@julian diving into the hard problems of building for the Fediverse at #Fedicon, starting with hilariously talking about how those hard problems look like to average users 😅
-
@evan @julian @naturzukunft can keycloak parse a non-standard document to discover client metadata? No.
There were very specific reasons why myself and @aaronpk chose to make Client ID Metadata Documents the way we did: because we reused existing parts of the OAuth specification ecosystem.
Your proposal discards all that prior art in favour of making everything an AP actor.
@evan @julian @naturzukunft @aaronpk can keycloak support Client ID Metadata Documents? Currently not to my knowledge, but it's a lot easier to support because it's effectively the same process as dynamic client registration because the document payload is the same.
-
@thisismissem @julian @naturzukunft it does what's necessary to enable the authorization code flow.
I think there's plenty of room for two tracks -- developers who want the complexity of discovery and registration can go your route, when you write it up.
Developers who just want to get the job done can use the simple and functional AP-centric mechanism in the OAuth FEP.
@evan @julian @naturzukunft OAuth isn't AP-centric, and never will be, that's probably your first error. Most OAuth clients will never need to be AP Actors.
Discovery isn't "complex", it's literally a HTTP request to a well known endpoint for a JSON document.
You can't do OAuth whilst ignoring all the OAuth standards.
-
@julian @naturzukunft @thisismissem i don't think there's any assumption that way.
The one thing that the OAuth FEP assumes is that there's a way for the authorization server to validate the client ID and redirect URI by fetching the client ID.
I have not looked closely enough at keycloak to see if there's a way to build a plugin or to have configurable executable code to do that.
This seems like someone who really wants to use that configuration could take a few minutes to confirm.
@julian @naturzukunft @thisismissem
A cursory search shows that it's possible to implement a new ClientLookupProvider with KeyCloak extension SPIs. It sounds like a fun project to do; I don't get a lot of chance to write Java code.
-
@julian @naturzukunft @thisismissem i don't think there's any assumption that way.
The one thing that the OAuth FEP assumes is that there's a way for the authorization server to validate the client ID and redirect URI by fetching the client ID.
I have not looked closely enough at keycloak to see if there's a way to build a plugin or to have configurable executable code to do that.
This seems like someone who really wants to use that configuration could take a few minutes to confirm.
@evan @julian @thisismissem
"I have not looked closely enough at keycloak to see if there's a way to build a plugin or to have configurable executable code to do that."I don't plan to adapt a standard OAuth2 server to support ActivityPub. I think that if that's necessary, something is fundamentally wrong.
-
@evan @julian @naturzukunft OAuth isn't AP-centric, and never will be, that's probably your first error. Most OAuth clients will never need to be AP Actors.
Discovery isn't "complex", it's literally a HTTP request to a well known endpoint for a JSON document.
You can't do OAuth whilst ignoring all the OAuth standards.
@thisismissem @julian @naturzukunft the point of discovery is to find the important endpoints and parameters for the flows. Many implementers who are concentrating on a single API skip discovery because the resource provider has already defined the specific flow. Alternatively, many API providers allow client registration out of band. It is absolutely 100% OK to do OAuth without using features like discovery and dynamic client registration.
-
@evan @julian @thisismissem
"I have not looked closely enough at keycloak to see if there's a way to build a plugin or to have configurable executable code to do that."I don't plan to adapt a standard OAuth2 server to support ActivityPub. I think that if that's necessary, something is fundamentally wrong.
@naturzukunft @julian @thisismissem that's fine; you should do whatever it is you want.
-
@naturzukunft @julian @thisismissem that's fine; you should do whatever it is you want.
@naturzukunft @julian @thisismissem oh, are you going to use Keycloak's built in user database, or are you going to use an adapter to fetch user data from your own database?
-
@naturzukunft @julian @thisismissem oh, are you going to use Keycloak's built in user database, or are you going to use an adapter to fetch user data from your own database?
@naturzukunft @julian @thisismissem oh, it looks like Authentik has ways to do client metadata lookup with a Webhook. Nice!
-
@naturzukunft @julian @thisismissem oh, are you going to use Keycloak's built in user database, or are you going to use an adapter to fetch user data from your own database?
