[keycloak-user] Widget For Embedding in Single Page App

Brandon Dale Koepke brandon at finitemoment.com
Wed Jul 19 21:28:15 EDT 2017


Hello,

I was hoping to duplicate this functionality with Keycloak: https://auth0.com/docs/libraries/lock/v10/ui-customization#primarycolor-string-. (I want a single-page app ideally where the user can register without being forwarded to a separate page.)
Auth0 has a nice API for both logging in **and** registering users so everything can be done from a single page app on the client side. Login seems to be supported fully and easily from an API with Keycloak using frontend only code but registering users doesn’t seem to be so simple.
In order to do this with Keycloak, it seems that I have a few options.

(1) Embed the Keycloak login/register page in an iframe and theme the login/registration page. (I’m certain there are vulnerabilities I’m introducing by taking this route, CSRF?)
(2) Create another separate backend API that has an admin token for registering users. Then you post a JSON describing the user to a ‘/register’ endpoint. (Secure I think but wasteful of resources… Also introduces an additional failure point.)
(3) Capture the required fields and POST them using the same format as a client would when using the regular Keycloak registration page. (Seems like I have to do some interesting fetching in order to get an authorization token for the login here as well, at least according to the pcap I generated. Would really like to avoid doing this if possible.)
(4) Create a limited admin user (or client?) that can only create users and nothing more. Pass login information for this user through the frontend and use that user on the frontend to make the admin API calls for registering users. (Difficult to make secure? Seems strange that I would be exposing an admin/client secret to the frontend, but as long as it is possible to lock it down enough that the user can’t be used for anything else then I think this is roughly equivalent to how the Keycloak page works anyway. Unless I’m missing something important?)
(5) Variant of (2): create a new plugin for Keycloak that has the required ‘/register’ API without authenticating users. (Seems like this would already exist if it was possible to do securely.)
(6) Have Keycloak resolve to a subdomain on my main server; that way, even though it isn’t seamless, users won’t be redirected to a different domain entirely. (If possible I would like to avoid this since Auth0 seems to have solved it.)
Is there something better than any of these? If not, which options are still secure and which would you recommend?
At the end of the day I would like something similar to the login/registration page for Buffer: https://www.buxfer.com[1]. A modal window opens with a create account option, my ideal login/registration flow would be similar.
Any word on this would be greatly appreciated.

Links:

  1. https://www.buxfer.com/
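Option (2) from the post, a small backend that keeps the admin credential off the browser, written out as an added example (not code from the original post or from the Keycloak project). It assumes a hypothetical confidential client `registration-backend` whose service account has been granted the realm-management `manage-users` role, placeholder hostname/realm/secret values, and the standard `openid-connect/token` and Admin REST `users` endpoints.

```python
import json
import urllib.parse
import urllib.request

# Assumed deployment values (placeholders, not from the original post).
BASE = "https://keycloak.example.com/auth"
REALM = "myrealm"
CLIENT_ID = "registration-backend"  # confidential client with a service account
CLIENT_SECRET = "<client-secret-placeholder>"  # stays on the backend, never in the SPA
ALLOWED = {"username", "email", "firstName", "lastName", "password"}

def validate_form(form):
    """Problems with the JSON the SPA posted; empty list means it is acceptable."""
    errors = ["unexpected field: " + k for k in sorted(set(form) - ALLOWED)]
    errors += ["missing " + k for k in ("username", "email", "password") if not form.get(k)]
    if form.get("email") and "@" not in form["email"]:
        errors.append("invalid email")
    if len(form.get("password", "")) < 8:
        errors.append("password too short")
    return errors

def build_user_representation(form):
    """Keycloak UserRepresentation built server-side: the browser never chooses
    enabled/verified state, roles or attributes, only the whitelisted fields."""
    errors = validate_form(form)
    if errors:
        raise ValueError("; ".join(errors))
    return {"username": form["username"], "email": form["email"],
            "firstName": form.get("firstName", ""), "lastName": form.get("lastName", ""),
            "enabled": True, "emailVerified": False, "requiredActions": ["VERIFY_EMAIL"],
            "credentials": [{"type": "password", "value": form["password"], "temporary": False}]}

def http_post(url, data, headers):
    """Real transport: POST raw bytes, return (status, decoded JSON body or None)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def register_user(form, post=http_post):
    """Service-account token (client_credentials grant), then Admin REST create; `post` is injectable."""
    user = build_user_representation(form)
    token_url = "%s/realms/%s/protocol/openid-connect/token" % (BASE, REALM)
    creds = {"grant_type": "client_credentials", "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    _, tok = post(token_url, urllib.parse.urlencode(creds).encode(),
                  {"Content-Type": "application/x-www-form-urlencoded"})
    status, _ = post("%s/admin/realms/%s/users" % (BASE, REALM), json.dumps(user).encode(),
                     {"Authorization": "Bearer " + tok["access_token"], "Content-Type": "application/json"})
    return status == 201  # Keycloak answers 201 Created; the Location header names the new user
```

The SPA only ever talks to this backend's `/register` route (rate limiting and a CAPTCHA belong there), so the client secret and the ability to set roles or the `enabled` flag never reach the browser.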
