Using Keycloak as login application for ORY Hydra

Roos

Jun 2, 2022, 3:31:42 AM
to Keycloak User
Hi,

I'm working on a project aiming at providing 2FA and WebAuthn
authentication in an existing system.
I'm evaluating whether we can use Keycloak for this.

The existing system uses ORY Hydra as OAuth 2.0 authorization server.
Hydra admits a "login application" implementing Hydra's login flow:
https://www.ory.sh/docs/hydra/concepts/login

Replacing ORY Hydra is not in the scope of the project.
The objective of the project is to implement a login application providing
multiple authentication flows (such as username+password+2FA,
Username+WebAuthn, WebAuthn+Password).

After reading the server administration documentation on authentication protocols
(https://www.keycloak.org/docs/latest/server_admin/index.html#sso-protocols)
I get the impression that the best course of action is to implement an
adapter web application that receives the user-agent (e.g. web browser) from
Hydra, performs an authentication with Keycloak, thus sending the
user-agent to Keycloak, and, after authenticating with Keycloak and
receiving the user-agent back, inspects both the identity and access
tokens to complete Hydra's login flow and finally sends the user-agent back
to Hydra.

While this would certainly work, it seems extremely sluggish to use SSO
in the implementation of the authentication.

I wonder whether it would be a better idea to implement an additional
SSO protocol (as an extension maybe?).

What are your thoughts on this?

Best regards,
Roosembert Palacios
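The adapter flow described in the post, as an added example that is not part of the original message: it shows how such an adapter could bind Hydra's `login_challenge` to the OIDC `state` it sends to Keycloak, so the callback can only complete the login request that this browser session started. The URLs, client id, key handling and function names are assumptions, and the ID token is assumed to have had its signature, issuer and audience verified before `finish_login` is called.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed placeholder values; none of them come from the post.
KEYCLOAK_AUTH = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "hydra-login-adapter"
REDIRECT_URI = "https://adapter.example/callback"
STATE_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser

def state_mac(nonce, challenge):
    """MAC over the nonce and the Hydra challenge it was issued for."""
    msg = f"{nonce}.{challenge}".encode()
    return hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()

def start_login(login_challenge):
    """Hydra redirected the browser here; build the redirect to Keycloak."""
    nonce = secrets.token_urlsafe(16)  # also stored in the browser session
    state = f"{nonce}.{login_challenge}.{state_mac(nonce, login_challenge)}"
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid",
        "state": state, "nonce": nonce,
    })
    return f"{KEYCLOAK_AUTH}?{query}", nonce

def finish_login(state, session_nonce, id_token_claims):
    """Keycloak redirected the browser back; return (challenge, accept body)."""
    try:
        nonce, rest = state.split(".", 1)      # nonce never contains a dot
        challenge, mac = rest.rsplit(".", 1)   # challenge may contain dots
    except ValueError:
        raise PermissionError("malformed state")
    if not hmac.compare_digest(mac.encode(), state_mac(nonce, challenge).encode()):
        raise PermissionError("state was not issued by this adapter")
    if not hmac.compare_digest(nonce.encode(), session_nonce.encode()):
        raise PermissionError("state belongs to another browser session")
    if id_token_claims.get("nonce") != nonce:
        raise PermissionError("ID token was not issued for this request")
    # Body for Hydra's admin call that accepts the login request `challenge`.
    body = {"subject": id_token_claims["sub"], "acr": id_token_claims.get("acr", "")}
    return challenge, body
```

Passing `acr` through lets Hydra's consumers see which Keycloak authentication level (for example password plus 2FA or WebAuthn) was actually completed.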