
Hello guys, I need some help.

Is it possible to change an OIDC service to OAuth?

My OAuth API serves:

  • login service with request parameters:
    • response_type (only code)
    • client_id
    • redirect_uri
    and returns request_token to redirect_uri with the GET method
  • access token request with request parameters:
    • client_id
    • code
    and returns access_token, token_type, expires_in, token_client_id
  • get user info with request parameters:
    • client_id
    • access_token
    and returns userinfo

I'm trying to use OIDC Connect of Datahub (https://datahubproject.io/) and I need to apply my own OAuth service as OIDC.

Is it possible via Keycloak or any other solutions?

lubby

1 Answer

Yes, Keycloak can do it; it converts from an OAuth to an OIDC service. My understanding is simply this equation:

OIDC (authentication) = OAuth (authorization) + user information + single sign-on

What's the difference between OpenID and OAuth?

OpenID Configuration Endpoint

{{keycloak url with port}}/auth/realms/{{realm-name}}/.well-known/openid-configuration

example

{
    "issuer": "http://localhost:8180/auth/realms/test",
    "authorization_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/token",
    "introspection_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8180/auth/realms/test/protocol/openid-connect/logout",
    "frontchannel_logout_session_supported": true,
    "frontchannel_logout_supported": true,
    "jwks_uri": "http://localhost:8180/auth/realms/test/protocol/openid-connect/certs",
    "check_session_iframe": "http://localhost:8180/auth/realms/test/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
    ],
...
}

Keycloak supports the OAuth 2.0 response_types (code, id_token, token, none and combinations of those); detailed information is here:

{{keycloak url with port}}/auth/realms/{{realm-name}}/protocol/openid-connect/auth?response_type=code&client_id=myClient-name

Get the access token, refresh token and ID token from the token endpoint:

{{keycloak url with port}}/auth/realms/{{realm-name}}/protocol/openid-connect/token

example

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhN0JkQ3VDU0dKWGphMmxsc1Z4dlhHcWRvUmpwZllTcGRwQ2lnUGJUZHFFIn0.<payload elided>.WA1DNg0w4u7QuJrr4WHv7FZVpnNFoamVMjIocPhDiESeLrLd_jsv0aIh-46ELQDgsuAUmDQ6WvaezImcgMGGSj9SzlCUIrf8ikWOG5xXyA63y5cFjgK0UJV1_BGbVK7Ct3U-F4sOljlYEigBFz4z7_J73VH5RqeF9NJqk72l8ifr8ys_apAPkm67a8Un5HPzA0glgTLqxLOk2f_MAQJFUpJuJPKq-DPmlL8NJ6wu30DES38dWNwE11LnDKFILLMUBYd6ptfl4x7_fxLNMT7pilfn53FLh4t7mTUl2U045TH0wPiTTcBTq42w5RpTrbSpQYSuNC8kkszVxgz64odAXw",
    "expires_in": 36000,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjNGUxNzdhMi01NDUwLTQ3MDItYjY5Ny1jMjc3MGQyNTM3ZjYifQ.<payload elided>.E97KFCR5Y19PV2rtu_EGBR5sEsx81xyxGdJG4baczaw",
    "token_type": "Bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhN0JkQ3VDU0dKWGphMmxsc1Z4dlhHcWRvUmpwZllTcGRwQ2lnUGJUZHFFIn0.<payload elided>.rWXPImJ1t9jw_qhUi_pox5q2Y0F03RiQKSFEfctTUGMtDOnu05lGo92gGD4k4_NcWo105dIO--ZBJzbWlGr3ZdKUqq_9WdXMWMbPLHTxNqprkAQY4Y61C1cbtv5mhyqpzzOELRB-nL38rlU2916SR5iNlixcsHH-LwFQhR4xrCPsQE4JcqGBoxiy1TTmsNa4JC3DWW8oaRz17wI5U8_13dD0z1ek214BDdLU9AXhQiYi4lPOZ06yXjT611zbJXsmMK-NxVcxAa0-ObDQrBVeSp-l2pFmH5ngqnghvLtme-fjFa9tL-i0t1TGzWWm-iVTx21OEe0bmdXMdFGvdQKZWg",
    "not-before-policy": 0,
    "session_state": "678f7736-b0c0-4549-8a93-216e11091c7f",
    "scope": "openid profile email"
}

User Information Endpoint

{{keycloak url with port}}/auth/realms/{{realm-name}}/protocol/openid-connect/userinfo

example

{
    "sub": "b06554e2-dc8b-43dd-b564-da76d2cd9920",
    "email_verified": false,
    "name": "Tom Cruise",
    "preferred_username": "user",
    "given_name": "Tom",
    "family_name": "Cruise",
    "email": "user@test.com"
}

Token Introspect Endpoint

{{keycloak url with port}}/auth/realms/{{realm-name}}/protocol/openid-connect/token/introspect

example

{
    "exp": 1658885219,
    "iat": 1658849219,
    "jti": "8dcc665c-bd34-4ace-9007-35d53c8a83db",
    "iss": "http://localhost:8180/auth/realms/test",
    "sub": "b06554e2-dc8b-43dd-b564-da76d2cd9920",
    "typ": "Bearer",
    "azp": "admin-cli",
    "session_state": "678f7736-b0c0-4549-8a93-216e11091c7f",
    "preferred_username": "user",
    "email": "user@test.com",
    "email_verified": false,
    "acr": "1",
    "scope": "openid profile email",
    "sid": "678f7736-b0c0-4549-8a93-216e11091c7f",
    "client_id": "admin-cli",
    "username": "user",
    "active": true
}

I don't know about Datahub, but Keycloak provides middleware for multiple languages:

Java, Javascript, Python, Spring Boot, Angular, React

And many features: single sign-on, federation for LDAP, IdP brokers for most SNS logins (Google, GitHub, Facebook, LinkedIn, Instagram and so on), role-based access control. See here and detail.

Bench Vue
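The answer above lists the Keycloak endpoints but not what a relying party (such as Datahub) has to do with them. The following is an added example, written for this page and not code from the question, the answer or the Keycloak project. It walks the authorization code flow against the discovery document shape shown in the answer: building the login URL (the asker's "login service", plus the state, nonce, scope=openid and PKCE parameters that OIDC adds), checking the redirect back, assembling the token request (the asker's "access token request"), and validating the returned ID token before trusting its claims. The client_id myClient-name and issuer http://localhost:8180/auth/realms/test come from the answer; the redirect URI, the shared key and the token minted for the test are constructed. Keycloak signs ID tokens with RS256 using the key published at jwks_uri; this example uses HS256 with a shared key so it runs offline, and the claim checks are the same in both cases.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed discovery document, using the endpoint shapes from the answer above.
# In practice you GET {issuer}/.well-known/openid-configuration and parse the JSON.
ISSUER = "http://localhost:8180/auth/realms/test"
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(client_id, redirect_uri, state, nonce, code_verifier):
    """Step 1: the URL the browser is sent to. Compared with a bare OAuth login
    request this adds scope=openid (asks for an ID token), nonce (binds the ID
    token to this login) and a PKCE challenge (binds the code to this client)."""
    challenge = b64url_encode(hashlib.sha256(code_verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def code_from_callback(query_string, expected_state):
    """Step 2: the provider redirects back with ?code=...&state=...; reject the
    response unless state matches what this session generated (CSRF protection)."""
    q = parse_qs(query_string)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not for this login")
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    return q["code"][0]


def token_request(client_id, client_secret, code, redirect_uri, code_verifier):
    """Step 3: the form body POSTed to token_endpoint. Keycloak answers with
    access_token, refresh_token and id_token, as in the example response above."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return DISCOVERY["token_endpoint"], body


def mint_hs256_id_token(claims, key):
    """Test helper only: a constructed HS256 token so the validator can run offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(id_token, key, client_id, nonce, now=None):
    """Step 4: checks a relying party must make before trusting ID token claims.
    The expected algorithm is pinned by the client, never read from the token."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg " + str(header.get("alg")))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims


if __name__ == "__main__":
    state, nonce, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(16), secrets.token_urlsafe(48)
    print(build_authorization_url("myClient-name", "http://localhost:9002/callback", state, nonce, verifier))
```

The per-login values (state, nonce, code_verifier) must be generated fresh and kept server-side in the user's session until the callback arrives; the userinfo and introspection endpoints from the answer are then called with the access token as a Bearer header, exactly as the asker's "get user info" call does today.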
  • Thanks a lot! I've adapted LDAP authentication, but it will help next time. – lubby Aug 22 '22 at 15:52
  • You can also use Keycloak as an integration platform to hook it into existing LDAP and Active Directory servers. It means importing (syncing) LDAP's users into Keycloak. And Keycloak's role-based access control works like API resource access control. – Bench Vue Aug 22 '22 at 23:10