[keycloak-user] SSO experience

Thu Nov 15 04:15:07 EST 2018

Hi Dmitry,
Thank you for answering.
In fact, the desktop app is not yet integrated to Keycloak and it is work to be done. 
I'm not familiar with the desktop app since it is a 3rd party app not written by us. If Java based, I thought of using one of the Keycloak Java adapters. If not, just get the token with an HTTP[S] call (which seems that this is also what kcinit and KeycloakInstalled are doing as well).
I was not familiar with kcinit or KeycloakInstalled before. 
KeycloakInstalled might be a solution, but with limitations:
1) The desktop app must be written in Java.
2) It must be acceptable by the app designers to launch a browser for login. 
3) If I understand correctly, it only performs a client level authentication, not supporting username/password credentials authentication.

That leads me to the original question - can I have SSO without using cookies, and by simply send the token to my web app as part of the starting URL (the desktop app will launch the web app in a browser)?

Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro> 
Sent: Wednesday, November 14, 2018 20:34
To: Ori Doolman <Ori.Doolman at Amdocs.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SSO experience

Hello Ori,

How do you implement SSO for your desktop application? Are you using kcinit [1] or KeycloakInstalled [2]?

Both will do interactive login via the system browser, that means, SSO cookies should be shared with whatever web application that is run therein.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/kcinit
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter

On Wed, 2018-11-14 at 10:36 +0000, Ori Doolman wrote:
> Hi,
> I have 2 applications: one is desktop (Windows) and the other one is a web application.
> My desktop application performs authentication and login using Keycloak, and getting a JWT Access Token.
> My web application is using the Keycloak JS adapter to perform the same.
> 
> After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
> 
> 
> 
> Maybe I can pass the token and refresh token from desktop application as init parameters to the Keycloak-JS ?
> I see the following code is checking if initOptions contains the token:
> 
> 
>             function processInit() {
>                 var callback = parseCallback(window.location.href);
> 
>                 if (callback) {
>                     window.history.replaceState({}, null, callback.newUrl);
>                 }
> 
>                 if (callback && callback.valid) {
>                     return setupCheckLoginIframe().success(function() {
>                         processCallback(callback, initPromise);
>                     }).error(function (e) {
>                         initPromise.setError();
>                     });
>                 } else if (initOptions) {
>                     if (initOptions.token && initOptions.refreshToken) {
>                         setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
> 
> 
> 
> 
> 
> 
> Thanks,
> 
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
> 
> 
> > [cid:image001.png at 01D2C8DE.BFF33E10]
> 
> “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
“Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.