[keycloak-dev] redirects vs. javascript logins

Bill Burke bburke at redhat.com
Fri Jul 26 08:22:58 EDT 2013


Aren't iframe/popups usually disabled?

On 7/26/2013 5:12 AM, Stian Thorgersen wrote:
> We can still support a similar experience though. With the combination of customizable forms and iframe/popup we can still allow developers to integrate the forms into applications.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 26 July, 2013 9:48:55 AM
>> Subject: Re: [keycloak-dev] redirects vs. javascript logins
>>
>> Yes, I don't know why I missed that. As you say, login and logout have to be
>> done through redirects as long as HttpOnly is set on the cookie.
>>
>> EventJuggler simply links to the login page, but logout is an XHR and as you
>> say that would have to be a redirect as well.
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, 25 July, 2013 5:57:56 PM
>>> Subject: [keycloak-dev] redirects vs. javascript logins
>>>
>>> To do SSO, the Keycloak server sets a session cookie so that the user
>>> doesn't have to relogin if the cookie is set.  This will have issues
>>> with the custom login, like the way the Event Juggler app works.
>>> Correct me if I'm wrong, but for Event Juggler, the login page is hosted
>>> at the Event Juggler website?  And the app would do an HTTP invocation
>>> to obtain the token, correct?
>>>
>>> The problem with this approach is that we wouldn't be able to set the
>>> login session cookie as all cookies will be HttpOnly and not accessible
>>> via JavaScript (due to security issues).  So, SSO would not work, and
>>> the user would have to relogin for each additional site they visited.
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
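
Added example, not part of the thread or of Keycloak's code: a simplified JavaScript model of the HttpOnly behaviour discussed above, showing that a session cookie set by the server's HTTP response is attached to later requests (such as a redirect to the login server) but can be neither read nor replaced by page script. The cookie names and values are constructed, and the `CookieJar` class is a hypothetical stand-in for the browser's cookie store.

```javascript
// Simplified model of a browser cookie jar: HttpOnly handling only
// (domain, path and expiry matching are left out).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Cookie received in an HTTP response (e.g. the redirect after a login form post).
  storeFromHttp(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // Cookie written by page script (document.cookie = "..."). Per RFC 6265 5.3 a
  // non-HTTP API can neither create an HttpOnly cookie nor replace an existing one.
  storeFromScript(str) {
    const c = parseSetCookie(str);
    const old = this.cookies.get(c.name);
    if (c.httpOnly || (old && old.httpOnly)) return false; // write ignored
    this.cookies.set(c.name, c);
    return true;
  }

  // What document.cookie returns: HttpOnly cookies are omitted.
  scriptView() { return this.format((c) => !c.httpOnly); }
  // Cookie header the browser attaches to a request to the server: all cookies.
  requestHeader() { return this.format(() => true); }
  format(keep) {
    return [...this.cookies.values()].filter(keep)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Constructed sample: cookies set by the auth server, then a script-side overwrite attempt.
function demo() {
  const jar = new CookieJar();
  jar.storeFromHttp("SSO_SESSION=constructed-id; Path=/; Secure; HttpOnly");
  jar.storeFromHttp("locale=en; Path=/");
  const overwritten = jar.storeFromScript("SSO_SESSION=forged");
  return { script: jar.scriptView(), request: jar.requestHeader(), overwritten };
}
```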

