[keycloak-dev] Login with Access Token

Christian Beikov christian.beikov at gmail.com
Wed Dec 3 06:33:55 EST 2014


Correct me if I am wrong, but the last time I looked at the Facebook button
that appears on the login page, it was just a simple link to Facebook with
some parameters like the state.

2014-12-03 12:31 GMT+01:00 Stian Thorgersen <stian at redhat.com>:

> Just thought of a reason why it won't work. The link to login with
> Facebook is to the Keycloak server, which then sets the required state
> before redirecting to Facebook.
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian at redhat.com>
> > To: "Christian Beikov" <christian.beikov at gmail.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 3 December, 2014 12:30:03 PM
> > Subject: Re: [keycloak-dev] Login with Access Token
> >
> > The callback to Keycloak expects a code, not a token, so I don't think it
> > would work unless you modify Keycloak's Facebook provider. I can't think of
> > any other reasons why it wouldn't work.
> >
> > ----- Original Message -----
> > > From: "Christian Beikov" <christian.beikov at gmail.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Cc: keycloak-dev at lists.jboss.org
> > > Sent: Wednesday, 3 December, 2014 11:04:05 AM
> > > Subject: Re: [keycloak-dev] Login with Access Token
> > >
> > > I was thinking of something like the following as a workaround
> > >
> > > 1. Create a hidden iframe in a webview that navigates to the login page of
> > > the keycloak server.
> > > 2. Extract the state from the link of the Facebook login
> > > 3. Start the login with the native SDK
> > > 4. On success navigate in the iframe to the social callback
> > > 5. Use some keycloak token to act as the logged in user
> > >
> > > Regarding 4. I am not sure what URL I should invoke exactly. I guess I have
> > > to append the state parameter to it, but I couldn't find out exactly and I
> > > haven't debugged that far yet.
> > > Regarding 5. I don't know how to retrieve that keycloak token from the
> > > iframe, but I hope there is a way.
> > >
> > > For this to work I will probably have to add some CORS http headers that
> > > will allow localhost so that the app can access the iframe. Although this
> > > makes it vulnerable, since every localhost app could then "steal" the
> > > keycloak token, it would do the job for now.
> > >
> > > What do you think? Could that work?
> > >
> > > 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> > >
> > > > Keycloak generates a special state parameter. It consists of two parts, a
> > > > signature and an id. The id is used to look up a session in Keycloak, while
> > > > the signature is then used to verify that the specific request is valid (a
> > > > session can only be used for one thing at a time, for example a social
> > > > login). By design there's no way you can generate this yourself unless you
> > > > have access to the Keycloak database.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Christian Beikov" <christian.beikov at gmail.com>
> > > > > To: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
> > > > > Sent: Wednesday, 3 December, 2014 9:33:20 AM
> > > > > Subject: Re: [keycloak-dev] Login with Access Token
> > > > >
> > > > > I am wondering how you do that. I know that there is a state parameter that
> > > > > is added to the Facebook login URL, but I could just make an initial
> > > > > request to keycloak to copy that, or did I understand something wrong?
> > > > >
> > > > > 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> > > > >
> > > > > > It's code that is currently changing as we're working on adding enterprise
> > > > > > IdPs as well as the social IdPs we have at the moment.
> > > > > >
> > > > > > I think the correct approach would be to use the direct grant API, which
> > > > > > currently lets you exchange a username + password for a Keycloak token; we
> > > > > > could add an option here to pass in a token from an external IdP to
> > > > > > exchange for an internal Keycloak token. If you're interested in looking at
> > > > > > the code, look at OpenIDConnectService.grantAccessToken.
> > > > > >
> > > > > > There's no work-around that you can do due to security restrictions in
> > > > > > Keycloak. Keycloak makes sure that the callback can only be called if it
> > > > > > indeed made the original request.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Christian Beikov" <christian.beikov at gmail.com>
> > > > > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > > > > Sent: Wednesday, 3 December, 2014 9:11:55 AM
> > > > > > > Subject: Re: [keycloak-dev] Login with Access Token
> > > > > > >
> > > > > > > Thanks for the quick answer. Could you maybe give me a hint on how I
> > > > > > > could implement that in a quick-and-dirty way? Could I maybe do some
> > > > > > > iframe magic in a hidden webview to do the login? I am not quite sure
> > > > > > > how the social login works exactly. Facebook will redirect me back to
> > > > > > > the social callback address after a login, but how does keycloak
> > > > > > > actually retrieve that access token? If I knew that, I could maybe
> > > > > > > create a workaround for now and maybe also contribute something? :)
> > > > > > >
> > > > > > > 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Christian Beikov" <christian.beikov at gmail.com>
> > > > > > > > > To: keycloak-dev at lists.jboss.org
> > > > > > > > > Sent: Tuesday, 2 December, 2014 6:58:42 PM
> > > > > > > > > Subject: [keycloak-dev] Login with Access Token
> > > > > > > > >
> > > > > > > > > Hello!
> > > > > > > > >
> > > > > > > > > I am new to OAuth, so sorry if my question is dumb.
> > > > > > > > > I have an App which wants to provide a custom and Facebook login. Since
> > > > > > > > > many people already have the Facebook App installed, I thought it might
> > > > > > > > > be better to give them the native experience and use the Facebook SDK to
> > > > > > > > > implement the login.
> > > > > > > > > The problem now is that I have the Access Token from the successful
> > > > > > > > > Facebook login, but don't know how to properly log in at the Keycloak
> > > > > > > > > server with that.
> > > > > > > > >
> > > > > > > > > Any ideas on how to do that? Or is that even stupid and is there a
> > > > > > > > > better way?
> > > > > > > >
> > > > > > > > Not at all a dumb question, and we actually had someone else ask the same
> > > > > > > > last week.
> > > > > > > >
> > > > > > > > Currently, Keycloak does not support this flow, but it's something we may
> > > > > > > > consider adding.
> > > > > > > >
> > > > > > > > > --
> > > > > > > > >
> > > > > > > > > Kind regards,
> > > > > > > > >
> > > > > > > > > Christian Beikov
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > keycloak-dev mailing list
> > > > > > > > > keycloak-dev at lists.jboss.org
> > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > > > > >
> > > > > >
> > > >
> >
>



-- 

Kind regards,


*Christian Beikov* Blazebit Design & Developing
http://www.blazebit.com
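The state mechanism Stian describes in the thread (an id that looks up a server-side session, plus a signature that binds the callback to the one action that session was opened for), as an added illustration in Python. This is not Keycloak's code: the HMAC-SHA256 construction, the in-memory session store, the `action` label and the server key are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a secret held only by the IdP (constructed value for the example).
SERVER_KEY = b"constructed-server-secret-do-not-reuse"

# Assumption: in-memory stand-in for the IdP's session store, id -> pending action.
SESSIONS = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(session_id: str, action: str, key: bytes) -> str:
    # The signature covers the session id and the single action it was issued for,
    # so a state minted for one purpose cannot be presented for another.
    return _b64(hmac.new(key, f"{session_id}:{action}".encode(), hashlib.sha256).digest())


def start_login(action: str, key: bytes = SERVER_KEY) -> str:
    """IdP side: open a session bound to one action and mint its state parameter."""
    session_id = _b64(secrets.token_bytes(16))
    SESSIONS[session_id] = action
    return f"{session_id}.{_sign(session_id, action, key)}"


def verify_callback(state: str, action: str, key: bytes = SERVER_KEY) -> bool:
    """IdP side: accept the callback only if this server issued the state for this
    action, the session is still pending, and the signature verifies."""
    if "." not in state:
        return False
    session_id, presented = state.split(".", 1)
    if SESSIONS.get(session_id) != action:  # unknown, already consumed, or wrong action
        return False
    if not hmac.compare_digest(presented, _sign(session_id, action, key)):
        return False                        # copied id with a forged or tampered signature
    del SESSIONS[session_id]                # one-shot: a replayed callback is rejected
    return True


def demo() -> dict:
    """Walk through the cases the thread discusses: only the genuine state passes once."""
    genuine = start_login("social-login")
    sid = genuine.split(".")[0]
    forged = f"{sid}.{_sign(sid, 'social-login', b'wrong-key')}"  # copied id, no server key
    return {
        "forged_signature": verify_callback(forged, "social-login"),
        "wrong_action": verify_callback(genuine, "password-reset"),
        "genuine": verify_callback(genuine, "social-login"),
        "replay": verify_callback(genuine, "social-login"),
    }
```

Copying the state out of someone else's login page, as the thread considers, yields an id whose session the server will only honour once and only for the action it was opened for, and the signature cannot be recomputed without the server key.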