[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Thu Oct 24 11:16:44 EDT 2013 


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 24 October, 2013 2:52:59 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> Yeah, I saw amazon example.  I think your amazon example is different
> because they don't have to worry about single sign on.

Amazon has SSO with LoveFilm! Are you really still claiming that the use-case I have where an application wants to do single-sign-on and have pages that adapt to whether or not a user is logged in (instead of simply showing a login form) is not something people are going to want to do? That's certainly how I would like my web apps to work if I was writing them.

> 
> The current keycloak application adapter build on top of servlet
> security and only requires a valve and the keycloak configuration file
> and it just works.  The style you are talking about would have to bypass
> servlet security entirely and require custom application code to work.
> This is why I don't think it should be promoted as a preferred solution.

No it doesn't. The front-page for an application could have the following JSP code:

<%
if(request.getUserPrincipal() != null) {
%>
  <h2>Hello <%=request.getUserPrincipal%></h2>
<% } else { <%
  <h2>Click here to <a href="...">login</a></h2>
%>

<ul class="menu">
<li><a href="public/index.html">Some public page</a></li>
<%
if(request.getUserPrincipal() != null) {
  <li><a href="private/index.html">Some restricted page</a></li>
} 
%>

When opening the front-page the prompt=none would be used to login a user if the user is already logged in to the realm. If the user visits 'private/index.html' first, then it should result in the login form if the user is not already logged in, so in this case prompt=none wouldn't be used.

