<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Is there a JIRA issue for that feature?
      I would like to help with this regard since I really would like to
      see support for that in an upcoming release.<br>
      <div class="moz-signature"><br>
        Kind regards,<br>
        <hr>
        <b>Christian Beikov</b><br>
      </div>
      On 03.12.2014 at 12:31, Stian Thorgersen wrote:<br>
    </div>
    <blockquote
      cite="mid:65581544.9522973.1417606302820.JavaMail.zimbra@redhat.com"
      type="cite">
      <pre wrap="">Just thought of a reason why it won't work. The link to login with Facebook is to the Keycloak server, which then sets the required state before redirecting to Facebook.

----- Original Message -----
</pre>
      <blockquote type="cite">
        <pre wrap="">From: "Stian Thorgersen" <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>
To: "Christian Beikov" <a class="moz-txt-link-rfc2396E" href="mailto:christian.beikov@gmail.com">&lt;christian.beikov@gmail.com&gt;</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
Sent: Wednesday, 3 December, 2014 12:30:03 PM
Subject: Re: [keycloak-dev] Login with Access Token

The callback to Keycloak expects a code, not a token, so I don't think it
would work unless you modify Keycloak's Facebook provider. I can't think of
any other reasons why it wouldn't work.

----- Original Message -----
</pre>
        <blockquote type="cite">
          <pre wrap="">From: "Christian Beikov" <a class="moz-txt-link-rfc2396E" href="mailto:christian.beikov@gmail.com">&lt;christian.beikov@gmail.com&gt;</a>
To: "Stian Thorgersen" <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
Sent: Wednesday, 3 December, 2014 11:04:05 AM
Subject: Re: [keycloak-dev] Login with Access Token

I was thinking of something like the following as a workaround:

1. Create a hidden iframe in a webview that navigates to the login page of
the Keycloak server.
2. Extract the state from the link of the Facebook login.
3. Start the login with the native SDK.
4. On success, navigate in the iframe to the social callback.
5. Use some Keycloak token to act as the logged-in user.

Regarding 4, I am not sure what URL I should invoke exactly. I guess I have
to append the state parameter to it, but I couldn't find out exactly and I
haven't debugged that far yet.
Regarding 5, I don't know how to retrieve that Keycloak token from the
iframe, but I hope there is a way.

For this to work I will probably have to add some CORS HTTP headers that
will allow localhost so that the app can access the iframe. Although this
makes it vulnerable, since every localhost app could then "steal" the
Keycloak token, it would do the job for now.

What do you think? Could that work?

2014-12-03 9:43 GMT+01:00 Stian Thorgersen <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>:

</pre>
          <blockquote type="cite">
            <pre wrap="">Keycloak generates a special state parameter. It consists of two parts, a
signature and an id. The id is used to look up a session in Keycloak, while
the signature is then used to verify that specific request is valid (a
session can only be used for one thing at a time, for example a social
login). By design there's no way you can generate this yourself unless you
have access to the Keycloak database.

----- Original Message -----
</pre>
            <blockquote type="cite">
              <pre wrap="">From: "Christian Beikov" <a class="moz-txt-link-rfc2396E" href="mailto:christian.beikov@gmail.com">&lt;christian.beikov@gmail.com&gt;</a>
To: "Stian Thorgersen" <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>, <a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
Sent: Wednesday, 3 December, 2014 9:33:20 AM
Subject: Re: [keycloak-dev] Login with Access Token

I am wondering how you do that. I know that there is a state parameter that
is added to the Facebook login URL, but I could just make an initial
request to Keycloak to copy that, or did I understand something wrong?

2014-12-03 9:22 GMT+01:00 Stian Thorgersen <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>:

</pre>
              <blockquote type="cite">
                <pre wrap="">It's code that is currently changing as we're working on adding enterprise
IdPs as well as the social IdPs we have at the moment.

I think the correct approach would be to use the direct grant API, which
currently lets you exchange a username + password for a Keycloak token; we
could add an option here to pass in a token from an external IdP to
exchange for an internal Keycloak token. If you're interested in looking at
the code, look at OpenIDConnectService.grantAccessToken.

There's no work-around that you can do due to security restrictions in
Keycloak. Keycloak makes sure that the callback can only be called if it
indeed made the original request.

----- Original Message -----
</pre>
                <blockquote type="cite">
                  <pre wrap="">From: "Christian Beikov" <a class="moz-txt-link-rfc2396E" href="mailto:christian.beikov@gmail.com">&lt;christian.beikov@gmail.com&gt;</a>
To: "Stian Thorgersen" <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>
Sent: Wednesday, 3 December, 2014 9:11:55 AM
Subject: Re: [keycloak-dev] Login with Access Token

Thanks for the quick answer. Could you maybe give me a hint on how I could
implement that in a quick-and-dirty way? Could I maybe do some iframe magic
in a hidden webview to do the login? I am not quite sure how the social
login works exactly. Facebook will redirect me back to the social callback
address after a login, but how does Keycloak actually retrieve that access
token? If I knew that, I could maybe create a workaround for now and maybe
also contribute something? :)

2014-12-03 8:48 GMT+01:00 Stian Thorgersen <a class="moz-txt-link-rfc2396E" href="mailto:stian@redhat.com">&lt;stian@redhat.com&gt;</a>:

</pre>
                  <blockquote type="cite">
                    <pre wrap="">

----- Original Message -----
</pre>
                    <blockquote type="cite">
                      <pre wrap="">From: "Christian Beikov" <a class="moz-txt-link-rfc2396E" href="mailto:christian.beikov@gmail.com">&lt;christian.beikov@gmail.com&gt;</a>
To: <a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
Sent: Tuesday, 2 December, 2014 6:58:42 PM
Subject: [keycloak-dev] Login with Access Token

Hello!

I am new to OAuth so sorry if my question is dumb.
I have an App which wants to provide a custom and Facebook login. Since many
people already have the Facebook App installed, I thought it might be better
to give them the native experience and use the Facebook SDK to implement the
login.
The problem now is that I have the Access Token from the successful Facebook
login, but don't know how to properly log in at the Keycloak server with that.

Any ideas on how to do that? Or is that even stupid and is there a better
way?
</pre>
                    </blockquote>
                    <pre wrap="">
Not at all a dumb question and we actually had someone else ask the same
last week.

Currently, Keycloak does not support this flow, but it is something we may
consider adding.

</pre>
                    <blockquote type="cite">
                      <pre wrap="">--

Kind regards,

Christian Beikov

_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a>
</pre>
                    </blockquote>
                  </blockquote>
                  <pre wrap="">

--

Kind regards,

*Christian Beikov*
Blazebit Design &amp; Developing
<a class="moz-txt-link-freetext" href="http://www.blazebit.com">http://www.blazebit.com</a>

</pre>
                </blockquote>
              </blockquote>
              <pre wrap="">

--

Kind regards,

*Christian Beikov*
Blazebit Design &amp; Developing
<a class="moz-txt-link-freetext" href="http://www.blazebit.com">http://www.blazebit.com</a>

</pre>
            </blockquote>
          </blockquote>
          <pre wrap="">

--

Kind regards,

*Christian Beikov*
Blazebit Design &amp; Developing
<a class="moz-txt-link-freetext" href="http://www.blazebit.com">http://www.blazebit.com</a>

</pre>
        </blockquote>
        <pre wrap="">
_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a>
</pre>
      </blockquote>
    </blockquote>
    <br>
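    <p>Added illustration (not Keycloak's code and not part of the thread above): a signed OAuth <code>state</code> parameter of the shape Stian describes, a random session id plus a signature, together with the callback check that only accepts a redirect for a request the server itself started. The class and function names (<code>StateStore</code>, <code>issue_state</code>, <code>verify_callback</code>, the <code>"social-login"</code> action label) and the HMAC-SHA256 construction are assumptions for this example; Keycloak's real format and storage differ.</p>

```python
"""
Added example, not Keycloak's implementation: a signed OAuth "state" parameter
(random session id + HMAC signature) and the callback check that binds a
redirect back to the request the server itself initiated. All names here
(StateStore, issue_state, verify_callback, the "social-login" action) are
constructed for the illustration.
"""
import base64
import hashlib
import hmac
import secrets


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value survives a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class StateStore:
    """Server-side table of pending sessions, keyed by the id carried in the state.

    Each session is bound to exactly one pending action (here "social-login"),
    which is the "a session can only be used for one thing at a time" rule.
    """

    def __init__(self, server_key: bytes):
        self._key = server_key      # signing secret; stays on the server, never sent out
        self._sessions = {}         # session id mapped to its pending action

    def _sign(self, session_id: str, action: str) -> str:
        # The signature covers both the id and the action, so a state issued for
        # one purpose cannot be replayed against a callback for another.
        msg = f"{session_id}:{action}".encode("ascii")
        return _b64(hmac.new(self._key, msg, hashlib.sha256).digest())

    def issue_state(self, action: str) -> str:
        """Create a pending session and return the state the client must echo back."""
        session_id = _b64(secrets.token_bytes(16))   # 128 bits of randomness
        self._sessions[session_id] = action
        return f"{session_id}.{self._sign(session_id, action)}"

    def verify_callback(self, state: str, action: str) -> bool:
        """Accept a callback only if the state names a live session for the expected
        action and its signature verifies; the session is consumed on success."""
        if state.count(".") != 1:
            return False
        session_id, sig = state.split(".")
        pending = self._sessions.get(session_id)
        if pending is None or pending != action:
            return False                 # unknown session, or wrong pending action
        if not hmac.compare_digest(self._sign(session_id, action), sig):
            return False                 # id is real but the signature was forged
        del self._sessions[session_id]   # one-time use: a replay is rejected
        return True


def demo() -> dict:
    """Run the checks a defender cares about; every value should be True."""
    store = StateStore(secrets.token_bytes(32))
    state = store.issue_state("social-login")
    # Flip the last signature character so the id part stays intact.
    tampered = state[:-1] + ("A" if state[-1] != "A" else "B")
    return {
        "forged_id_rejected": not store.verify_callback("AAAA.AAAA", "social-login"),
        "wrong_action_rejected": not store.verify_callback(state, "password-reset"),
        "tampered_sig_rejected": not store.verify_callback(tampered, "social-login"),
        "genuine_accepted": store.verify_callback(state, "social-login"),
        "replay_rejected": not store.verify_callback(state, "social-login"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

    <p>The point of the two-part value is the one Stian makes: copying a state observed on a login link only yields an id whose session is already bound to a different request, and minting a fresh one requires the server's signing secret (or write access to its session store), so a client cannot drive the social callback for a login the server never started. Checking the session and action before the signature, and consuming the session on success, is what turns the callback into a one-time, purpose-bound endpoint.</p>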
  </body>
</html>