[keycloak-dev] Keycloak login without redirect to external login page

Summers Pittman supittma at redhat.com
Thu Dec 7 09:12:57 EST 2017


I have been able to sign into KeyCloak without writing a broker service and
using the external/internal key exchange, Google's OpenID endpoints, and
the Google Android SDK.

Basically just follow the docs here:
http://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
to set up the server.

There are a couple of caveats I discovered to making it work with Google.
First you have to create a generic OpenID Connect IdP configuration in
Keycloak instead of using the Google one.  With the exception of Google's
Client ID and secret you can prefill all of the values using Google's
well-known file (https://accounts.google.com/.well-known/openid-configuration).
Secondly I disabled the userInfo endpoint because Google needs an Auth token
that is not the ID Token they send you, which is used in the KeyCloak key
exchange.

You can check out my quick and dirty Android code here:
https://github.com/secondsun/TokenExchangeDemo
(Warning, there may be code gore).

I haven't tested it with non-Google IdPs, but I would imagine most OpenID
Connect services will work as well.  This isn't quite your use case, but I
hope it gets you closer.


On Fri, Dec 1, 2017 at 2:38 PM, Summers Pittman <supittma at redhat.com> wrote:

>
>
> On Fri, Dec 1, 2017 at 7:19 AM, Wojciech Trocki <wtrocki at redhat.com>
> wrote:
>
>> I'm investigating possible options for creating a JavaScript client that
>> will help mobile developers (Cordova, React Native) to integrate with
>> Keycloak.
>>
>> The main idea will be to mimic other solutions that allow logging in to the
>> auth server using a single method (instead of redirecting to the login page)
>>
>> For example:
>>
>> *authbase.auth().signInWithEmailAndPassword(email, password).then(...);*
>>
>> The JavaScript adapter from the Keycloak team works fine for both Android and
>> iOS, but mounting the login page in a webview and styling the login page may
>> be a barrier for developers starting with Keycloak.
>>
>> *Questions:*
>>
>> 1) Is it possible to use Keycloak without redirecting to the Keycloak login page?
>>
>>
>
>> 2) Do you have any suggestions for areas where the mobile experience can be
>> improved?
>>
>>
> I don't have a JavaScript answer for you (boo!), but I have been tumbling
> around in my head what it would take to make a broker that you can log in
> to.  A broker would basically act as a ghetto IdP and sock puppet account
> mgmt in KeyCloak.  That is a lot more work than just opening a web browser.
>
> See my post here for a better version of that idea:
> http://lists.jboss.org/pipermail/keycloak-user/2017-November/012404.html
>
> Alternatively many systems have native token management that you might be
> able to hook into as well.  It doesn't negate the need to go to the system
> browser, but if you are using the same account in multiple apps it could
> give you a way to share a session without having each app log in separately.
>
> However, the system browsers are starting to get smarter about their role
> in modern authentication so you might be able to leverage them as well.
> IIRC Chrome on Android treats the Google account specially and I am sure you
> can find something similar with Safari on iOS.
>
>
>
>> This topic was raised before on both the dev and users lists, but
>> without a definitive answer [1].
>> I'm looking for any information that may be helpful.
>>
>> [1] http://lists.jboss.org/pipermail/keycloak-user/2016-November/008295.html
>>
>> --
>>
>> WOJCIECH TROCKI
>>
>> Red Hat Mobile <https://www.redhat.com/>
>>
>> IM: wtrocki
>> <https://red.ht/sig>
>>
>
>
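The Google-to-Keycloak flow described in the top post, as an added Python example that is not from the post or the linked demo: it prefills a generic OIDC IdP configuration from Google's discovery document (userinfo disabled, ID token signature checked via JWKS, as the post describes) and builds the external-to-internal token exchange request, refusing an ID token whose iss/aud do not match before it is sent. The Keycloak config key names and the exchange form fields are assumptions from my reading of the Keycloak docs; the client ids, secret and IdP alias are placeholders, and the discovery document is a constructed excerpt.

```python
import base64
import json
# Constructed excerpt of Google's discovery document (the real file has more keys).
DISCOVERY_DOC = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def idp_config_from_discovery(doc, client_id, client_secret):
    """IdP 'config' map; key names assumed from Keycloak's OIDC IdP representation."""
    return {
        "clientId": client_id,
        "clientSecret": client_secret,
        "issuer": doc["issuer"],
        "authorizationUrl": doc["authorization_endpoint"],
        "tokenUrl": doc["token_endpoint"],
        "jwksUrl": doc["jwks_uri"],
        "useJwksUrl": "true",         # Keycloak checks the ID token signature
        "validateSignature": "true",  # against Google's JWKS ...
        "disableUserInfo": "true",    # ... and never calls userinfo, which wants
    }                                 # an access token, not this ID token

def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying it (Keycloak verifies it)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def exchange_request(doc, kc_client, kc_secret, idp_alias, id_token, google_client):
    """Form fields for POST /realms/<realm>/protocol/openid-connect/token."""
    claims = jwt_claims(id_token)
    # Refuse a token minted by another issuer or for another app before sending it.
    if claims.get("iss") != doc["issuer"] or claims.get("aud") != google_client:
        raise ValueError("ID token issuer/audience mismatch")
    return {
        "client_id": kc_client,
        "client_secret": kc_secret,
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": id_token,
        "subject_issuer": idp_alias,
        "subject_token_type": JWT_TOKEN_TYPE,
    }

def unsigned_jwt(claims):
    """Constructed, unsigned (alg none) JWT, for local demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```

Keycloak will reject the unsigned sample token because signature validation is on; the helper only exists to exercise the claim check offline, and a real exchange needs the ID token the Google Android SDK returns.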


More information about the keycloak-dev mailing list