[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Wed Oct 23 14:18:09 EDT 2013 

Ignore HTML5 and JavaScript it has nothing to do with this issue!

See comment inline:

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 23 October, 2013 7:06:20 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> 
> 
> On 10/23/2013 12:50 PM, Stian Thorgersen wrote:
> > I don't see how that would work. The server-side adapter doesn't set a
> > cookie until after the user has logged in (the cookie is also specific to
> > the application). The only thing that knows if a user is logged in to the
> > SSO realm is Keycloak itself. At the moment there's no way for an
> > application (client or server side) to check this without ending up
> > showing the login form if it isn't!
> >
> 
> You don't need to know if you are logged into the auth-server.  You just
> need to know if you are logged into the application.
> 
> > What you want to be able to do is to have users automatically logged in to
> > applications (on different servers, with different application
> > credentials) once a user has logged in to a single application.
> >
> > Either I've failed to explain the use-case properly, or there's something
> > about what you're proposing I'm not understanding. Just to make sure I'm
> > explaining the use-case properly, I'll try again:
> >
> > A company has an internal Keycloak server, they have a single realm with
> > multiple internal applications. All applications are hosted on different
> > servers. Let's imagine this company is called Red Hat. The user, let's
> > call him Stian, first goes to the OrangeHRM to book some long overdue
> > holiday. He's not currently logged in to the realm so is is shown an
> > anonymous access screen instead with a login link. Stian presses login,
> > fills in username and password and successfully logs in to the realm. Now
> > Stian wants to go to docspace, again Stian has to press the Login link,
> > but doesn't have to provide a username or password, but instead is simply
> > redirected back to the application as a logged in user. Stian is actually
> > a bit confused about this as he just logged in to an application without
> > providing a username or password.
> >
> 
> The demo currently works like this:
> 
> 1. User access app1
> 2. User redirected to auth-server
> 3. Auth-server logs in sets cookie for auth-server.com
> 4. auth-server redirects back to app1
> 5. App1 gets access token
> 6. App1 does role mappings stores in HttpSession
> 7. App1 knows user is logged in because of HttpSession (standard Servlet
> stuff)
> 8. User visits app2
> 9. App2 redirects to auth-server

This is where the problem lies. If the user is not logged in to the realm the login form will be displayed. So you can not automatically redirect the user to the auth-server! You would have to wait until the user clicks on the login link. This means if there's 10 apps the user has to click on login 10 times!

> 10. auth-server sees auth-server.com domain login cookie, redirects back
> to app2
> 11. user can access app2 right away without credentials.
> 12. user goes back to app1.  User is still logged in there because the
> HttpSession is still valid
> 
> Now add your HTML5 app.  HTML5 will also need to maintain a "session".
> I can do this via a session cookie for HTML5's domain
> 
> 12. User visits HTML5, HTML5 looks for a session loggin cookie for
> HTML5's domain.  Doesn't find one, so it automatically redirects to
> auth-server
> 13. Auth-server sees user is already logged in, redirects back to HTML5 app
> 14. HTML5 app gets access token, sets a session loggin cookie
> 15. User goes back to App2.  App2 knows user is logged in because of
> App2 session cookie.
> 16. user goes back to HTML5.  HTML5 app knows user is logged in because
> of session cookie
> 15. HTML 5 app wants to logout and login as a different user
> 16. Logout action dumps the HTML5-domain session cookie
> 17. Logout action sends CORS HTTP request to auth-server to logout user
> cross-domain.  Auth-server invalidates auth-server session cookie on
> response.
> 
> HTML5 clients are allowed to set cookies.
> 
> The HTML5 app would work exactly the same as servlet security except the
> browser would handle all the authentication within javascript.  There's
> improvements we need to make with refresh tokens, but the core of the
> protocol is there.
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

More information about the keycloak-dev mailing list