
Keycloak: an explanation of the community (third-party) login process

Published 2024-08-08 15:41:35 (895 views)

Keycloak wraps third-party logins (community logins); the process goes through the following main stages:

  1. Open the community's authentication page and complete authentication there, by entering an account and password or by scanning a QR code.
  2. The community sends the browser back to Keycloak with a 302 redirect.
  3. Keycloak and the community complete an OAuth2 authorization-code exchange: Keycloak uses the code returned by the community to obtain a token, then uses the token to fetch the user's information from the community. At no point does the community disclose the user's password to Keycloak, which is one of the security properties of OAuth2.
  4. Keycloak checks whether the user is linked to one of its own local users. If not, it enters the First Login flow (first broker login) to register a new user or link an existing one, establishing the correspondence with the community; as part of this Keycloak emits the FEDERATED_IDENTITY_LINK event.
  5. After the user has been linked, the Post Login flow runs for anything that must happen once login completes. If the user was already linked, the First Login flow is skipped.

Extending the callback address

  • When authentication at the community succeeds, the browser is redirected to Keycloak's community authentication flow.
  • When Keycloak's community authentication flow completes, it hands over to the standard authentication flow.
  • When the standard authentication flow completes, Keycloak redirects back to the originating page with its own authorization `code`.
  • At that point the originating page receives only the `code` parameter. To add further parameters to that URL, the following steps are needed.

Adding the loginType parameter to the community callback address

  • In the `finishBrokerAuthentication()` method of `IdentityBrokerService`, record the loginType. Method receivers were lost in extraction and are restored here from Keycloak's source; only the loginType line is the author's addition:
```java
private Response finishBrokerAuthentication(BrokeredIdentityContext context, UserModel federatedUser,
                                            AuthenticationSessionModel authSession, String providerId) {
    authSession.setAuthNote(AuthenticationProcessor.BROKER_SESSION_ID, context.getBrokerSessionId());
    authSession.setAuthNote(AuthenticationProcessor.BROKER_USER_ID, context.getBrokerUserId());

    this.event.user(federatedUser);

    context.getIdp().authenticationFinished(authSession, context);
    // Added: keep the identity-provider alias as a user-session note so the protocol
    // layer can read it back when it builds the redirect to the client.
    // (Assumed to be a user-session note; the exact setter was lost in extraction.)
    authSession.setUserSessionNote("loginType", providerId);
    ...
}
```
  • In `OIDCLoginProtocol.authenticated()`, which issues the authorization code, read the loginType note and append it to the callback URL. Receivers are restored from Keycloak's source; reading the note from `userSession.getNotes()` is assumed to match the setter above:
```java
String code = OAuth2CodeParser.persistCode(session, clientSession, codeData);
redirectUri.addParam(OAuth2Constants.CODE, code);
// Added: append the user's login type to the callback page after a successful login.
// This is a plain, unsigned query parameter, so the client should treat it as a display hint only.
if (userSession.getNotes().containsKey("loginType")) {
    String loginType = userSession.getNotes().get("loginType");
    redirectUri.addParam("loginType", loginType);
}
```

Refining the FEDERATED_IDENTITY_LINK event

  • The default binding event carries little detail and does not meet our needs:
```json
{
  "time": 1723099954167,
  "type": "FEDERATED_IDENTITY_LINK",
  "realmId": "fabao",
  "clientId": "pkulaw",
  "userId": "e62a4ea6-c1c3-4f10-9136-8ceebba45339",
  "sessionId": null,
  "ipAddress": "111.198.143.194",
  "error": null,
  "details": {
    "identity_provider": "carsi",
    "identity_provider_identity": "student@",
    "code_id": "6668189e-4cd6-488e-8582-d28b87636b41",
    "username": "phone202408081431274571"
  }
}
```

To extend the event, follow these steps:

  • Where the `FEDERATED_IDENTITY_LINK` event details are built in `IdentityBrokerService`, add the extra detail. The `event.detail(...)` receivers are restored from Keycloak's source; the accessor on the second line was lost in extraction and `context.getId()` is an assumption based on the opaque value seen in the output below:
```java
// The community is now linked to a user and the FEDERATED_IDENTITY_LINK event is about to be
// sent; add some extended information to it.
event.detail(Details.IDENTITY_PROVIDER, providerId);
event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getId()); // was: event.detail(Details.IDENTITY_PROVIDER_USERNAME, context.getUsername());
// Details.IDENTITY_PROVIDER_USERNAME expands to "identity_provider_identity", so the
// human-readable username needs its own key.
event.detail("identity_provider_username", context.getUsername());
```
  • With that in place, the FEDERATED_IDENTITY_LINK event now carries identity_provider_username:
```json
{
  "time": 1723101725866,
  "type": "FEDERATED_IDENTITY_LINK",
  "realmId": "fabao",
  "clientId": "pkulaw",
  "userId": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
  "sessionId": null,
  "ipAddress": "10.10.80.81",
  "error": null,
  "details": {
    "identity_provider": "carsi",
    "identity_provider_username": "student@",
    "identity_provider_identity": "6zETJRPrWiBi7B85cCHPoVD7dyI\u003d",
    "code_id": "c344f279-9786-468b-a67e-fecf39c531b0",
    "username": "test"
  }
}
```
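A consumer for these event records, added here as an example that is not part of the post or of Keycloak: it flattens both the stock and the extended `FEDERATED_IDENTITY_LINK` shapes into one record and uses the opaque `identity_provider_identity` as the stable key to flag an external identity that has been linked to more than one local account. The sample events, user ids and the `opaque-id-1` value are constructed.

```python
import json
from collections import defaultdict
from typing import Optional

LINK_EVENT = "FEDERATED_IDENTITY_LINK"

def parse_link_event(raw: str) -> Optional[dict]:
    """Flatten one Keycloak event line into a link record (None for other types).
    Stock Keycloak puts the broker username under 'identity_provider_identity'
    (that is what Details.IDENTITY_PROVIDER_USERNAME expands to); the patched
    build above adds 'identity_provider_username'. Both shapes are accepted."""
    event = json.loads(raw)
    if event.get("type") != LINK_EVENT:
        return None
    d = event.get("details") or {}
    return {
        "time": event.get("time"), "realm": event.get("realmId"),
        "client": event.get("clientId"), "user_id": event.get("userId"),
        "ip": event.get("ipAddress"), "local_username": d.get("username"),
        "provider": d.get("identity_provider"),
        "provider_identity": d.get("identity_provider_identity"),
        # without the patch the stock field is the only username available
        "provider_username": d.get("identity_provider_username", d.get("identity_provider_identity")),
        "extended": "identity_provider_username" in d,
    }

def find_shared_identities(raw_events) -> dict:
    """(provider, provider_identity) -> sorted local user ids, for every external
    identity that the event stream shows linked to more than one local account."""
    linked = defaultdict(set)
    for r in filter(None, map(parse_link_event, raw_events)):
        if r["provider"] and r["provider_identity"]:
            linked[(r["provider"], r["provider_identity"])].add(r["user_id"])
    return {key: sorted(users) for key, users in linked.items() if len(users) > 1}

def _event(user_id, details, etype=LINK_EVENT):
    # Builds one constructed event line in the JSON shape Keycloak logs.
    return json.dumps({"time": 1723101725866, "type": etype, "realmId": "fabao", "clientId": "pkulaw",
                       "userId": user_id, "ipAddress": "10.0.0.1", "error": None, "details": details})

# Constructed samples: stock format, extended format, the same external identity
# linked to a second local account, and an unrelated LOGIN event that is skipped.
SAMPLE_EVENTS = [
    _event("user-a", {"identity_provider": "carsi", "identity_provider_identity": "student@", "username": "phone-user-a"}),
    _event("user-b", {"identity_provider": "carsi", "identity_provider_username": "student@",
                      "identity_provider_identity": "opaque-id-1", "username": "test"}),
    _event("user-c", {"identity_provider": "carsi", "identity_provider_username": "student@",
                      "identity_provider_identity": "opaque-id-1", "username": "test2"}),
    _event("user-b", {"identity_provider": "carsi"}, etype="LOGIN"),
]
```

Running `find_shared_identities(SAMPLE_EVENTS)` reports the CARSI identity shared by user-b and user-c, which is the kind of linkage an audit of these events should surface.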