Hi Anton,
and welcome to the users mailing list.
Yes, it should be possible to integrate keycloak, and there are several
approaches you could take.
As described in our security guide [1] Apache Isis has a pluggable API for
both authentication and authorization, so at the lowest level one could
take implement either/both of these plugin points.
Apache Isis has two integrations, one for Shiro and one called "bypass"
(which basically disables security). So one could ignore Apache Isis'
Shiro integration and implement everything yourself.
However, (as David alludes to), it would probably make more sense to build
upon the Isis Add-ons security module [2], which builds upon the Shiro
integration by providing an implementation of a Shiro Realm. This is
described in [3]. In fact, I would suggest that keycloak would be used as
a delegate realm within the Isis addons' security module.
In other words, the design that you could use is:
Apache Isis -> Shiro -> Isis addons security realm -> Isis addons
delegate realm
This last realm would be implemented using Keycloak.
The documentation in the security module [4] and [5] might also help to
explain this.
Note that this design would use Keycloak for authentication (validate
credentials and lookup roles), with the security module taking
responsibility for authorization. If you wanted authorization to be
performed by keycloak, then we'd need to look at a different design.
~~~
Let me know if you're interested in helping implement this feature; I'd be
happy to provide more guidance either via mailing list or offline.
Cheers
Dan
[1] http://isis.apache.org/guides/ugsec.html
[2] https://github.com/isisaddons/isis-module-security
[3]
http://isis.apache.org/guides/ugsec.html#_ugsec_shiro-isisaddons-security-module-realm
[4] https://github.com/isisaddons/isis-module-security#application-users
[5]
https://github.com/isisaddons/isis-module-security#shiro-configuration-shiroini
PS: I noticed in the course of writing this reply that some of the images
in the security guide [1] were missing; these have now been fixed.
On 18 January 2016 at 17:56, Anton Hughes <kurren...@gmail.com> wrote:
> Hello
>
> I am interested in knowing if it is possible to integrate keycloak, and if
> yes, how would this be done?
>
> Thanks and kind regards
> Anton
>
