[keycloak-user] Keycloak Login in Main SPA Page

Philip Lysenko philip.lysenko at conceptpeople.de
Thu Aug 2 06:34:20 EDT 2018


Hello. We are evaluating Keycloak/OIDC as an authentication solution. Apart from SSO and Multi-Factor-Authentication, one use-case we have is a carousel of login-forms in our SPA:

| User A |  <=>  | User B |  <=>  | User C |
| Passwd |  <=>  | Passwd |  <=>  | Passwd |

We want our users to quickly switch their sessions at a terminal (running our SPA client). The main challenge here is to integrate the login form in the parent instance instead of redirecting to a new website. Our findings are that this is possible with the "Password" flow. But since the recommended flow for SPAs is the "Implicit" one (for obvious security reasons), we would prefer that over Password, if the described carousel is possible with it.

For the Implicit flow there is the possibility to do a silent refresh. It utilizes an invisible iframe for the redirect which provides a new token. Is it possible to do the same trick for the initial log-in? I don't see how the refresh is different from the login. The way I get it is that for the refresh you inject the old token in the iframe and it delivers the parent app a new one. For the initial login, why would it not work to provide the iframe with credentials instead and trigger the redirect the same way as the refresh?

Is there any other workaround to implement Implicit? If we have to go with the Password flow, what are the implications for our security, considering we utilise HTTPS and XSS/CSRF measures? The main problem would be old or infected browsers, no? This website here says to use the Password flow only for "highly trusted clients": https://auth0.com/docs/api-auth/which-oauth-flow-to-use And we will be the only ones writing client code, so is Password A-OK for us?

Thank you and Regards, Phil

- - - - - - - - - - - - -
ConceptPeople consulting gmbh

Philip Lysenko
Lead-Developer

ConceptPeople consulting gmbh
Yokohamastraße 2
20457 Hamburg

Tel: 040 - 605 33 83 53
Fax: 040 - 605 33 83 99
www.conceptpeople.de

Geschäftsführer:
Bjarne Jansen, Andreas Rother
Steuer-Nr: 46/712/02908
UID-NR: DE219814648
Registergericht:
Hamburg, HRB 82938