[keycloak-dev] SaaS login

Bill Burke bburke at redhat.com
Tue Aug 6 09:03:46 EDT 2013 

Feel free to keep arguing, but I don't agree yet.  The admin UI is not a 
remote application, it is served up by the same web app as where the 
REST services driving it are deployed.  This is a very important 
distinction.  Because of this, the protocol can be much more efficient.

OAuth requests:

1. GET app URL
2. redirect from app to token service, display login screen
3. submit login
4. redirect back to app
5. Make a separate non-browser HTTP request to obtain access code

Also, in steps 1-5 a client is involved.  This client is requesting 
access on behalf of the user.  So, step 2 requires knowledge of the 
client id.  It actually checks to see if the client is even allowed to 
display a login screen.  Step 3 needs to check if the client requires 
the OAuth Grant page, it also registers an access code which is 
transmitted to the client in step 4  The client will turn this access 
code into a token in step 5.

Also, step 2 involves setting a "state" cookie who's value is also 
embedded in the redirect url in step 2.  The state value is 
retransmitted in the redirect URL in step 4.  And step 5 validates the 
"state" cookie

Saas login

1. Get login screen
2. submit login, response is the admin UI

This algorithm doesn't involve a client at all.  Also, if you look at 
the admin UI it has no knowledge of a token.  It just makes REST 
requests which are authenticated by a session cookie.  Remote 
applications actually work in the same exact way after they obtain their 
token.  They set a session cookie and store identity in the server's 
HttpSession.  For keycloak, we store the identity in the session cookie 
so we can have stateless backend.






On 8/6/2013 4:23 AM, Stian Thorgersen wrote:
> IMO that's a mistake, there's a lot of duplicated code, and you'll also want to support social login etc. (so more duplicated code) or SaaS when/if it comes to a free "trial" online.
>
> As admin is a JavaScript application it is clearly a remote application and could login the same way as any other remote application does, i.e. through TokenService. The only difference in the two scenarios is that for the admin rest endpoints it would be a small optimization to allow validating the token without a remote call, which would be beneficial for folks that wants to use keycloak for smaller internal deployments (e.g. a single app server running a rest/js style app).
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 5 August, 2013 7:26:06 PM
>> Subject: Re: [keycloak-dev] SaaS login
>>
>> TokenService is really for a remote service that is using keycloak to
>> authenticate.  Its all the same server so no need for the extra
>> redirects and thus no need for the Token Service endpoints.
>>
>> On 8/5/2013 11:14 AM, Stian Thorgersen wrote:
>>> I was wondering why there are separate login/logout endpoints in
>>> SaasService? Should this not use the standard mechanism to do this (i.e.
>>> TokenService)?
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list