[keycloak-user] Authentication from embedded webpage

Marek Posolda mposolda at redhat.com
Wed Apr 6 17:03:24 EDT 2016


Do you have the "control" under the application? Is it possible to 
propagate security contexts from application to embedded IE or vice versa?

In theory what can work is either:
- You will skip step1 and not pop up the username/password box. Instead you 
will just authenticate in step2 inside IE and then propagate the context 
(token) to step1. This is possible only if the application is able to 
access the javascript state from embedded IE.

- If you can propagate just from desktop to IE, then in step1 you will 
configure your application to send the request for username/password 
authentication to Keycloak via direct access grant (instead of sending 
username+password directly to AD/LDAP). Once you receive the token from 
direct access grant, you can use it inside IE in step2 (keycloak.js has 
the possibility to be initialized with a token. You just need to pass the 
token and refreshToken as arguments to keycloak.init. Then keycloak.js 
won't redirect you to the login screen).

Marek

On 06/04/16 11:24, Subhrajyoti Moitra wrote:
> Hello Team,
>
> I have a standalone windows desktop application, that authenticates 
> against an AD/LDAP server. The application pops up a username/password 
> box, and submits it to the LDAP for authentication.
> The same AD/LDAP server is also synced with a Keycloak installation.
>
> The windows application embeds the IE browser control and shows a jsp 
> page.
> This jsp page is protected using keycloak js adapter. Obviously the 
> user is re-directed to the keycloak login page. So the user has to 
> login twice, once using the application popup and other in the 
> embedded jsp, after getting redirected to the keycloak login page.
>
> I don't want to re-prompt the user for relogin, since he has already 
> authenticated against the AD server.
> Is there a way to not re-prompt the user, when the embedded IE 
> requests the secure JSP?
>
> Please help, as we are not able to come up with a solution for the same.
> Any pointers how we can avoid the 2nd authentication.
>
> Thanks,
> Subhro.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
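
The second option in the reply above (direct access grant in the desktop application, then handing the tokens to keycloak.init), sketched as an added example that is not part of the original thread or of Keycloak's own code. The base URL, realm, client id, credentials and all function names are assumptions, the sample token response is constructed, and the `azp`/`exp` checks are an extra sanity check added here before the tokens reach the embedded page.

```javascript
// Added example (runs under Node). Base URL, realm, client id and credentials
// are constructed; the client is assumed to have direct access grants enabled.

// Step 1, desktop side: the form-encoded direct access grant request.
function buildDirectGrantRequest(baseUrl, realm, clientId, username, password) {
  const form = new URLSearchParams({
    grant_type: 'password', client_id: clientId, username, password,
  });
  const root = baseUrl.replace(/\/+$/, '');
  return {
    url: `${root}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

// Read JWT claims without verifying the signature (sanity checks only).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Step 2: turn the token response into the arguments for keycloak.init.
function initOptionsFromTokenResponse(resp, expectedClientId, nowSec) {
  if (resp.error) throw new Error(`grant failed: ${resp.error}`);
  if (!resp.access_token || !resp.refresh_token) throw new Error('token missing');
  const claims = decodeJwtPayload(resp.access_token);
  if (claims.azp !== expectedClientId) throw new Error('token issued to another client');
  if (!(claims.exp > nowSec)) throw new Error('access token expired');
  return { token: resp.access_token, refreshToken: resp.refresh_token };
}

// Constructed token response (fake signature) so the example runs offline.
function sampleTokenResponse(clientId, exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const jwt = `${enc({ alg: 'RS256' })}.${enc({ azp: clientId, exp })}.constructed-sig`;
  return { access_token: jwt, refresh_token: 'constructed-refresh-token' };
}

const opts = initOptionsFromTokenResponse(
  sampleTokenResponse('desktop-app', 2000), 'desktop-app', 1000);
console.log(Object.keys(opts)); // pass opts to keycloak.init(...) in the embedded page
```

The desktop application still handles the user's password in this flow, and the access and refresh tokens cross from the application into the embedded browser, so that hand-off channel should be treated as carrying credentials.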
