[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Tue Oct 22 11:22:45 EDT 2013


Let's see if I can manage to explain this properly.

The flow is:

1. Application redirects to '../auth/request/login'
1.1. If user is not logged in to realm display login form
1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already have grants display oauth grant page
2. If successful redirect to application with authorization code
3. Application retrieves access token from '../access/codes'

With the current flow there is no way for an application to check if a user is already logged-in to the realm (+ grants given). So the only options would be to either:

* Redirect to '../auth/request/login' when application is first loaded - which would display login form or oauth grant form if required
* Require user to click on a login link to login first

If you simply add an option to '../auth/request/login' it will allow the application to obtain an authorization code without requiring any input from the user. This is only possible if the user is logged in to the realm and the user has already granted the application permissions (or it's a KEYCLOAK_APPLICATION). The application still needs to do step 3 just as it would at the moment.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 22 October, 2013 4:01:39 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> So how are you obtaining/managing user credentials?  Through the
> application's pages?  Or through Keycloak auth-server pages?

In my opinion applications should always use the login forms on Keycloak; it would be seen as bad practice to make the user provide username/password directly to the application.

> 
> You need an access token.  Otherwise you can't access any remote REST
> services.

Yes of course, this is just a mechanism to obtain an authorization code without user input (if possible).

> 
> On 10/22/2013 10:21 AM, Stian Thorgersen wrote:
> > To retrieve an access code an application is required to redirect the user
> > to the login page. If the user is already logged-in to the realm the user
> > is just redirected back to the application. If the user is not already
> > logged-in the login form is displayed.
> >
> > This means that if an application tries to automatically login users when
> > they open the application it will require the user to fill in the login
> > form if the user is not logged in.
> >
> > What's needed is a way for the application to find out if the user is
> > already logged in to the realm. If it is the user can be automatically
> > logged-in. This is what I achieved by adding the 'noforms' query parameter
> > to the 'auth/request/login'.
> >
> > This mechanism would be especially convenient for HTML5 applications as it
> > would allow users to be "re-loggedin" without having to store
> > authorization tokens (or even worse refresh tokens) on the client side. On
> > a page refresh you'd simply just call the "can I get an access code
> > without user input" endpoint to retrieve one.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 22 October, 2013 3:05:25 PM
> >> Subject: Re: [keycloak-dev] Automatically login user to application when
> >> logged into realm
> >>
> >> I don't know what you mean.  Single sign on is the first thing that was
> >> implemented for Keycloak and should work.  What you describe should
> >> *already* exist in the codebase.
> >>
> >> On 10/22/2013 9:11 AM, Stian Thorgersen wrote:
> >>> Currently there's no mechanism for an application to automatically login
> >>> a
> >>> user that is already logged in to the realm.
> >>>
> >>> I've added a proposal to
> >>> https://github.com/stianst/keycloak/tree/auto-sso.
> >>> It's a simple approach where all it does is to add an optional 'noforms'
> >>> query parameter to 'auth/request/login'. If noforms is specified a code
> >>> is
> >>> returned only if the user is already logged in to the realm + grants are
> >>> already given (as grants are not saved currently that will never be the
> >>> case). Otherwise it will return error=access_denied.
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
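As an added illustration of the flow Stian describes (not code from the Keycloak project or from either poster): a browser application first tries '../auth/request/login' with the proposed 'noforms' parameter on page load, then interprets the redirect back as either a code to exchange at '../access/codes', an error=access_denied meaning the user must be sent to the real login, or something to reject. The auth server base URL, the client_id/redirect_uri query names and the state parameter used for the callback check are assumptions of this example, not details from the thread.

```javascript
// Added example, not Keycloak's own code. Client-side helper for the
// 'noforms' silent-login attempt described in the thread.
// Assumptions: AUTH_SERVER, the client_id/redirect_uri/state query names
// and the callback names 'code' and 'error' are illustrative only.

const AUTH_SERVER = "https://sso.example.test/auth"; // constructed value

// Build the redirect URL for '../auth/request/login'.
// With noforms set, the realm returns a code only if the user already has a
// realm session and the application's grants are in place; no form is shown.
function buildLoginUrl(clientId, redirectUri, state, noforms) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    state: state,
  });
  if (noforms) params.set("noforms", "true");
  return `${AUTH_SERVER}/request/login?${params}`;
}

// Interpret the query string the auth server redirects back with.
// Returns {action: "exchange", code} when a code was issued (step 3 of the
// flow: exchange it at '../access/codes'), {action: "show_login"} when the
// silent attempt was refused with error=access_denied, and {action: "reject"}
// when the state does not match what this page generated or the response is
// not one of the two expected shapes.
function handleCallback(queryString, expectedState) {
  const q = new URLSearchParams(queryString);
  if (q.get("state") !== expectedState) {
    return { action: "reject", reason: "state mismatch" };
  }
  if (q.has("code")) {
    return { action: "exchange", code: q.get("code") };
  }
  if (q.get("error") === "access_denied") {
    // No realm session, or grants not yet given: fall back to a login link.
    return { action: "show_login" };
  }
  return { action: "reject", reason: "unexpected response" };
}
```

On page refresh the application calls buildLoginUrl with noforms set and only renders a login link when handleCallback returns "show_login", which is the "can I get a code without user input" check from the proposal.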

