Sunbird-ED (Sunbird for Education)
[RFC] Loosely coupled Keycloak #239
Replies: 2 comments 9 replies
-
|
@coolbung - thanks for initiating this thread. @rajeevsathish @reshmi-nair - tagging you to this thread. |
Beta Was this translation helpful? Give feedback.
-
|
@coolbung We have started with the design. Will share the first draft by Friday and then we can schedule a discussion with DC. |
Beta Was this translation helpful? Give feedback.
-
|
@coolbung Pls find the first draft on Authentication changes [Document link]. I will be updating on the GoogleAuth today.(https://docs.google.com/document/d/1dRHyorJUD1VHxL219yreyV9irCsJBrJNV_pcPFDARNc/edit#) |
Beta Was this translation helpful? Give feedback.
-
|
@coolbung Updated on Google OAuth, please review and share your thoughts. |
Beta Was this translation helpful? Give feedback.
-
|
@reshmi-nair - Can you let us know when the final design document is ready? |
Beta Was this translation helpful? Give feedback.
-
|
@reshmi-nair - any update on the design document please? |
Beta Was this translation helpful? Give feedback.
-
|
@Krishnaj20 I don't see Release/ETA added for this yet in the roadmap. |
Beta Was this translation helpful? Give feedback.
-
|
@manojLondhe, @Krishnaj20 In Lern, design and POC on OIDC is part of release-5.2.0 tasks. So mostly in release 5.3.0 we should be able to pickup this from Lern side. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks. Any tentative date of when 5.3 will be expected timeline wise? |
Beta Was this translation helpful? Give feedback.
-
|
Lern does one release a quarter, and 5.2 is expected to go live by the end of March. The next release (5.3) should be available around mid June. |
Beta Was this translation helpful? Give feedback.
-
We wish to enable the below capabilities with the Sunbird Keycloak
1. Allow integrating any OpenID compatible authentication source (Eg: Google, Okta, Azure AD, GitHub etc)
Right now, Sunbird ED implements a Keycloak SPI that connects to the Cassandra user data for authentication. If anyone has an existing Authentication Provider (eg: Azure AD or even an existing Keycloak that has users) then it is not possible to leverage that user store along with Sunbird ED. Similarly, Google Login is directly built into the portal. So adding other providers may need changes to Portal code.
Ideally this should be delegated to Keycloak, since it has built in capabilities to integrate with any OpenID provider.
The SPI may still be used to sync email/phone number updates made in Keycloak to Sunbird since the phone and email are used for notifications.
2. Ability to connect to an existing Keycloak
If an adopter has an existing Keycloak instance that has users, after implementing #1 above, they will need to add their existing Keycloak as a OpenID provider in Sunbird ED's keycloak.
What would it take to allow the adopter to use the existing Keycloak ?
3. Flexible realm management
Today, users across tenants are added to the same realm in Keycloak. We wish to have flexibility so that each tenant can have a realm mapped, and users of that tenant will be added to the respective realm. It should be also possible to map multiple tenants to the same realm.
cc @rayuluv @rhwarrier
Beta Was this translation helpful? Give feedback.
All reactions