Keycloak SPI to handle legacy API Key Tokens


Markus Kienleitner

Apr 30, 2021, 8:16:50 AM
to Keycloak Dev

Is there a way to handle legacy API Tokens that are stored in an external DB?

Legacy users from the external DB are already connected with a UserStorageProvider SPI.

I can distinguish whether a token is a legacy token or not. If it is a legacy token, I want to load it from the external DB and validate the token; otherwise, go the default Keycloak way.

The API key is sent in the Authorization Header as a bearer token.

I tried it with an Authenticator SPI, but AFAIK it is only there to, as the name says, authenticate.

Is "OAuth2 token introspection" the correct SPI for that?

Or are there any other possibilities to implement the legacy OAuth2 token validator?

Stian Thorgersen

May 3, 2021, 5:18:54 AM
to Markus Kienleitner, Keycloak Dev
Doesn't seem like it should be Keycloak's responsibility to validate tokens issued by something else. Are all your apps using token introspection? If so I guess you could implement a custom token introspector, although it does feel a bit incorrect. STS of course also comes to mind in this scenario.


Markus Kienleitner

May 3, 2021, 5:47:07 AM
to Keycloak Dev

The problem is that there is already an OAuth implementation (Restlet OAuth Extension). However, Restlet has deprecated this extension and we would like to switch to Keycloak.

Users, OAuth clients, and tokens are stored in a DB and should be supported for some time. To the outside world, as little as possible of the change should be apparent - a seamless transition.

Since there is already an existing implementation that is tightly coupled to the backend, we have such UCs as an interim solution.

Users can be processed easily and quickly with the UserStorageProvider, we have to migrate OAuth clients as far as possible, and the tokens are still the big problem.
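One shape the custom token introspector mentioned in the thread could take, added here as an example that is neither part of this thread nor of Keycloak itself: it takes over the `access_token` introspection path, hands Keycloak-issued JWTs to the built-in provider and answers for opaque legacy API keys from an external store. `LegacyTokenStore`, the two-dot heuristic for telling the token types apart, the fail-closed `hex -> null` placeholder and the Keycloak 12/13 `introspect(String)` signature are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.protocol.oidc.AccessTokenIntrospectionProvider;
import org.keycloak.protocol.oidc.TokenIntrospectionProvider;
import org.keycloak.protocol.oidc.TokenIntrospectionProviderFactory;
import org.keycloak.util.JsonSerialization;

/** Hypothetical lookup in the external DB, keyed by SHA-256 of the API key (store hashes, not raw keys).
 *  Returns the RFC 7662 claims for that key (sub, client_id, scope, exp in epoch seconds) or null. */
@FunctionalInterface interface LegacyTokenStore { Map<String, Object> claimsForKeyHash(String hex); }
public class LegacyAwareIntrospectionProvider implements TokenIntrospectionProvider {
    private final TokenIntrospectionProvider keycloakDefault;  // Keycloak's own JWT validation
    private final LegacyTokenStore legacy;
    LegacyAwareIntrospectionProvider(KeycloakSession s, LegacyTokenStore legacy) { this.keycloakDefault = new AccessTokenIntrospectionProvider(s); this.legacy = legacy; }
    /** Assumption: Keycloak JWTs have exactly two '.', Restlet API keys are opaque strings. */
    static boolean isLegacyApiKey(String token) { return token.chars().filter(c -> c == '.').count() != 2; }
    @Override public Response introspect(String token) {              // Keycloak 12/13 signature
        if (!isLegacyApiKey(token)) return keycloakDefault.introspect(token);
        Map<String, Object> body = new HashMap<>();
        body.put("active", false);  // RFC 7662: unknown or expired -> only "active": false, no reason given
        try {
            Map<String, Object> claims = legacy.claimsForKeyHash(sha256Hex(token));
            if (claims != null && ((Number) claims.get("exp")).longValue() > System.currentTimeMillis() / 1000) {
                body.putAll(claims); body.put("active", true); body.put("token_type", "legacy_api_key");
            }
            return Response.ok(JsonSerialization.writeValueAsString(body), MediaType.APPLICATION_JSON).build();
        } catch (Exception e) { return Response.serverError().build(); }  // never leak DB errors to the caller
    }
    static String sha256Hex(String s) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    @Override public void close() {}
}
/** Takes over the built-in id "access_token" with a higher order, so the introspection endpoint resolves to this class.
 *  Register the class name in META-INF/services/org.keycloak.protocol.oidc.TokenIntrospectionProviderFactory. */
class LegacyAwareIntrospectionProviderFactory implements TokenIntrospectionProviderFactory {
    @Override public TokenIntrospectionProvider create(KeycloakSession s) { return new LegacyAwareIntrospectionProvider(s, hex -> null); } // wire the DB store here; null = fail closed
    @Override public String getId() { return "access_token"; }
    @Override public int order() { return 100; }                      // the default factory has order 0
    @Override public void init(Config.Scope c) {} @Override public void postInit(KeycloakSessionFactory f) {} @Override public void close() {}
}
```

Only clients that call the introspection endpoint benefit from this; resource servers that validate JWT signatures locally will still reject legacy keys, which is the limitation Stian's reply points at.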