[keycloak-dev] Automatically login user to application when logged into realm

Anil Saldhana Anil.Saldhana at redhat.com
Fri Oct 25 10:31:51 EDT 2013


OpenID Connect uses OAuth2 as its foundation. It is not like the old 
OpenID specification.

On 10/25/2013 08:39 AM, Bill Burke wrote:
> FWIW, Amazon does not have SSO.  It has shared credentials, but not SSO.
>    Tried it out on audible.com and amazon.  Lovefilm doesn't even
> recognize my amazon account.
>
> Also GMAIL redirects automatically to an unprotected login page.  My
> bank, brokerage, redirects automatically to an unprotected login or
> front page where I can log in.  So, I know you think it's absurd, but
> pretty much any site where security is even remotely important, an
> automatic redirect happens to an unprotected page.   A better example
> would have been a news article or forum where you can read articles and
> comments but can't post comments until you log in.
>
> So in summary:
> * I'm not against no-forms call.  I even said so, 2-3 emails ago.
> * After reviewing the jboss web adapter, a "login-check" could be done
> by the adapter.  You just won't be able to have a page that can be both
> protected or unprotected.
> * I'm wary of the keycloak.js approach as it requires public application
> credentials which opens up keycloak for additional attacks.  Read the
> OAuth spec for more details.  I'm not sure how realistic some of the
> attacks are, but they do exist.
>
> I'll have to review, but I'm not sure OpenID fits with the goals of
> Keycloak.  OAuth is about granting access while OpenID is about
> establishing the identity of the user.
>
> On 10/25/2013 4:52 AM, Stian Thorgersen wrote:
>> OpenID Connect has this option. This is a spec we should look at and seriously consider adding support for.
>>
>> ----- Original Message -----
>>> From: "Stian Thorgersen" <stian at redhat.com>
>>> To: "Bill Burke" <bburke at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, 24 October, 2013 4:16:44 PM
>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 24 October, 2013 2:52:59 PM
>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>>>
>>>> Yeah, I saw amazon example.  I think your amazon example is different
>>>> because they don't have to worry about single sign on.
>>> Amazon has SSO with LoveFilm! Are you really still claiming that the use-case
>>> I have where an application wants to do single-sign-on and have pages that
>>> adapt to whether or not a user is logged in (instead of simply showing a
>>> login form) is not something people are going to want to do? That's
>>> certainly how I would like my web apps to work if I was writing them.
>>>
>>>> The current keycloak application adapter builds on top of servlet
>>>> security and only requires a valve and the keycloak configuration file
>>>> and it just works.  The style you are talking about would have to bypass
>>>> servlet security entirely and require custom application code to work.
>>>> This is why I don't think it should be promoted as a preferred solution.
>>> No it doesn't. The front-page for an application could have the following JSP
>>> code:
>>>
>>> <%-- getUserPrincipal() is non-null only when the adapter has authenticated the request --%>
>>> <%
>>> if (request.getUserPrincipal() != null) {
>>> %>
>>>     <h2>Hello <%= request.getUserPrincipal().getName() %></h2>
>>> <% } else { %>
>>>     <h2>Click here to <a href="...">login</a></h2>
>>> <% } %>
>>>
>>> <ul class="menu">
>>> <li><a href="public/index.html">Some public page</a></li>
>>> <%
>>> if (request.getUserPrincipal() != null) {
>>> %>
>>>     <li><a href="private/index.html">Some restricted page</a></li>
>>> <% } %>
>>> </ul>
>>>
>>> When opening the front-page the prompt=none would be used to login a user if
>>> the user is already logged in to the realm. If the user visits
>>> 'private/index.html' first, then it should result in the login form if the
>>> user is not already logged in, so in this case prompt=none wouldn't be used.
>>>
>>>> The preferred solution should be a server-side driven authentication
>>>> with private client credentials for both javascript and old-school apps.
>>>>     For Servlet environments, the constraints of servlet security should
>>>> be used to keep setup simple.
>>>>
>>>>
>>>> On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
>>>>> Yes it goes through accounts.google.com. Google often have different
>>>>> regional behaviour though.
>>>>>
>>>>> Did you see the amazon example I wrote before? Did the same mistake of
>>>>> replying twice again :/
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>> Sent: Thursday, 24 October, 2013 1:56:29 PM
>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>>>>>
>>>>>> Weird.  Firefox 24 and IE 10 on Windows for me works the way I
>>>>>> described.  What do the logged HTTP requests look like?  Does it go
>>>>>> through accounts.google.com?
>>>>>>
>>>>>> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
>>>>>>> By the way that's not how gmail.com works for me. I just tried to open
>>>>>>> gmail.com in an incognito window and was redirected to
>>>>>>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
>>>>>>> form.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>>>>>>>
>>>>>>>> Not to drag this on, but take a look at how google does it.
>>>>>>>>
>>>>>>>> If you are not logged in, and you go to gmail.com, you are redirected
>>>>>>>> immediately to accounts.google.com and you must log in there.  After
>>>>>>>> you login you are redirected back to gmail.com.
>>>>>>>>
>>>>>>>> If you leave gmail.com and visit another website, then come back to
>>>>>>>> gmail.com, it does an immediate redirect to accounts.google.com which
>>>>>>>> then immediately redirects you back to gmail.
>>>>>>>>
>>>>>>>> So, I feel better.  I'm not so old school... :). Google works pretty
>>>>>>>> much the same way the keycloak demo works.  There is one difference
>>>>>>>> though that I'm not sure if we should follow:  I'm guessing that to
>>>>>>>> implement single sign off, Google will always redirect to
>>>>>>>> accounts.google.com to check to see if you're logged in when you visit
>>>>>>>> a google page.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>>>>>>>>> No worries, it's one of those things that happens with trying to
>>>>>>>>> explain something over email/IRC.
>>>>>>>>>
>>>>>>>>> I think it should be an optional feature supported by all adapters. For
>>>>>>>>> the AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>>>>>>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request
>>>>>>>>> is to an unsecured resource it would redirect to
>>>>>>>>> 'auth/login?prompt=none'.
>>>>>>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>>>>>>>>
>>>>>>>> I don't think this approach can work very well in old-school web apps,
>>>>>>>> if at all.  For pure Servlet apps you're either accessing a secure
>>>>>>>> area or you're not.  A URL can't be both secure and unsecure at the
>>>>>>>> same time.  Plus, if you have any kind of latency, a full browser
>>>>>>>> redirect just to check if you're logged in with the auth-server is
>>>>>>>> going to be pretty ugly.
>>>>>>>>
>>>>>>>> The application adapter *DOES* still need an amILoggedIn REST call.
>>>>>>>> By default it should just return:
>>>>>>>>
>>>>>>>> {
>>>>>>>>         "loggedIn" : true,
>>>>>>>>         "user" : "wburke"
>>>>>>>> }
>>>>>>>>
>>>>>>>> If you set a flag in resteasy-oauth.json, it will also contain the
>>>>>>>> access token
>>>>>>>>
>>>>>>>> {
>>>>>>>>         "loggedIn" : true,
>>>>>>>>         "user" : "wburke",
>>>>>>>>         "token" : "asdfasdfasdfqwerqwer"
>>>>>>>> }
>>>>>>>>
>>>>>>>> amILoggedIn would be authenticated by a http-only cookie.
>>>>>>>>
>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>>>>>>>>>
>>>>>>>>>> I guess I see what you mean.  You want to be able to show
>>>>>>>>>> login/register links on the *application's* page and not just
>>>>>>>>>> redirect immediately to the keycloak screens when you first visit
>>>>>>>>>> the page.  I guess I'm thinking too old school Java EE app that
>>>>>>>>>> would automatically bring you to the login screen if you access
>>>>>>>>>> secured content.  I feel like a dinosaur sometimes.  Too bad I
>>>>>>>>>> still have 20 years until I retire.
>>>>>>>>>>
>>>>>>>>>> Apologies for wasting your time.
>>>>>>>>>>
>>>>>>>>>> Gonna have to figure out how to support this scenario for a
>>>>>>>>>> traditional web app too.
>>>>>>>>>>
>>>>>>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>>>>>>>>> Yes I read your response and yes I have played with your demo.
>>>>>>>>>>>
>>>>>>>>>>> Let's then revisit this with the demo in mind, and you can tell me
>>>>>>>>>>> where I'm mistaken.
>>>>>>>>>>>
>>>>>>>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
>>>>>>>>>>> require the admin role and '/customers/*' requires the user role. If
>>>>>>>>>>> I click on a link taking me to any of these pages the adapter
>>>>>>>>>>> redirects me to the auth-server. In this case it works, as if I try
>>>>>>>>>>> to visit a private url I should be presented with a login form if
>>>>>>>>>>> I'm not already logged in. So there's no problem that the adapter
>>>>>>>>>>> automatically redirects me to the auth-server.
>>>>>>>>>>>
>>>>>>>>>>> Now, imagine that this is a real application, where the front-page
>>>>>>>>>>> would, if the user is not logged in, show "Login" and "Register"
>>>>>>>>>>> links, and would not show links to pages that an anonymous user is
>>>>>>>>>>> not allowed to access (for example 'Customer Listing'). If a user is
>>>>>>>>>>> logged in the application would not show 'Login' and 'Register' but
>>>>>>>>>>> instead show 'Hello User, welcome back' and would include links to
>>>>>>>>>>> pages that particular user is allowed to access (for example if the
>>>>>>>>>>> current user had the role user, but not admin, only the 'Customer
>>>>>>>>>>> Listing', not the 'Customer Admin Interface' link, would be
>>>>>>>>>>> displayed).
>>>>>>>>>>>
>>>>>>>>>>> How would I be able to implement that behaviour with the current
>>>>>>>>>>> way Keycloak works?
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>>>>>>>>>>>
>>>>>>>>>>>> Did you even read my response?  I completely mapped out the entire
>>>>>>>>>>>> flow of how it works *now* in our demo and how it could work with a
>>>>>>>>>>>> pure HTML5 app.  Go play with the demo to understand things better
>>>>>>>>>>>> maybe?
>>>>>>>>>>>>
>>>>>>>>>>>> You talked about this before:
>>>>>>>>>>>>> A company has an internal Keycloak server, they have a single
>>>>>>>>>>>>> realm with multiple internal applications. All applications are
>>>>>>>>>>>>> hosted on different servers. Let's imagine this company is called
>>>>>>>>>>>>> Red Hat. The user, let's call him Stian, first goes to the
>>>>>>>>>>>>> OrangeHRM to book some long overdue holiday. He's not currently
>>>>>>>>>>>>> logged in to the realm so is shown an anonymous access screen
>>>>>>>>>>>>> instead with a login link. Stian presses login, fills in username
>>>>>>>>>>>>> and password and successfully logs in to the realm. Now Stian
>>>>>>>>>>>>> wants to go to docspace, again Stian has to press the Login link,
>>>>>>>>>>>>> but doesn't have to provide a username or password, but instead is
>>>>>>>>>>>>> simply redirected back to the application as a logged in user.
>>>>>>>>>>>>> Stian is actually a bit confused about this as he just logged in
>>>>>>>>>>>>> to an application without providing a username or password.
>>>>>>>>>>>>
>>>>>>>>>>>> What you describe is not how our demo works nor will it ever work
>>>>>>>>>>>> that way.  You log in once to the auth server, any app you visit
>>>>>>>>>>>> knows who you are.  There's no need to click a "login" button when
>>>>>>>>>>>> you visit a new site.  HTML5 app would work exactly the same way as
>>>>>>>>>>>> any of the WARs in the Keycloak demo code except all the redirect
>>>>>>>>>>>> and cookie processing would happen within Javascript within the
>>>>>>>>>>>> browser. There's just no need for your extra "no-forms" invocation!
>>>>>>>>>>>> The login check is already built into the protocol.
>>>>>>>>>>>>
>>>>>>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>>
>>>>>>>>>>>>
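The thread proposes that an adapter with 'auto-login' enabled send an anonymous visitor of a public page to 'auth/login?prompt=none' once, while protected URLs still go to the login form. The decision logic below is an added illustration, not Keycloak adapter code: the endpoint path and demo prefixes ('/customers/*', '/admins/*') come from the thread, while the loop-guard cookie name, the client id 'customer-portal' and the Request/Decision shapes are constructed for this example. It also shows the caveat the thread does not spell out: after a prompt=none check fails with 'error=login_required', the adapter must remember that result, or the front page would bounce to the auth server on every visit.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

AUTH_LOGIN = "auth/login"               # login endpoint path quoted in the thread
CHECKED_COOKIE = "KC_AUTO_LOGIN_CHECKED"  # hypothetical loop-guard cookie (not a Keycloak setting)


@dataclass
class Request:
    path: str
    user: Optional[str] = None          # principal set by the adapter, None if anonymous
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                         # "serve" or "redirect"
    location: str = ""
    set_cookie: Optional[str] = None    # cookie the adapter should set on the response


def decide(req: Request, *, auto_login: bool, protected_prefixes: list,
           client_id: str, redirect_uri: str, state: str) -> Decision:
    # Callback after a prompt=none check: login_required means the realm has no
    # session. Serve anonymously and remember the answer so the public front page
    # does not redirect again on the next request. The state must match the value
    # the adapter issued, so a forged error callback cannot suppress later checks.
    if req.query.get("error") == "login_required":
        if req.query.get("state") != state:
            return Decision("serve")                       # unexpected callback: ignore it
        return Decision("serve", set_cookie=CHECKED_COOKIE)
    if req.user is not None:
        return Decision("serve")                           # already logged in
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    # Protected URL reached anonymously: ordinary redirect, the login form is shown.
    if any(req.path.startswith(p) for p in protected_prefixes):
        return Decision("redirect", AUTH_LOGIN + "?" + urlencode(params))
    # Public URL with auto-login enabled: one silent check per browser session.
    if auto_login and CHECKED_COOKIE not in req.cookies:
        params["prompt"] = "none"
        return Decision("redirect", AUTH_LOGIN + "?" + urlencode(params))
    return Decision("serve")
```

The successful 'code' callback (token exchange and session creation) is the adapter's normal flow and is left out here.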

