[keycloak-dev] Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter

Thomas Darimont thomas.darimont at googlemail.com
Thu Jul 20 09:22:55 EDT 2017 

some more food for thought:

Google seems to recommend using the Loopback IP address to obtain the
authorization
code from a successful Oauth 2.0 interaction in the browser, see [0].

Create authorization credentials -> Option 2: Loopback IP address (macOS,
Linux, Windows desktop)

Other methods like "manual copy/paste" (of the auth code) or "Programmatic
extraction"
are supported but not recommended - the recommended approach is to use
either
Loopback IP address or a Custom URI scheme (on mobile apps or Windows UWP).
Though, one might still be able to programmatically register a custom
protocol handler
in windows and other platforms.

Google also provides some example applications that demonstate the various
approaches.

Further more, OAuth for Apps: Sample Desktop Application for Windows [1]
mentions: OAuth 2.0 for Native Apps (draft-ietf-oauth-native-apps-12) [2]
which descibes the
approaches mentioned above in more detail.

E.g. in 4.1 "Authorization Flow for Native Apps Using the Browser" they
IMHO
describe the interaction model of the keycloak-installed adapter.

[0] https://developers.google.com/identity/protocols/OAuth2InstalledApp
[1]
https://github.com/googlesamples/oauth-apps-for-windows/tree/master/OAuthDesktopApp
[2] https://tools.ietf.org/html/draft-ietf-oauth-native-apps-12


2017-07-20 15:04 GMT+02:00 Thomas Darimont <thomas.darimont at googlemail.com>:

> That's interesting.
>
> Will there also be support for desktop apps in some way?
>
> What in particular do you think is the problem with the approach used by
> the keycloak-installed adapter
> and OAuth device flow, guessing you mean: https://tools.ietf.org/html/
> draft-ietf-oauth-device-flow-06 ?
>
> Cheers,
> Thomas
>
>
>
> 2017-07-19 16:31 GMT+02:00 Bill Burke <bburke at redhat.com>:
>
>> I'm working on something for command line apps.  A command-line
>> text/plain protocol so that login can happen within a console.  I really
>> think keycloak-installation or the OAuth device flow is really poor
>> solution.
>>
>>
>> On 7/18/17 9:42 AM, Thomas Darimont wrote:
>> > Hello folks,
>> >
>> > I played a bit with the undocumented? [0] keycloak-installed adapter [1]
>> > for integrating
>> > desktop applications with Keycloak SSO and found some issues with it,
>> which
>> > I'd like to share.
>> > Small explanation for those who are reading the list but don't know the
>> > adapter... [2]
>> >
>> > First some general notes / suggestions:
>> > Is the keycloak-installed adapter something that will stay in keycloak
>> or
>> > was this just a PoC?
>> > In the former case I think there are some things that could be improved
>> or
>> > extended a bit:
>> >
>> > - Allow users to customize the locale used for the login pages opened by
>> > the adapter
>> > - Provide customizable response templates (perhaps by leveraging a
>> provided
>> > ResourceBundle)
>> > - Allow to customize pages shown after login / logout served by the
>> > keycloak-installed adapter
>> > - Add support for TLS (with custom certificates) for https:// with
>> localhost
>> >
>> > I noticed that some browsers (e.g. Chrome) show an error page when
>> trying
>> > to
>> > redirect to the local mini-webserver after a successful login since the
>> > mini-webserver
>> > (...server-socket) embedded in the adapter doesn't respond with a valid
>> > HTTP response.
>> > With that fixed, it worked with all browsers I tested (IE, Firefox,
>> Chrome).
>> >
>> > My current modifications of the keycloak-installed adapter
>> > (with HTTP response fixes and response customizations) are here:
>> > https://github.com/thomasdarimont/keycloak/commit/b8ee52a946
>> e73503b1737f5ca7d4520b8484dae8
>> >
>> > An extended example (using the the modified keycloak-installed adapter)
>> can
>> > be found here:
>> > https://gist.github.com/thomasdarimont/c59c14f45ea2ee00d7b6fbe2c013c5f1
>> >
>> > WDYT?
>> >
>> > Cheers,
>> > Thomas
>> >
>> > [0] Not mentioned here:
>> > https://keycloak.gitbooks.io/documentation/securing_apps/top
>> ics/oidc/java/java-adapters.html
>> >
>> > [1] https://github.com/keycloak/keycloak/tree/master/adapters/oi
>> dc/installed
>> >
>> > [2] For those that haven't seen the adapter yet, it allows to
>> authenticate
>> > against Keycloak
>> > from a desktop app (e.g. swing, javafx) by opening a desktop browser
>> window
>> > where a user
>> > uses the regular keycloak login pages to login.
>> > The trick is now that login page is opened with redirect URL that
>> points to
>> > a small local
>> > "web server" (server-socket) on a free ephemeral port which is started
>> by
>> > the adapter.
>> >
>> > After logging in the mini web-server receives performs the
>> authenorization
>> > code flow and eventually receives the tokens (access_token,
>> refresh_token,
>> > id_token) which can then be
>> > used to call backend services from the client or retrieve new tokens
>> >
>> > A nice side effect of this is, that the desktop application never sees a
>> > users
>> > password and one can leverage existing SSO sessions.
>> > Btw. the google cloud cli uses the same approach to authenticate with
>> gcp.
>> >
>> > The Keycloak repo contains a small example for this:
>> > https://github.com/keycloak/keycloak/blob/master/examples/de
>> mo-template/customer-app-cli/src/main/java/org/keycloak/
>> example/CustomerCli.java
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>

More information about the keycloak-dev mailing list