Tags: oauth-2.0, authorization, keycloak, openid-connect, digital-signature

Keycloak OIDC validation of custom attributes during auth


I am trying to use Keycloak as my OIDC provider for a specific use case of CSC API v2, where in section 8.4.2 oauth2/authorize we should use parameters that are CSC API specific for authorization, for example numSignatures, hashes, signatureQualifier, etc.

Using Keycloak, we can define new client scopes service and credential and configure mappers that behave as required according to the CSC API specification (using a custom mapper developed in Java or JavaScript). So far so good. The client can use these scopes and get the access token.

However, when we send an auth request with custom parameters, how can we configure or set up Keycloak to make a decision based on such custom parameters?

A typical request can look like this:

GET https://www.example.org/oauth2/authorize?
  response_type=code&
  client_id=<OAuth2_client_id>&
  redirect_uri=<OAuth2_redirect_uri>&
  scope=credential&
  code_challenge=K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U&
  code_challenge_method=S256&
  signatureQualifier=eu_eidas_qes&
  numSignatures=1&
  hashes=MTIzNDU2Nzg5MHF3ZXJ0enVpb3Bhc2RmZ2hqa2zDtnl4&
  hashAlgorithmOID=2.16.840.1.101.3.4.2.1&state=12345678

Based on the request, we would like to check that the client/user has access to the specified signatureQualifier, and otherwise reject.

What is the proper way to do this? There are more custom parameters I would like to check and decide based on their values.

Should we use the Keycloak Authentication SPI to develop a custom authenticator and custom attributes that are managed to be compliant with the CSC API specification and its authorization?

I have not found any other way, and I would like to be sure that this is the proper way to implement it in Keycloak.


Solution

  • Yes, you need to implement a custom Authenticator and define a custom AuthenticationFlow or modify your existing one. After validating the parameters and the user's permissions, you can use Mappers to map those validated values into the access token.

    See: Extend keycloak token with custom data
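As an added illustration of the approach the answer describes (example code, not from the question, the answer, or the Keycloak project), the Authenticator below reads the CSC signatureQualifier parameter that Keycloak stored from the authorize request, checks it against the user's entitlements, and records the validated value so a built-in "User Session Note" protocol mapper can place it in the access token. It assumes a hypothetical multi-valued user attribute named allowedSignatureQualifiers, a Keycloak version with UserModel.getAttributeStream, and that the class is registered through an AuthenticatorFactory (plus the META-INF/services entry) and placed after the username/password step in a copy of the browser flow.

```java
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/** Fails the login unless the user is entitled to the requested signatureQualifier. */
public class SignatureQualifierAuthenticator implements Authenticator {

    // Keycloak stores non-standard authorize-request parameters as client notes
    // under this prefix (check the constant in your Keycloak version).
    private static final String REQ_PARAM_PREFIX = "client_request_param_";
    // Hypothetical multi-valued user attribute listing permitted qualifiers, e.g. "eu_eidas_qes".
    private static final String ALLOWED_ATTR = "allowedSignatureQualifiers";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String requested = authSession.getClientNote(REQ_PARAM_PREFIX + "signatureQualifier");
        if (requested == null || requested.isBlank()) {
            // Fail closed: a CSC credential request without a qualifier gets no token.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        UserModel user = context.getUser();
        Set<String> allowed = user.getAttributeStream(ALLOWED_ATTR).collect(Collectors.toSet());
        if (!allowed.contains(requested)) {
            context.getEvent().detail("signature_qualifier", requested); // visible in the login event log
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        // Only the validated value is exposed to mappers: a "User Session Note" mapper
        // configured with note name "signatureQualifier" copies it into the access token.
        authSession.setUserSessionNote("signatureQualifier", requested);
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; } // runs after the user is identified
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The same pattern extends to numSignatures, hashes and hashAlgorithmOID: read each from its client note, validate, and store only the validated result as a user-session note for the mappers.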