[keycloak-user] Fwd: Keycloak login/logout on Android

Emanuel Couto emanuel.amaral.couto at gmail.com
Fri Apr 22 12:10:40 EDT 2016


Didn't send to all.

---------- Forwarded message ---------
From: Emanuel Couto <emanuel.amaral.couto at gmail.com>
Date: Fri, Apr 22, 2016 at 3:12 PM
Subject: Re: [keycloak-user] Keycloak login/logout on Android
To: Summers Pittman <supittma at redhat.com>


Hello.

I managed to get logout working with another client:
https://github.com/openid/AppAuth-Android

---

It is easy to get the demo working with Keycloak. In the Keycloak admin page:
1. Create a Realm (e.g., "test")
2. Create a Client with redirect URI (e.g., "com.mypackage:/oauth2Callback")

In the demo application, update the "idp_configs.xml" file:
1. Update the value of "google_client_id" (e.g., "test-third-party")
2. Update redirect scheme (e.g., "com.mypackage")
3. Update the "google_auth_redirect_uri" (e.g.,
"com.mypackage:/oauth2Callback")

Finally update the "idp_configs_optional.xml":
1. Update "google_discovery_url" (e.g.,
http://localhost:8080/auth/realms/test/.well-known/openid-configuration)

---

The tricky part is adding logout, since it's not part of OpenID Connect
yet.
What I did was use the same mechanism appauth-android uses for
authentication. Instead of using a webview, this client uses custom tabs or
a new browser session. The code is not designed to support "browser
requests" other than authentication, so a lot of copy/pasting was required.
Anyway, it should give an idea of how to make it work.

On Wed, Apr 20, 2016 at 11:17 PM Emanuel Couto <
emanuel.amaral.couto at gmail.com> wrote:

> Ok, this is what I have so far. I confirmed that deleteAccount isn't
> enough. By deleting the account and attempting to connect again, the login
> webview shows up but disappears right afterwards. I suspect the Android
> application knows that you are still logged in because the webview stores
> cookies somehow.
>
> If I call GET <logout_url> with an HTTP client, nothing happens. The
> keycloak administration page shows that I'm still logged in. I believe
> logout would only work if everything was being executed in the same HTTP
> client instance.
>
> I'm trying another client that seems to give more control over current
> status. Hopefully logout will work.
>
> Thanks.
>
> On Wed, Apr 20, 2016 at 1:51 PM Summers Pittman <supittma at redhat.com>
> wrote:
>
>> On Wed, Apr 20, 2016 at 5:20 AM, Emanuel Couto <
>> emanuel.amaral.couto at gmail.com> wrote:
>>
>>> Does that mean I should send the bearer token if I want to logout a
>>> specific user? If that's it how do I do it?
>>>
>>
>> OAuth2 (which is what the AG Authz lib implements) doesn't specify a
>> logoff procedure so it isn't supported directly in the library.
>>
>> Your best out of the box option is to delete the account using the deleteAccount
>> method on your module.  This will remove the local access to the account
>> and eventually your tokens will expire on the server.
>>
>> As a note: delete account does NOT guarantee to delete session cookies
>> for the third party sign in, i.e. if you use Chrome to sign into your Google
>> account to sign into Keycloak, delete your account, and then log in again,
>> you will not be prompted for your Google credentials because that sign in
>> is part of Chrome's session and not the app's.
>>
>>
>>>
>>> The customer and products demos are here:
>>>
>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/customer-app
>>>
>>> https://github.com/keycloak/keycloak/tree/master/examples/demo-template/product-app
>>>
>>> In the documentation page there is a 3 part tutorial (The Basics)
>>> explaining how to install these apps:
>>> http://keycloak.jboss.org/docs
>>>
>>> Everything is web based.
>>>
>>> Thanks.
>>>
>>> On Tue, Apr 19, 2016 at 6:31 PM Summers Pittman <supittma at redhat.com>
>>> wrote:
>>>
>>>> On Tue, Apr 19, 2016 at 1:01 PM, Emanuel Couto <
>>>> emanuel.amaral.couto at gmail.com> wrote:
>>>>
>>>>> Hello.
>>>>>
>>>>> I'm trying to log in to and log out of Keycloak through an Android
>>>>> application. So far I was able to log in using AeroGear Authz. What happens
>>>>> is that a web view is created every time login is required. However, I don't
>>>>> understand how logout works. In the documentation it states that you should
>>>>> point to 'auth/realms/.../logout'. How does it figure out which client I
>>>>> am? Through a session or maybe cookies?
>>>>>
>>>>
>>>> It has been a while since I looked at the code, but IIRC AeroGear authz
>>>> stores the bearer token that has been exchanged with the webview.
>>>>
>>>>
>>>>
>>>>> The other question is how would customer-portal and product-portal be
>>>>> implemented in android, theoretically?
>>>>>
>>>> I'm not familiar with those, could you link me?
>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>>
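
The browser-based logout described in the message at the top of this thread, sketched as an added Java example (not code from the original post, from AppAuth-Android or from Keycloak). The class and method names are hypothetical; the `end_session_endpoint` discovery field and the `id_token_hint`, `post_logout_redirect_uri` and `state` parameters come from OpenID Connect RP-Initiated Logout 1.0 and are assumed to match what the Keycloak version in use accepts.

```java
import android.content.Context;
import android.net.Uri;
import android.util.Base64;
import androidx.browser.customtabs.CustomTabsIntent;
import java.security.SecureRandom;
import java.util.Objects;
import org.json.JSONException;
import org.json.JSONObject;

// Added example: hypothetical helper, not part of AppAuth-Android or Keycloak.
public final class BrowserLogout {
    private static final SecureRandom RNG = new SecureRandom();

    /** Random value echoed back on the redirect so the app can match it to its own request. */
    public static String newState() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.encodeToString(raw, Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP);
    }

    /** Builds the logout URL from the realm's discovery document (already fetched as JSON text). */
    public static Uri buildLogoutUri(String discoveryJson, String idToken,
                                     String postLogoutRedirect, String state) throws JSONException {
        // The ID token travels in the URL, so use an https issuer outside local testing.
        String endpoint = new JSONObject(discoveryJson).getString("end_session_endpoint");
        return Uri.parse(endpoint).buildUpon()
                .appendQueryParameter("id_token_hint", idToken)
                .appendQueryParameter("post_logout_redirect_uri", postLogoutRedirect)
                .appendQueryParameter("state", state)
                .build();
    }

    /** Opens the URL in a custom tab, i.e. the browser that holds the Keycloak session cookie. */
    public static void launch(Context context, Uri logoutUri) {
        new CustomTabsIntent.Builder().build().launchUrl(context, logoutUri);
    }

    /** Call from the activity that receives the redirect; rejects responses the app did not request. */
    public static boolean isExpectedRedirect(Uri received, String expectedRedirect,
                                             String expectedState) {
        Uri expected = Uri.parse(expectedRedirect);
        return Objects.equals(expected.getScheme(), received.getScheme())
                && Objects.equals(expected.getPath(), received.getPath())
                && expectedState.equals(received.getQueryParameter("state"));
    }
}
```

A GET sent from a separate HTTP client carries none of the browser's cookies, which is why the request has to be opened in the same browser that performed the login. Local tokens should still be cleared once `isExpectedRedirect` returns true.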