[keycloak-user] SSO experience

Dmitry Telegin dt at acutus.pro
Sun Nov 18 19:15:47 EST 2018


Hi Ori, you're welcome,

On Thu, 2018-11-15 at 09:15 +0000, Ori Doolman wrote:
> Hi Dmitry,
> Thank you for answering.
> In fact, the desktop app is not yet integrated to Keycloak and it is work to be done. 
> I'm not familiar with the desktop app since it is a 3rd party app not written by us. If Java based, I thought of using one of the Keycloak Java adapters. If not, just get the token with an HTTP[S] call (which seems to be what kcinit and KeycloakInstalled are doing as well).
> I was not familiar with kcinit or KeycloakInstalled before. 
> KeycloakInstalled might be a solution, but with limitations:
> 1) The desktop app must be written in Java.
> 2) It must be acceptable to the app designers to launch a browser for login.
> 3) If I understand correctly, it only performs a client level authentication, not supporting username/password credentials authentication.
> 
> That leads me to the original question - can I have SSO without using cookies, by simply sending the token to my web app as part of the starting URL (the desktop app will launch the web app in a browser)?

Is it correct that your desktop app uses the direct grant to authenticate a user with login/password and to obtain tokens from the Keycloak OIDC endpoint? This would imply that features like password reset or conditional OTP, which are available via the Keycloak interactive login only, would be unavailable.

If you're ok with this, I think what you're talking about should be possible. Token size (and hence URL length) shouldn't be an issue, since modern browsers are able to swallow really gigantic URLs (like "data:"). Obviously, it will be the responsibility of your webapp to parse the token out of the URL.

And please don't forget that you'll have to pass the refresh token too, since access tokens are short-lived and you'll need to refresh them.

Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
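Added example of the scheme discussed above; this is not code from the thread, from Keycloak or from keycloak-js, and the host names, realm issuer, fragment parameter names and sample JWTs are all assumptions made for the example. The desktop side puts the access and refresh tokens into the launch URL, and the web side parses them back out and hands them to keycloak.init() through the token/refreshToken/idToken init options that the processInit() code quoted further down picks up. Two points a practitioner would want that the thread leaves implicit are encoded here: the tokens travel in the URL fragment rather than the query string, so they never reach the web server's access log or a Referer header, and are scrubbed from the address bar with history.replaceState; and checkLoginIframe is disabled, because the login-status iframe compares the token's session against the KEYCLOAK_SESSION cookie, which a browser that never performed an interactive login does not have, and a mismatch makes the adapter drop the tokens it was just given. The client-side checks are only a pre-screen so the app can fall back to interactive login; the tokens are actually validated server-side when the adapter refreshes them against the token endpoint.

```javascript
// Added example (not from this thread, Keycloak or keycloak-js): passing
// Keycloak tokens from a desktop app to a web app through the launch URL.
// Everything concrete here (host names, realm issuer, fragment parameter
// names, the sample JWTs) is an assumption made for the example.

// --- desktop side: build the launch URL -------------------------------------
// Tokens go in the fragment (#...), never the query string: the fragment is not
// sent to the server, so it stays out of access logs and Referer headers.
function buildLaunchUrl(webAppUrl, tokens) {
  const params = new URLSearchParams({ token: tokens.token, refresh_token: tokens.refreshToken });
  if (tokens.idToken) params.set('id_token', tokens.idToken);
  return webAppUrl + '#' + params.toString();
}

// --- web side: recover the tokens -------------------------------------------
function parseTokensFromUrl(href) {
  const url = new URL(href);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const token = params.get('token');
  const refreshToken = params.get('refresh_token');
  const idToken = params.get('id_token');
  // keycloak-js only uses the init options when both tokens are present.
  if (!token || !refreshToken) return null;
  return { token, refreshToken, idToken: idToken || undefined };
}

// URL to put back in the address bar so the tokens are not left in history.
function stripFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.toString();
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read the JWT payload without verifying the signature: the browser has no
// trusted key for that, and keycloak-js does not verify signatures either.
// The server validates the tokens on the first refresh.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cheap pre-screen: issuer must be our realm and the access token must not be
// expired. On failure the app should fall back to an interactive login.
function tokensAcceptable(tokens, expectedIssuer, nowSeconds) {
  let payload;
  try { payload = decodeJwtPayload(tokens.token); } catch (e) { return false; }
  if (payload.iss !== expectedIssuer) return false;
  return typeof payload.exp === 'number' && payload.exp > nowSeconds;
}

// Init options for keycloak.init(): token/refreshToken/idToken are the fields
// the quoted processInit() code picks up. checkLoginIframe is off because the
// login-status iframe compares against the KEYCLOAK_SESSION cookie, which this
// browser never received (the login happened in the desktop app), and a
// mismatch makes the adapter clear the tokens it was just given.
function initOptionsFor(tokens) {
  return { token: tokens.token, refreshToken: tokens.refreshToken, idToken: tokens.idToken, checkLoginIframe: false };
}

// Constructed sample token: header and payload are real base64url JSON, the
// signature is a placeholder because nothing here checks it.
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeUnsignedSampleJwt(payload) {
  return base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' +
    base64UrlEncode(JSON.stringify(payload)) + '.signature-placeholder';
}

// Browser entry point (only called in the browser; the helpers above run anywhere).
function bootstrapFromLaunchUrl(keycloak, expectedIssuer) {
  const tokens = parseTokensFromUrl(window.location.href);
  window.history.replaceState({}, '', stripFragment(window.location.href));
  if (tokens && tokensAcceptable(tokens, expectedIssuer, Math.floor(Date.now() / 1000))) {
    return keycloak.init(initOptionsFor(tokens));
  }
  return keycloak.init({ onLoad: 'login-required' }); // no usable tokens: normal interactive login
}
```

In the browser the web app would call bootstrapFromLaunchUrl(new Keycloak(config), 'https://sso.example/auth/realms/demo') once at startup. The refresh token is the long-lived credential in this design, so the desktop app should generate the launch URL immediately before opening the browser and never log or persist it.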

> 
> 
> Thanks,
> 
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
> 
> +972 9 778 6914 (office)
> +972 50 9111442 (mobile)
> 
> 
> 
> -----Original Message-----
> From: Dmitry Telegin <dt at acutus.pro>
> Sent: Wednesday, November 14, 2018 20:34
> To: Ori Doolman <Ori.Doolman at Amdocs.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] SSO experience
> 
> Hello Ori,
> 
> How do you implement SSO for your desktop application? Are you using kcinit [1] or KeycloakInstalled [2]?
> 
> Both will do interactive login via the system browser, which means that SSO cookies should be shared with whatever web application is run therein.
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> [1] https://github.com/keycloak/kcinit
> [2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
> 
> On Wed, 2018-11-14 at 10:36 +0000, Ori Doolman wrote:
> > Hi,
> > I have 2 applications: one is desktop (Windows) and the other one is a web application.
> > My desktop application performs authentication and login using Keycloak, and gets a JWT access token.
> > My web application is using the Keycloak JS adapter to perform the same.
> > 
> > After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
> > 
> > 
> > 
> > Maybe I can pass the token and refresh token from the desktop application as init parameters to Keycloak-JS?
> > I see the following code checks whether initOptions contains the token:
> > 
> > 
> >             function processInit() {
> >                 var callback = parseCallback(window.location.href);
> > 
> >                 if (callback) {
> >                     window.history.replaceState({}, null, callback.newUrl);
> >                 }
> > 
> >                 if (callback && callback.valid) {
> >                     return setupCheckLoginIframe().success(function() {
> >                         processCallback(callback, initPromise);
> >                     }).error(function (e) {
> >                         initPromise.setError();
> >                     });
> >                 } else if (initOptions) {
> >                     if (initOptions.token && initOptions.refreshToken) {
> >                         setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
> > 
> > Thanks,
> > 
> > Ori Doolman
> > Lead Software Architect
> > Amdocs Optima
> > 
> > 
> > 
> > “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 