The obvious solution is to use a phpBB extension or the LDAP authentication provider as a way to get logins from Keycloak. That won't be a problem, I am hoping.
What I am looking at however is how to get the users from phpBB to the Keycloak login system. I am sure I will be able to copy the users manually from the database into the Keycloak database. However it appears there is another way to accomplish this and that is using phpBB as an Identity provider (IdP). The main idea being that if a user tries to login to Keycloak and the user is not found, it then delegates to the next provider to look for login credentials.
I believe an extension could be developed that allows phpBB to check if a user exists and their password is valid and then return that confirmation to Keycloak. That way if the user is not yet in the Keycloak database it would move them over and then take over the authentication the next time the user tries to login.
Has anyone ever tried to use phpBB to provide identities using LDAP, SAML, JWT or others? Would this be an extension that others would be interested in?
I imagine the workflow would look like this:
- phpBB relies on Keycloak through OpenID Connect or LDAP for authentication.
- Keycloak handles authentication and storing the user's main login data.
- If the user does not exist in Keycloak, it checks the phpBB database for the user as a delegated provider.
- If the user exists in phpBB, it moves the user to Keycloak.
- If the user does not exist in phpBB, it creates the user in Keycloak and then creates a user in phpBB.
The extension would leverage phpBB's built-in functions to check if the user exists and has the correct password, and then return a valid login response, no user found, or an error (wrong password). I imagine it wouldn't be overly complicated, but it would need to operate with security in mind to prevent bots from having an easy way to try and crack passwords, of course.
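To make the phpBB side of that workflow concrete, here is an added sketch of the credential-check controller such an extension could expose for Keycloak to call during migration. It is example code written for this thread, not an existing extension: the vendor/extension names, the `X-Kc-Secret` header, the route, and the `shared_secret` config value are assumptions, and the matching `config/routing.yml` and `config/services.yml` entries are not shown. It uses phpBB's own `passwords\manager::check()` so the stored hash is verified exactly as the normal login does, returns the three outcomes the post describes, and never sends the password hash back to Keycloak.

```php
<?php
// Hypothetical phpBB 3.3 extension controller (vendor "acme", extension "kcauth").
// Keycloak (via a custom User Storage SPI on its side) POSTs username + password here.
// Brute-force throttling of this endpoint is assumed to be done at the reverse proxy.
namespace acme\kcauth\controller;

use phpbb\db\driver\driver_interface;
use phpbb\passwords\manager;
use phpbb\request\request_interface;
use Symfony\Component\HttpFoundation\JsonResponse;

class verify
{
    protected $db;
    protected $passwords;
    protected $request;
    protected $shared_secret; // assumed config value, shared only with Keycloak

    public function __construct(driver_interface $db, manager $passwords, request_interface $request, $shared_secret)
    {
        $this->db = $db;
        $this->passwords = $passwords;
        $this->request = $request;
        $this->shared_secret = $shared_secret;
    }

    public function handle()
    {
        // Only Keycloak may call this endpoint; compare the secret in constant time.
        if (!hash_equals($this->shared_secret, $this->request->header('X-Kc-Secret', ''))) {
            return new JsonResponse(['status' => 'forbidden'], 403);
        }
        $username = $this->request->variable('username', '', true);
        $password = $this->request->variable('password', '', true);

        // Look up the user the same way phpBB's DB login provider does (by username_clean).
        $sql = 'SELECT user_id, username, user_email, user_password, user_type
            FROM ' . USERS_TABLE . "
            WHERE username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'";
        $result = $this->db->sql_query($sql);
        $row = $this->db->sql_fetchrow($result);
        $this->db->sql_freeresult($result);

        if (!$row || $row['user_type'] == USER_IGNORE) {
            return new JsonResponse(['status' => 'not_found'], 404);
        }
        if (!$this->passwords->check($password, $row['user_password'], $row)) {
            return new JsonResponse(['status' => 'wrong_password'], 401);
        }
        // Return only what Keycloak needs to create the migrated account; never the hash.
        return new JsonResponse(['status' => 'ok', 'user_id' => (int) $row['user_id'],
            'username' => $row['username'], 'email' => $row['user_email']]);
    }
}
```

Once Keycloak has created the user from the `ok` response it can store its own hash and stop calling this endpoint for that account, which is the hand-over the post describes.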