[keycloak-user] Default client for a realm

Tue Feb 9 06:18:51 EST 2016

One concern with including this is if there's some potential way it can be
a vulnerability.

The only thing I can think of is that it allows figuring out the base url
for a client. That could then be used to figure out valid redirect uris for
a client. Don't think that's a huge deal though.

Another thing is that it is related to a feature we want to add at some
point. We'd like to be able to have a SSO page that lists all clients,
including icons and links to the clients. This would have two use-cases:
1. As a landing page on SSO server, and as a way for users to find all
applications they can login to
2. A rest service would enable applications to get a list of all clients
and provide a link to other applications in the realm (like Google does
with the square boxes icon)

With that in mind it would be better if the URL for client redirect was
"{realm}/clients/{client-id}/redirect" as that would allows us to use
"{realm}/clients" in the future for the above feature. "{realm}/clients" is
already used by ClientRegistrationService, but I think we can move that to
"{realm}/clients/registration" as there's probably not that many people
that are using the client registration service yet.

On 9 February 2016 at 12:02, Thomas Darimont <thomas.darimont at googlemail.com
> wrote:

> Hello,
>
> any ideas regarding this?
>
> We need to link to a default application from several applications and it
> would be helpful if keycloak would provide said redirect mechanism, such
> that
> each application would only need to know the clientId of the default
> client application and keycloak performs the proper redirect to the actual
> target application.
>
> The example posted earlier works like a charm. This could even be extended
> to the point that in case no clientId is given keycloak can decide which
> client to redirect to.
>
> Cheers,
> Thomas
>
> 2016-02-05 19:05 GMT+01:00 Thomas Darimont <thomas.darimont at googlemail.com
> >:
>
>> Quick update - I did some further experiments with this...
>>
>> I added /redirect path to the a
>> org.keycloak.services.resources.RealmsResource
>> like: @Path("{realm}/{client-id}/redirect")
>> see code fragment below.
>>
>> This allows keycloak to initiate a redirect to the browser with the actual
>> target url of the client. Other clients now only need to now the realm
>> and clientId
>> to generate a link that eventually redirects to the target application.
>>
>> Usage:
>> GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302
>> response with location: http://apps.corp.local/launchpad
>>
>> Any chance to get this in as a PR?
>>
>> Cheers,
>> Thomas
>>
>>     @GET
>>     @Path("{realm}/{client-id}/redirect")
>>     public Response getRedirect(final @PathParam("realm") String
>> realmName, final @PathParam("client-id") String clientId) throws Exception{
>>
>>         RealmModel realm = init(realmName);
>>
>>         if (realm == null){
>>             return null;
>>         }
>>
>>         ClientModel client = realm.getClientByClientId(clientId);
>>
>>         if (client == null){
>>             return null;
>>         }
>>
>>         if (client.getRootUrl() == null){
>>             return
>> Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();
>>         }
>>
>>         return Response.temporaryRedirect(URI.create(client.getRootUrl()
>> + client.getBaseUrl())).build();
>>     }
>>
>> 2016-02-05 16:23 GMT+01:00 Thomas Darimont <
>> thomas.darimont at googlemail.com>:
>>
>>> Hello,
>>>
>>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme <
>>> thomas.raehalme at aitiofinland.com>:
>>>
>>>> I understand this as well, but it has not been uncommon to encounter a
>>>> situation where the user needs to know where to go next, because Keycloak
>>>> doesn't have a link available.
>>>
>>>
>>> with a redirect facility as outlined above - one could render a link to
>>> the "$KEYCLOAK_BASE_URL/redirect" or
>>> lookup the "default" client in order to render the client base url link
>>> with a proper label (client name).
>>>
>>> Cheers,
>>> Thomas
>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/97192e40/attachment.html 