[keycloak-dev] Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter

Thomas Darimont thomas.darimont at googlemail.com
Tue Jul 18 09:42:25 EDT 2017

Hello folks,

I played a bit with the undocumented? [0] keycloak-installed adapter [1]
for integrating
desktop applications with Keycloak SSO and found some issues with it, which
I'd like to share.
Small explanation for those who are reading the list but don't know the
adapter... [2]

First some general notes / suggestions:
Is the keycloak-installed adapter something that will stay in keycloak or
was this just a PoC?
In the former case I think there are some things that could be improved or
extended a bit:

- Allow users to customize the locale used for the login pages opened by
the adapter
- Provide customizable response templates (perhaps by leveraging a provided
- Allow to customize pages shown after login / logout served by the
keycloak-installed adapter
- Add support for TLS (with custom certificates) for https:// with localhost

I noticed that some browsers (e.g. Chrome) show an error page when trying
redirect to the local mini-webserver after a successful login since the
(...server-socket) embedded in the adapter doesn't respond with a valid
HTTP response.
With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome).

My current modifications of the keycloak-installed adapter
(with HTTP response fixes and response customizations) are here:

An extended example (using the the modified keycloak-installed adapter) can
be found here:



[0] Not mentioned here:

[1] https://github.com/keycloak/keycloak/tree/master/adapters/oidc/installed

[2] For those that haven't seen the adapter yet, it allows to authenticate
against Keycloak
from a desktop app (e.g. swing, javafx) by opening a desktop browser window
where a user
uses the regular keycloak login pages to login.
The trick is now that login page is opened with redirect URL that points to
a small local
"web server" (server-socket) on a free ephemeral port which is started by
the adapter.

After logging in the mini web-server receives performs the authenorization
code flow and eventually receives the tokens (access_token, refresh_token,
id_token) which can then be
used to call backend services from the client or retrieve new tokens

A nice side effect of this is, that the desktop application never sees a
password and one can leverage existing SSO sessions.
Btw. the google cloud cli uses the same approach to authenticate with gcp.

The Keycloak repo contains a small example for this:

More information about the keycloak-dev mailing list