explicitly allow some IPs from our DEV environment.
Dear @islam56naser Can you please share your solution as we are also facing same issue. We want to integrate with Nafath and want to use their own login flow which is not standard OpenIdc flow.
It would be great if you can share details of your provider.
@razajafarster@tahirmmd Unfortunately I’m not able to share the exact code as it’s part of a proprietary software for the company I work for but if you follow the comments you can see a guideline for how to do this. I’ll also check also with my company to see if this can be made a public plugin for keycloak.
Dear @islam56naser , do you have any update on making this public? Otherwise can you share the name and contact information for your company. My company is seeking to leverage this integration if it was done successfully.