@evan @julian @thisismissem which user data to do what ?
-
@evan @julian @thisismissem which user data to do what ?
@naturzukunft @julian @thisismissem oh, sorry. By default, KeyCloak stores all the user data (name, avatar, description, so on) in its own internal PostgreSQL database, and you get an API to ask about and manage users.
The alternative is to add a custom UserStorageProvider class to access your own user storage and map your data to KeyCloak's schema. Applications that already have a user database often do this.
-
@naturzukunft @julian @thisismissem oh, sorry. By default, KeyCloak stores all the user data (name, avatar, description, so on) in its own internal PostgreSQL database, and you get an API to ask about and manage users.
The alternative is to add a custom UserStorageProvider class to access your own user storage and map your data to KeyCloak's schema. Applications that already have a user database often do this.
@evan @naturzukunft @julian in the wild it's very uncommon to replace Keycloak's user database with something else; most commonly user migrations are performed, having been involved in several such projects.
-
@naturzukunft @julian @thisismissem oh, are you going to use Keycloak's built in user database, or are you going to use an adapter to fetch user data from your own database?
@evan @julian @thisismissem There is a mapping in the resource server between PreferredUsername and an actor. This is a hack; I had to extend it because Mastodon uses the username as a unique identifier. Without Mastodon support, it would be a mapping between IssuerUserId and Actor. The data for the mapping comes from the JWT token.
But that's beside the point.
-
@evan @naturzukunft @julian in the wild it's very uncommon to replace Keycloak's user database with something else; most commonly user migrations are performed, having been involved in several such projects.
@thisismissem @julian great, so that's what
@naturzukunft can do. -
@evan @julian @thisismissem There is a mapping in the resource server between PreferredUsername and an actor. This is a hack; I had to extend it because Mastodon uses the username as a unique identifier. Without Mastodon support, it would be a mapping between IssuerUserId and Actor. The data for the mapping comes from the JWT token.
But that's beside the point.
@naturzukunft @julian @thisismissem I think your point was that any configuration that requires adding plugins or adapters for KeyCloak is a bad architecture, and you're committed to using KC entirely off-the-shelf.
-
@evan @julian @thisismissem There is a mapping in the resource server between PreferredUsername and an actor. This is a hack; I had to extend it because Mastodon uses the username as a unique identifier. Without Mastodon support, it would be a mapping between IssuerUserId and Actor. The data for the mapping comes from the JWT token.
But that's beside the point.
@naturzukunft @evan @julian we have a userinfo endpoint now in mastodon that gives you a unique subject (sub) claim: https://docs.joinmastodon.org/methods/oauth/#userinfo
This is all discoverable via standards that exist in OAuth (with a touch of OIDC language)
-
@naturzukunft @julian @thisismissem I think your point was that any configuration that requires adding plugins or adapters for KeyCloak is a bad architecture, and you're committed to using KC entirely off-the-shelf.
@evan @naturzukunft @julian as Client ID Metadata Documents move through the standards process, I would assume keycloak will adopt them and Client ID Prefixes.
-
@evan @naturzukunft @julian as Client ID Metadata Documents move through the standards process, I would assume keycloak will adopt them and Client ID Prefixes.
@evan @naturzukunft @julian but keycloak being able to understand wtf a json-ld document of type Service or Application is? Incredibly unlikely, especially when the contents within isn't even remotely aligned with the IANA registry for Dynamic Client Registration Metadata values.
-
@evan @naturzukunft @julian as Client ID Metadata Documents move through the standards process, I would assume keycloak will adopt them and Client ID Prefixes.
@thisismissem @naturzukunft @julian but they don't work right now, out of the box? I think that doesn't meet his requirements then.
-
@evan @naturzukunft @julian but keycloak being able to understand wtf a json-ld document of type Service or Application is? Incredibly unlikely, especially when the contents within isn't even remotely aligned with the IANA registry for Dynamic Client Registration Metadata values.
@thisismissem @julian sorry, I don't know what you're talking about.
KeyCloak has an extension mechanism and you can use it to retrieve a Client object from somewhere besides the built-in database. But someone needs to write that plugin. @naturzukunft said it wasn't acceptable for him to use any kind of extension or plugin.
