[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Thu Oct 24 05:17:10 EDT 2013


No worries, it's one of those things that happens with trying to explain something over email/IRC.

I think it should be an optional feature supported by all adapters. For the AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' ({..., 'auto-login' : true }?). If it's enabled and the first request is to an unsecured resource it would redirect to 'auth/login?prompt=none'. I'm happy to add a proposal to the AS7 adapter if you'd like.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 23 October, 2013 10:01:41 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> I guess I see what you mean.  You want to be able to show a
> login/register links on the *application's* page and not just redirect
> immediately to the keycloak screens when you first visit the page.  I
> guess I'm thinking too old school Java EE app that would automatically
> bring you to the login screen if you access secured content.  I feel
> like a dinosaur sometimes.  Too bad I still have 20 years until I retire.
> 
> Apologies for wasting your time.
> 
> Gonna have to figure out how to support this scenario for a traditional
> web app too.
> 
> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> > Yes I read your response and yes I have played with your demo.
> >
> > Let's then revisit this with the demo in mind, and you can tell me where
> > I'm mistaken.
> >
> > I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
> > require the admin role and '/customers/*' requires the user role. If I
> > click on a link taking me to any of these pages the adapter redirects me
> > to the auth-server. In this case it works, as if I try to visit a private
> > url I should be presented with a login form if I'm not already logged in.
> > So there's no problem that the adapter automatically redirects me to the
> > auth-server.
> >
> > Now, imagine that this is a real application. Where the front-page would,
> > if the user is not logged in, show "Login" and "Register" links, and would
> > not show links to pages that an anonymous user is not allowed to access
> > (for example 'Customer Listing'). If a user is logged in the application
> > would not show 'Login' and 'Register' but instead show 'Hello User,
> > welcome back' and would include links to pages that particular user is
> > allowed to access (for example if the current user had the role user, but
> > not admin, only the 'Customer Listing', not the 'Customer Admin Interface'
> > link, would be displayed).
> >
> > How would I be able to implement that behaviour with the current way
> > Keycloak works?
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> >> Subject: Re: [keycloak-dev] Automatically login user to application when
> >> logged into realm
> >>
> >> Did you even read my response?  I completely mapped out the entire flow
> >> of how it works *now* in our demo and how it could work with a pure
> >> HTML5 app.  Go play with the demo to understand things better maybe?
> >>
> >> You talked about this before:
> >>   > A company has an internal Keycloak server, they have a single realm
> >> with multiple internal applications. All applications are hosted on
> >> different servers. Let's imagine this company is called Red Hat. The
> >> user, let's call him Stian, first goes to the OrangeHRM to book some
> >> long overdue holiday. He's not currently logged in to the realm so is
> >> shown an anonymous access screen instead with a login link. Stian
> >> presses login, fills in username and password and successfully logs in
> >> to the realm. Now Stian wants to go to docspace, again Stian has to
> >> press the Login link, but doesn't have to provide a username or
> >> password, but instead is simply redirected back to the application as a
> >> logged in user. Stian is actually a bit confused about this as he just
> >> logged in to an application without providing a username or password.
> >>
> >>
> >>
> >> What you describe is not how our demo works nor will it ever work that
> >> way.  You log in once to the auth server, any app you visit knows who
> >> you are.  There's no need to click a "login" button when you visit a new
> >> site.  HTML5 app would work exactly the same way as any of the WARs in
> >> the Keycloak demo code except all the redirect and cookie processing
> >> would happen within Javascript within the browser. There's just no need
> >> for your extra "no-forms" invocation!  The login check is already built
> >> into the protocol.
> >>
> >> http://www.tizag.com/javascriptT/javascriptredirect.php
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
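
The request handling proposed at the top of this message (an 'auto-login' flag, and a redirect to 'auth/login?prompt=none' on the first request to an unsecured resource), sketched as an added example that is not part of the thread and is not Keycloak adapter code. The function names, the session fields, the plain 'auth/login' target for secured URLs and the one-shot `silentCheckDone` guard against redirect loops are assumptions; the URL patterns and roles are the ones from the customer-portal demo described in the quoted text.

```javascript
// Added illustration only: hypothetical names, not the AS7 adapter's API.

// Secured URL patterns and roles from the customer-portal demo in the thread.
const SECURED = [
  { pattern: '/admins/*', role: 'admin' },
  { pattern: '/customers/*', role: 'user' },
];

// Return the role a path requires, or null if the path is unsecured.
// Matching is on whole path segments, so '/adminsfoo' is NOT covered by '/admins/*'.
function requiredRole(path) {
  for (const { pattern, role } of SECURED) {
    const prefix = pattern.slice(0, -1);            // '/admins/'
    const bare = prefix.slice(0, -1);               // '/admins'
    if (path === bare || path.startsWith(prefix)) return role;
  }
  return null;
}

// config:  parsed adapter config, e.g. { 'auto-login': true }
// session: { user: { name, roles } | null, silentCheckDone: boolean } (assumed shape)
function decide(config, session, path) {
  const role = requiredRole(path);

  if (session.user) {
    // Already logged in to the application: enforce the role constraint.
    if (role && !session.user.roles.includes(role)) return { action: 'forbidden' };
    return { action: 'serve' };
  }

  // Anonymous request for a secured URL: interactive login, as the demo does today.
  if (role) return { action: 'redirect', location: 'auth/login' };

  // Anonymous request for an unsecured URL: ask the auth server once, without a form.
  if (config['auto-login'] === true && !session.silentCheckDone) {
    // Set the flag before redirecting so a "not logged in" answer from the
    // auth server cannot bounce the browser back here in a loop.
    session.silentCheckDone = true;
    return { action: 'redirect', location: 'auth/login?prompt=none' };
  }

  // Serve the page anonymously; the application shows its own Login/Register links.
  return { action: 'serve' };
}
```
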

