<div dir="ltr">Correct me if I am wrong, but the last time I looked at the Facebook button that appears on the login page, it was just a simple link to facebook with some parameters like the state.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-12-03 12:31 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Just thought of a reason why it won't work. The link to login with Facebook is to the Keycloak server, which then sets the required state before redirecting to Facebook.<br>
<span class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> To: "Christian Beikov" <<a href="mailto:christian.beikov@gmail.com">christian.beikov@gmail.com</a>><br>
> Cc: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
</span><div class="HOEnZb"><div class="h5">> Sent: Wednesday, 3 December, 2014 12:30:03 PM<br>
> Subject: Re: [keycloak-dev] Login with Access Token<br>
><br>
> The callback to Keycloak expects a code, not a token, so I don't think it<br>
> would work unless you modify Keycloak's Facebook provider. I can't think of<br>
> any other reasons why it wouldn't work.<br>
><br>
> ----- Original Message -----<br>
> > From: "Christian Beikov" <<a href="mailto:christian.beikov@gmail.com">christian.beikov@gmail.com</a>><br>
> > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > Cc: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> > Sent: Wednesday, 3 December, 2014 11:04:05 AM<br>
> > Subject: Re: [keycloak-dev] Login with Access Token<br>
> ><br>
> > I was thinking of something like the following as a workaround<br>
> ><br>
> > 1. Create a hidden iframe in a webview that navigates to the login page of<br>
> > the keycloak server.<br>
> > 2. Extract the state from the link of the Facebook login<br>
> > 3. Start the login with the native SDK<br>
> > 4. On success navigate in the iframe to the social callback<br>
> > 5. Use some keycloak token to act as the logged in user<br>
> ><br>
> > Regarding 4. I am not sure what URL I should invoke exactly. I guess I have<br>
> > to append the state parameter to it, but I couldn't find out exactly and I<br>
> > haven't debugged that far yet.<br>
> > Regarding 5. I don't know how to retrieve that keycloak token from the<br>
> > iframe, but I hope there is a way.<br>
> ><br>
> > For this to work I will probably have to add some CORS http headers that<br>
> > will allow localhost so that the app can access the iframe. Although this<br>
> > makes it vulnerable, since every localhost app could then "steal" the<br>
> > keycloak token, it would do the job for now.<br>
> ><br>
> > What do you think? Could that work?<br>
> ><br>
> > 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>:<br>
> ><br>
> > > Keycloak generates a special state parameter. It consists of two parts, a<br>
> > > signature and an id. The id is used to lookup a session in Keycloak,<br>
> > > while<br>
> > > the signature is then used to verify that specific request is valid (a<br>
> > > session can only be used for one thing at a time, for example a social<br>
> > > login). By design there's no way you can generate this yourself unless<br>
> > > you<br>
> > > have access to the Keycloak database.<br>
> > ><br>
> > > ----- Original Message -----<br>
> > > > From: "Christian Beikov" <<a href="mailto:christian.beikov@gmail.com">christian.beikov@gmail.com</a>><br>
> > > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>, <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> > > > Sent: Wednesday, 3 December, 2014 9:33:20 AM<br>
> > > > Subject: Re: [keycloak-dev] Login with Access Token<br>
> > > ><br>
> > > > I am wondering how you do that. I know that there is a state parameter<br>
> > > that<br>
> > > > is added to the facebook login url, but I could just make an initial<br>
> > > > request to keycloak to copy that, or did I understand something wrong?<br>
> > > ><br>
> > > > 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>:<br>
> > > ><br>
> > > > > It's code that is currently changing as we're working on adding<br>
> > > enterprise<br>
> > > > > IdP's as well as social IdP's we have at the moment.<br>
> > > > ><br>
> > > > > I think the correct approach would be to use the direct grant api,<br>
> > > which<br>
> > > > > currently lets you exchange a username + password for a Keycloak<br>
> > > token, we<br>
> > > > > could add an option here to pass in a token from an external IdP to<br>
> > > > > > exchange for an internal Keycloak token. If you're interested in<br>
> > > looking at<br>
> > > > > the code look at OpenIDConnectService.grantAccessToken.<br>
> > > > ><br>
> > > > > There's no work-around that you can do due to security restrictions<br>
> > > > > in<br>
> > > > > Keycloak. Keycloak makes sure that the callback can only be called if<br>
> > > it<br>
> > > > > indeed made the original request.<br>
> > > > ><br>
> > > > > ----- Original Message -----<br>
> > > > > > From: "Christian Beikov" <<a href="mailto:christian.beikov@gmail.com">christian.beikov@gmail.com</a>><br>
> > > > > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > > Sent: Wednesday, 3 December, 2014 9:11:55 AM<br>
> > > > > > Subject: Re: [keycloak-dev] Login with Access Token<br>
> > > > > ><br>
> > > > > > Thanks for the quick answer. Could you maybe give me a hint on how<br>
> > > > > > I<br>
> > > > > could<br>
> > > > > > implement that in a quick-and-dirty way? Could I maybe do some<br>
> > > > > > iframe<br>
> > > > > magic<br>
> > > > > > in a hidden webview to do the login? I am not quite sure how the<br>
> > > social<br>
> > > > > > login works exactly. Facebook will redirect me back to the social<br>
> > > > > callback<br>
> > > > > > address after a login, but how does keycloak actually retrieve that<br>
> > > > > access<br>
> > > > > > token? If I knew that, I could maybe create a workaround for now<br>
> > > > > > and<br>
> > > > > maybe<br>
> > > > > > also contribute something? :)<br>
> > > > > ><br>
> > > > > > 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>:<br>
> > > > > ><br>
> > > > > > ><br>
> > > > > > ><br>
> > > > > > > ----- Original Message -----<br>
> > > > > > > > From: "Christian Beikov" <<a href="mailto:christian.beikov@gmail.com">christian.beikov@gmail.com</a>><br>
> > > > > > > > To: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> > > > > > > > Sent: Tuesday, 2 December, 2014 6:58:42 PM<br>
> > > > > > > > Subject: [keycloak-dev] Login with Access Token<br>
> > > > > > > ><br>
> > > > > > > > Hello!<br>
> > > > > > > ><br>
> > > > > > > > I am new to OAuth so sorry if my question is dumb.<br>
> > > > > > > > I have an App which wants to provide a custom and Facebook<br>
> > > > > > > > login.<br>
> > > > > Since<br>
> > > > > > > many<br>
> > > > > > > > people already have the Facebook App installed, I thought it<br>
> > > might be<br>
> > > > > > > better<br>
> > > > > > > > to give them the native experience and use the Facebook SDK to<br>
> > > > > implement<br>
> > > > > > > the<br>
> > > > > > > > login.<br>
> > > > > > > > The problem now is, that I have the Access Token from the<br>
> > > successful<br>
> > > > > > > Facebook<br>
> > > > > > > > login, but don't know how to properly login at the Keycloak<br>
> > > server<br>
> > > > > with<br>
> > > > > > > > that.<br>
> > > > > > > ><br>
> > > > > > > > Any ideas on how to do that? Or is that even stupid and is<br>
> > > > > > > > there<br>
> > > a<br>
> > > > > better<br>
> > > > > > > > way?<br>
> > > > > > ><br>
> > > > > > > Not at all a dumb question and we actually had someone else ask<br>
> > > > > > > the<br>
> > > > > same<br>
> > > > > > > last week.<br>
> > > > > > ><br>
> > > > > > > Currently, Keycloak does not support this flow, but it is something<br>
> > > we may<br>
> > > > > > > consider adding.<br>
> > > > > > ><br>
> > > > > > > > --<br>
> > > > > > > ><br>
> > > > > > > > Kind regards,<br>
> > > > > > > ><br>
> > > > > > > > Christian Beikov<br>
> > > > > > > ><br>
> > > > > > > > _______________________________________________<br>
> > > > > > > > keycloak-dev mailing list<br>
> > > > > > > > <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> > > > > > > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
> > > > > > ><br>
> > > > > ><br>
> > > > > ><br>
> > > > > ><br>
> > > > ><br>
> > > ><br>
> > > ><br>
> > > ><br>
> > ><br>
> ><br>
> ><br>
> ><br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><br>Kind regards,<br><br><b>Christian Beikov<br></b>Blazebit Design & Developing<br><a href="http://www.blazebit.com" target="_blank">http://www.blazebit.com</a></div></div>
</div>
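The state mechanism Stian describes in the thread (a state made of a session id plus a signature, the id used to look up a server-side session, the session bound to one action at a time, and the callback accepted only for a request the server itself started) can be sketched in a few lines. The following is an added illustration written for this thread, not Keycloak's own code: the secret, the in-memory session store and the function names `begin_social_login`, `parse_state` and `handle_callback` are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for this illustration only; a real server
# would load it from protected configuration rather than embed it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# In-memory stand-in for the server-side session store that the id in the
# state parameter is looked up in.
_sessions = {}


def _sign(session_id: str) -> str:
    """HMAC over the session id; only the holder of SERVER_SECRET can produce it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def begin_social_login(provider: str) -> str:
    """Server side of 'Login with <provider>': create a session bound to exactly
    one action and return the state value to put on the redirect to the IdP."""
    session_id = secrets.token_urlsafe(16)
    _sessions[session_id] = {"action": f"social:{provider}", "consumed": False}
    return f"{session_id}.{_sign(session_id)}"


def parse_state(state: str) -> Optional[str]:
    """Return the session id carried by `state` if its signature verifies, else None."""
    if "." not in state:
        return None
    session_id, sig = state.rsplit(".", 1)
    # Constant-time comparison so the check leaks nothing about the expected value.
    if not hmac.compare_digest(_sign(session_id), sig):
        return None
    return session_id


def handle_callback(state: str, provider: str) -> str:
    """Accept the IdP callback only for a session this server created for this
    exact action, and only once."""
    session_id = parse_state(state)
    if session_id is None:
        return "rejected: bad signature"
    session = _sessions.get(session_id)
    if session is None:
        return "rejected: unknown session"
    if session["action"] != f"social:{provider}":
        return "rejected: session is in use for a different action"
    if session["consumed"]:
        return "rejected: state already used"
    session["consumed"] = True
    return "accepted"


if __name__ == "__main__":
    state = begin_social_login("facebook")
    print(handle_callback(state, "facebook"))            # accepted
    print(handle_callback(state, "facebook"))            # rejected: state already used
    print(handle_callback("forged." + "0" * 64, "facebook"))  # rejected: bad signature
```

Three properties from the discussion fall out of this sketch: a state cannot be minted outside the server because the signature needs the secret, a correctly signed state is still useless without a matching entry in the session store, and a state copied from a freshly loaded login page buys exactly one callback for the one action it was created for. That is why the iframe workaround in the thread needs the server's cooperation rather than just a copied parameter, and why widening CORS to localhost to read the result back carries the token-theft risk the thread itself points out.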