[keycloak-dev] Automatically login user to application when logged into realm

Bill Burke bburke at redhat.com
Thu Oct 24 08:56:29 EDT 2013 

Weird.  Firefox 24 and IE 10 on Windows for me works the way I 
described.  What do the logged HTTP requests look like?  Does it go 
through accounts.google.com?

On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
> By the way that's not how gmail.com works for me. I just tried to open gmail.com in an incognito window and was redirected to https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 24 October, 2013 1:13:40 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>
>> Not to drag this on, but take a look at how google does it.
>>
>> If you are not logged in, and you go to gmail.com, you are redirected
>> immediately to accounts.google.com and you must log in there.  After you
>> login you are redirected back to gmail.com.
>>
>> If you leave gmail.com and visit another website, then come back to
>> gmail.com, it does an immediate redirect to accounts.google.com which
>> then immediately redirects you back to gmail.
>>
>> So, I feel better.  I'm not so old school... :). Google works pretty
>> much the same way the keycloak demo works.  There is one difference
>> though that I i'm not sure if we should follow:  I'm guessing that to
>> implement single sign off, Google will always redirect to
>> accounts.google.com to check to see if you're logged in when you visit a
>> google page.
>>
>>
>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>>> No worries, it's one of those things that happens with trying to explain
>>> something over email/IRC.
>>>
>>> I think it should be an optional feature support by all adapters. For the
>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>>> ({..., 'auto-login' : true }?). If it's enabled and the first request is
>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>>
>>
>> I don't think this approach can work very well in old-school web apps,
>> if at all.  For pure Servlet apps you're either accessing a secure area
>> or you're not.  A URL can't be both secure and unsecure at the same
>> time.  Plus, if you have any kind of latency, a full browser redirect
>> just to check if you're logged in with the auth-server is going to be
>> pretty ugly.
>>
>> The application adapter *DOES* still need an amILoggedIn REST call.  By
>> default it should just return:
>>
>> {
>>      "loggedIn" : true,
>>      "user" : "wburke"
>> }
>>
>> If you set a flag in resteasy-oauth.json, it will also contain the
>> access token
>>
>> {
>>      loggedIn : true,
>>      "user" : "wburke",
>>      "token" : "asdfasdfasdfqwerqwer"
>> }
>>
>> amILoggedIn would be authenticated by a http-only cookie.
>>
>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>> logged into realm
>>>>
>>>> I guess I see what you mean.  You want to be able to show a
>>>> login/register links on the *application's* page and not just redirect
>>>> immediately to the keycloak screens when you first visit the page.  I
>>>> guess I'm thinking too old school Java EE app that would automatically
>>>> bring you to the login screen if you access secured content.  I feel
>>>> like a dinosaur sometimes.  Too bad I still have 20 year until I retire.
>>>>
>>>> Apologies for wasting your time.
>>>>
>>>> Gonna have to figure out how to support this scenario for a traditional
>>>> web app too.
>>>>
>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>>> Yes I read your response and yes I have played with your demo.
>>>>>
>>>>> Let's then revisit this with the demo in mind, and you can tell me where
>>>>> I'm mistaken.
>>>>>
>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
>>>>> require the admin role and '/customers/*' requires the user role. If I
>>>>> click on a link taking me to any of these pages the adapter redirects me
>>>>> to the auth-server. In this case it works, as if I try to visit a private
>>>>> url I should be presented with a login form if I'm not already logged in.
>>>>> So there's no problem that the adapter automatically redirects me to the
>>>>> auth-server.
>>>>>
>>>>> Now, imagine that this is an real application. Where the front-page
>>>>> would,
>>>>> if the user is not logged in, show "Login" and "Register" links, and
>>>>> would
>>>>> not show links to pages that an anonymous user is not allowed to access
>>>>> (for example 'Customer Listing'). If a user is logged in the application
>>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
>>>>> welcome back' and would include links to pages that particular user is
>>>>> allowed to access (for example if the current user had the role user, but
>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin
>>>>> Interface'
>>>>> link, would be displayed).
>>>>>
>>>>> How would I be able to implement that behaviour with the current way
>>>>> Keycloak works?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>>>> logged into realm
>>>>>>
>>>>>> Did you even read my response?  I completely mapped out the entire flow
>>>>>> of how it works *now* in our demo and how it could work with a pure
>>>>>> HTML5 app.  Go play with the demo to understand things better maybe?
>>>>>>
>>>>>> You talkd about this before:
>>>>>>     > A company has an internal Keycloak server, they have a single realm
>>>>>> with multiple internal applications. All applications are hosted on
>>>>>> different servers. Let's imagine this company is called Red Hat. The
>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book some
>>>>>> long overdue holiday. He's not currently logged in to the realm so is is
>>>>>> shown an anonymous access screen instead with a login link. Stian
>>>>>> presses login, fills in username and password and successfully logs in
>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has to
>>>>>> press the Login link, but doesn't have to provide a username or
>>>>>> password, but instead is simply redirected back to the application as a
>>>>>> logged in user. Stian is actually a bit confused about this as he just
>>>>>> logged in to an application without providing a username or password.
>>>>>>
>>>>>>
>>>>>>
>>>>>> What you describe is not how our demo works nor will it ever work that
>>>>>> way.  You log in once to the auth server, any app you visit knows who
>>>>>> you are.  There's no need to click a "login" button when you visit a new
>>>>>> site.  HTML5 app would work exactly the same way as any of the WARs in
>>>>>> the Keycloak demo code except all the redirect and cookie processing
>>>>>> would happen within Javascript within the browser. There's just no need
>>>>>> for your extra "no-forms" invocation!  The login check is already built
>>>>>> into the protocol.
>>>>>>
>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list