[keycloak-dev] Login with Access Token

Christian Beikov christian.beikov at gmail.com
Tue Dec 16 06:42:26 EST 2014


Is there a JIRA issue for that feature? I would like to help with this 
regard since I really would like to see support for that in an upcoming 
release.

Kind regards,
------------------------------------------------------------------------
*Christian Beikov*
On 03.12.2014 at 12:31, Stian Thorgersen wrote:
> Just thought of a reason why it won't work. The link to login with Facebook is to the Keycloak server, which then sets the required state before redirecting to Facebook.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Christian Beikov" <christian.beikov at gmail.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 3 December, 2014 12:30:03 PM
>> Subject: Re: [keycloak-dev] Login with Access Token
>>
>> The callback to Keycloak expects a code, not a token, so I don't think it
>> would work unless you modify Keycloak's Facebook provider. I can't think of
>> any other reasons why it wouldn't work.
>>
>> ----- Original Message -----
>>> From: "Christian Beikov" <christian.beikov at gmail.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Wednesday, 3 December, 2014 11:04:05 AM
>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>
>>> I was thinking of something like the following as a workaround
>>>
>>> 1. Create a hidden iframe in a webview that navigates to the login page of
>>> the keycloak server.
>>> 2. Extract the state from the link of the Facebook login
>>> 3. Start the login with the native SDK
>>> 4. On success navigate in the iframe to the social callback
>>> 5. Use some keycloak token to act as the logged in user
>>>
>>> Regarding 4. I am not sure what URL I should invoke exactly. I guess I have
>>> to append the state parameter to it, but I couldn't find out exactly and I
>>> haven't debugged that far yet.
>>> Regarding 5. I don't know how to retrieve that keycloak token from the
>>> iframe, but I hope there is a way.
>>>
>>> For this to work I will probably have to add some CORS http headers that
>>> will allow localhost so that the app can access the iframe. Although this
>>> makes it vulnerable, since every localhost app could then "steal" the
>>> keycloak token, it would do the job for now.
>>>
>>> What do you think? Could that work?
>>>
>>> 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
>>>
>>>> Keycloak generates a special state parameter. It consists of two parts, a
>>>> signature and an id. The id is used to look up a session in Keycloak, while
>>>> the signature is then used to verify that the specific request is valid (a
>>>> session can only be used for one thing at a time, for example a social
>>>> login). By design there's no way you can generate this yourself unless you
>>>> have access to the Keycloak database.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Christian Beikov" <christian.beikov at gmail.com>
>>>>> To: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
>>>>> Sent: Wednesday, 3 December, 2014 9:33:20 AM
>>>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>>>
>>>>> I am wondering how you do that. I know that there is a state parameter that
>>>>> is added to the facebook login url, but I could just make an initial
>>>>> request to keycloak to copy that, or did I understand something wrong?
>>>>>
>>>>> 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
>>>>>
>>>>>> It's code that is currently changing as we're working on adding enterprise
>>>>>> IdP's as well as social IdP's we have at the moment.
>>>>>>
>>>>>> I think the correct approach would be to use the direct grant api, which
>>>>>> currently lets you exchange a username + password for a Keycloak token, we
>>>>>> could add an option here to pass in a token from an external IdP to
>>>>>> exchange for an internal Keycloak token. If you're interested in looking at
>>>>>> the code look at OpenIDConnectService.grantAccessToken.
>>>>>>
>>>>>> There's no work-around that you can do due to security restrictions in
>>>>>> Keycloak. Keycloak makes sure that the callback can only be called if it
>>>>>> indeed made the original request.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Christian Beikov" <christian.beikov at gmail.com>
>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>> Sent: Wednesday, 3 December, 2014 9:11:55 AM
>>>>>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>>>>>
>>>>>>> Thanks for the quick answer. Could you maybe give me a hint on how I could
>>>>>>> implement that in a quick-and-dirty way? Could I maybe do some iframe magic
>>>>>>> in a hidden webview to do the login? I am not quite sure how the social
>>>>>>> login works exactly. Facebook will redirect me back to the social callback
>>>>>>> address after a login, but how does keycloak actually retrieve that access
>>>>>>> token? If I knew that, I could maybe create a workaround for now and maybe
>>>>>>> also contribute something? :)
>>>>>>>
>>>>>>> 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Christian Beikov" <christian.beikov at gmail.com>
>>>>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>>>>> Sent: Tuesday, 2 December, 2014 6:58:42 PM
>>>>>>>>> Subject: [keycloak-dev] Login with Access Token
>>>>>>>>>
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> I am new to OAuth so sorry if my question is dumb.
>>>>>>>>> I have an App which wants to provide a custom and Facebook login. Since
>>>>>>>>> many people already have the Facebook App installed, I thought it might be
>>>>>>>>> better to give them the native experience and use the Facebook SDK to
>>>>>>>>> implement the login.
>>>>>>>>> The problem now is that I have the Access Token from the successful
>>>>>>>>> Facebook login, but don't know how to properly login at the Keycloak
>>>>>>>>> server with that.
>>>>>>>>>
>>>>>>>>> Any ideas on how to do that? Or is that even stupid and is there a better
>>>>>>>>> way?
>>>>>>>> Not at all a dumb question and we actually had someone else ask the same
>>>>>>>> last week.
>>>>>>>>
>>>>>>>> Currently, Keycloak does not support this flow, but it is something we may
>>>>>>>> consider adding.
>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>>
>>>>>>>>> Christian Beikov
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-dev mailing list
>>>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>>
>>>>>>> *Christian Beikov*
>>>>>>> Blazebit Design & Developing
>>>>>>> http://www.blazebit.com
>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Kind regards,
>>>>>
>>>>>
>>>>> *Christian Beikov*
>>>>> Blazebit Design & Developing
>>>>> http://www.blazebit.com
>>>>>
>>>
>>>
>>> --
>>>
>>> Kind regards,
>>>
>>>
>>> *Christian Beikov*
>>> Blazebit Design & Developing
>>> http://www.blazebit.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
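The state parameter Stian describes in the quoted thread (an id that looks up a server-side session, plus a signature that ties the request to that session and to the one action the session was created for) is easy to get subtly wrong, so here is a small Python model of that design, added for this page. It is not Keycloak's code: the server key, the in-memory session store (standing in for the Keycloak database lookup), the `purpose` string and the `AuthServer` class are all assumptions made for the illustration. It shows why a client that merely copies the state from an earlier redirect, as the thread discusses, cannot produce a callback the server accepts, and why a genuine state works exactly once.

```python
# Added illustration (not Keycloak code): a signed, single-use OAuth "state"
# parameter of the form "<session id>.<signature>", modelled on the description
# in the thread. The key, the session store and the "purpose" binding are
# constructed for this example.
import base64
import hashlib
import hmac
import secrets


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value survives in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class AuthServer:
    """Minimal stand-in for the authorization server's state handling."""

    def __init__(self, key: bytes) -> None:
        self._key = key                       # known only to the server, never to clients
        self._sessions: dict[str, str] = {}   # session id -> purpose it was created for

    def _signature(self, session_id: str, purpose: str) -> str:
        # The MAC covers both the id and the purpose, so a state minted for one
        # action (e.g. a social login) cannot be presented for another.
        msg = f"{session_id}:{purpose}".encode("utf-8")
        return _b64(hmac.new(self._key, msg, hashlib.sha256).digest())

    def start_login(self, purpose: str) -> str:
        """Called when the server builds the redirect to the external IdP.
        Returns the state value that goes into that redirect URL."""
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = purpose
        return f"{session_id}.{self._signature(session_id, purpose)}"

    def verify_callback(self, state: str, purpose: str) -> bool:
        """Called when the IdP redirects back to the server's callback.
        Accepts the state only if this server issued it, for this purpose,
        and it has not been consumed yet."""
        session_id, sep, presented_sig = state.partition(".")
        if not sep:
            return False                      # malformed: no id/signature split
        stored_purpose = self._sessions.get(session_id)
        if stored_purpose is None or stored_purpose != purpose:
            return False                      # unknown session, or bound to another action
        expected_sig = self._signature(session_id, purpose)
        # Constant-time comparison on bytes, so non-ASCII input cannot raise.
        if not hmac.compare_digest(presented_sig.encode("utf-8"), expected_sig.encode("ascii")):
            return False                      # forged or tampered signature
        del self._sessions[session_id]        # single use: a replayed state is rejected
        return True


def demo() -> dict[str, bool]:
    """Exercise the checks a reviewer would want to see; returns each outcome."""
    server = AuthServer(secrets.token_bytes(32))
    state = server.start_login("social-login")
    results: dict[str, bool] = {}
    # A client that copies only the id from a real redirect cannot sign it.
    session_id = state.split(".")[0]
    forged = session_id + "." + _b64(b"\x00" * 32)
    results["copied_id_forged_sig"] = server.verify_callback(forged, "social-login")
    # A state issued for a social login is not valid for a different action.
    results["wrong_purpose"] = server.verify_callback(state, "account-link")
    # The genuine callback succeeds exactly once; a replay is rejected.
    results["genuine"] = server.verify_callback(state, "social-login")
    results["replay"] = server.verify_callback(state, "social-login")
    results["malformed"] = server.verify_callback("no-separator", "social-login")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The session store is what makes the id unforgeable without database access: even a correctly formatted id is useless unless the server itself created it. The MAC over `id:purpose` is what enforces "one thing at a time", and deleting the session on success is what turns the state into a single-use token rather than a bearer value that could be replayed.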