> 
> The preferred solution should be a server-side driven authentication
> with private client credentials for both javascript and old-school apps.
>   For Servlet environments, the constraints of servlet security should
> be used to keep setup simple.
> 
> 
> On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
> > Yes it goes through accounts.google.com. Google often have different
> > regional behaviour though.
> >
> > Did you see the amazon example I wrote before? Did the same mistake of
> > replying twice again :/
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 24 October, 2013 1:56:29 PM
> >> Subject: Re: [keycloak-dev] Automatically login user to application when
> >> logged into realm
> >>
> >> Weird.  Firefox 24 and IE 10 on Windows for me works the way I
> >> described.  What do the logged HTTP requests look like?  Does it go
> >> through accounts.google.com?
> >>
> >> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
> >>> By the way that's not how gmail.com works for me. I just tried to open
> >>> gmail.com in an incognito window and was redirected to
> >>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
> >>> form.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
> >>>> Subject: Re: [keycloak-dev] Automatically login user to application when
> >>>> logged into realm
> >>>>
> >>>> Not to drag this on, but take a look at how google does it.
> >>>>
> >>>> If you are not logged in, and you go to gmail.com, you are redirected
> >>>> immediately to accounts.google.com and you must log in there.  After you
> >>>> login you are redirected back to gmail.com.
> >>>>
> >>>> If you leave gmail.com and visit another website, then come back to
> >>>> gmail.com, it does an immediate redirect to accounts.google.com which
> >>>> then immediately redirects you back to gmail.
> >>>>
> >>>> So, I feel better.  I'm not so old school... :). Google works pretty
> >>>> much the same way the keycloak demo works.  There is one difference
> >>>> though that I i'm not sure if we should follow:  I'm guessing that to
> >>>> implement single sign off, Google will always redirect to
> >>>> accounts.google.com to check to see if you're logged in when you visit a
> >>>> google page.
> >>>>
> >>>>
> >>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
> >>>>> No worries, it's one of those things that happens with trying to
> >>>>> explain
> >>>>> something over email/IRC.
> >>>>>
> >>>>> I think it should be an optional feature support by all adapters. For
> >>>>> the
> >>>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
> >>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request
> >>>>> is
> >>>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
> >>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
> >>>>>
> >>>>
> >>>> I don't think this approach can work very well in old-school web apps,
> >>>> if at all.  For pure Servlet apps you're either accessing a secure area
> >>>> or you're not.  A URL can't be both secure and unsecure at the same
> >>>> time.  Plus, if you have any kind of latency, a full browser redirect
> >>>> just to check if you're logged in with the auth-server is going to be
> >>>> pretty ugly.
> >>>>
> >>>> The application adapter *DOES* still need an amILoggedIn REST call.  By
> >>>> default it should just return:
> >>>>
> >>>> {
> >>>>       "loggedIn" : true,
> >>>>       "user" : "wburke"
> >>>> }
> >>>>
> >>>> If you set a flag in resteasy-oauth.json, it will also contain the
> >>>> access token
> >>>>
> >>>> {
> >>>>       loggedIn : true,
> >>>>       "user" : "wburke",
> >>>>       "token" : "asdfasdfasdfqwerqwer"
> >>>> }
> >>>>
> >>>> amILoggedIn would be authenticated by a http-only cookie.
> >>>>
> >>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
> >>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
> >>>>>> when
> >>>>>> logged into realm
> >>>>>>
> >>>>>> I guess I see what you mean.  You want to be able to show a
> >>>>>> login/register links on the *application's* page and not just redirect
> >>>>>> immediately to the keycloak screens when you first visit the page.  I
> >>>>>> guess I'm thinking too old school Java EE app that would automatically
> >>>>>> bring you to the login screen if you access secured content.  I feel
> >>>>>> like a dinosaur sometimes.  Too bad I still have 20 year until I
> >>>>>> retire.
> >>>>>>
> >>>>>> Apologies for wasting your time.
> >>>>>>
> >>>>>> Gonna have to figure out how to support this scenario for a
> >>>>>> traditional
> >>>>>> web app too.
> >>>>>>
> >>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> >>>>>>> Yes I read your response and yes I have played with your demo.
> >>>>>>>
> >>>>>>> Let's then revisit this with the demo in mind, and you can tell me
> >>>>>>> where
> >>>>>>> I'm mistaken.
> >>>>>>>
> >>>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
> >>>>>>> require the admin role and '/customers/*' requires the user role. If
> >>>>>>> I
> >>>>>>> click on a link taking me to any of these pages the adapter redirects
> >>>>>>> me
> >>>>>>> to the auth-server. In this case it works, as if I try to visit a
> >>>>>>> private
> >>>>>>> url I should be presented with a login form if I'm not already logged
> >>>>>>> in.
> >>>>>>> So there's no problem that the adapter automatically redirects me to
> >>>>>>> the
> >>>>>>> auth-server.
> >>>>>>>
> >>>>>>> Now, imagine that this is an real application. Where the front-page
> >>>>>>> would,
> >>>>>>> if the user is not logged in, show "Login" and "Register" links, and
> >>>>>>> would
> >>>>>>> not show links to pages that an anonymous user is not allowed to
> >>>>>>> access
> >>>>>>> (for example 'Customer Listing'). If a user is logged in the
> >>>>>>> application
> >>>>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
> >>>>>>> welcome back' and would include links to pages that particular user
> >>>>>>> is
> >>>>>>> allowed to access (for example if the current user had the role user,
> >>>>>>> but
> >>>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin
> >>>>>>> Interface'
> >>>>>>> link, would be displayed).
> >>>>>>>
> >>>>>>> How would I be able to implement that behaviour with the current way
> >>>>>>> Keycloak works?
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> >>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
> >>>>>>>> when
> >>>>>>>> logged into realm
> >>>>>>>>
> >>>>>>>> Did you even read my response?  I completely mapped out the entire
> >>>>>>>> flow
> >>>>>>>> of how it works *now* in our demo and how it could work with a pure
> >>>>>>>> HTML5 app.  Go play with the demo to understand things better maybe?
> >>>>>>>>
> >>>>>>>> You talkd about this before:
> >>>>>>>>      > A company has an internal Keycloak server, they have a single
> >>>>>>>>      > realm
> >>>>>>>> with multiple internal applications. All applications are hosted on
> >>>>>>>> different servers. Let's imagine this company is called Red Hat. The
> >>>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book some
> >>>>>>>> long overdue holiday. He's not currently logged in to the realm so
> >>>>>>>> is
> >>>>>>>> is
> >>>>>>>> shown an anonymous access screen instead with a login link. Stian
> >>>>>>>> presses login, fills in username and password and successfully logs
> >>>>>>>> in
> >>>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has to
> >>>>>>>> press the Login link, but doesn't have to provide a username or
> >>>>>>>> password, but instead is simply redirected back to the application
> >>>>>>>> as
> >>>>>>>> a
> >>>>>>>> logged in user. Stian is actually a bit confused about this as he
> >>>>>>>> just
> >>>>>>>> logged in to an application without providing a username or
> >>>>>>>> password.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> What you describe is not how our demo works nor will it ever work
> >>>>>>>> that
> >>>>>>>> way.  You log in once to the auth server, any app you visit knows
> >>>>>>>> who
> >>>>>>>> you are.  There's no need to click a "login" button when you visit a
> >>>>>>>> new
> >>>>>>>> site.  HTML5 app would work exactly the same way as any of the WARs
> >>>>>>>> in
> >>>>>>>> the Keycloak demo code except all the redirect and cookie processing
> >>>>>>>> would happen within Javascript within the browser. There's just no
> >>>>>>>> need
> >>>>>>>> for your extra "no-forms" invocation!  The login check is already
> >>>>>>>> built
> >>>>>>>> into the protocol.
> >>>>>>>>
> >>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Bill Burke
> >>>>>>>> JBoss, a division of Red Hat
> >>>>>>>> http://bill.burkecentral.com
> >>>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
> >>>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

More information about the keycloak-dev mailing list