[keycloak-user] OAuth2 extensions - oob vs oob:auto

David North david-kc-users at dnorth.net
Thu Jan 31 07:56:07 EST 2019


Hi,

I am working on a desktop application which wants to access various APIs 
secured by OAuth2 using Keycloak.

The workflow I am trying to support is that the application will show an 
embedded browser widget with the Keycloak login page, and once the user 
is logged in, my application will extract the OAuth token and use it.

I don't want my application to have to listen on a local port and use a 
redirect URI of http://localhost:port, so the OAuth extension which 
allows a redirect URI of urn:ietf:wg:oauth:2.0:oob:auto seems ideal.

The documentation at https://www.keycloak.org/docs/4.0/securing_apps/ 
says Keycloak only supports the urn:ietf:wg:oauth:2.0:oob variant, where 
the user has to copy/paste the code manually into the app. However, 
confusingly the documentation also claims:

"When this redirect uri is used Keycloak displays a page with the code 
in the title and in a box on the page."

The code is not in the title (which just says "Success code") - if it 
were then it would be easy for my application to extract, and the 
behaviour would be equivalent to urn:ietf:wg:oauth:2.0:oob:auto

Would there be any objection to a bug and patch to:

* Treat urn:ietf:wg:oauth:2.0:oob:auto as an alias for 
urn:ietf:wg:oauth:2.0:oob

* Put the code in the page title as well as a box on the page?

Thanks,

David


