<div dir="ltr">One concern with including this is if there's some potential way it can be a vulnerability. <div><br></div><div>The only thing I can think of is that it allows figuring out the base url for a client. That could then be used to figure out valid redirect uris for a client. Don't think that's a huge deal though.</div><div><br></div><div>Another thing is that it is related to a feature we want to add at some point. We'd like to be able to have a SSO page that lists all clients, including icons and links to the clients. This would have two use-cases:</div><div>1. As a landing page on SSO server, and as a way for users to find all applications they can login to</div><div>2. A rest service would enable applications to get a list of all clients and provide a link to other applications in the realm (like Google does with the square boxes icon)</div><div><br></div><div>With that in mind it would be better if the URL for client redirect was "{realm}/clients/{client-id}/redirect" as that would allows us to use "{realm}/clients" in the future for the above feature. "{realm}/clients" is already used by ClientRegistrationService, but I think we can move that to "{realm}/clients/registration" as there's probably not that many people that are using the client registration service yet.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 9 February 2016 at 12:02, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>any ideas regarding this?<div><br></div><div>We need to link to a default application from several applications and it would be helpful if keycloak would provide said redirect mechanism, such that</div><div>each application would only need to know the clientId of the default client application and keycloak performs the proper redirect to the actual target application.</div><div><br></div><div>The example posted earlier works like a charm. This could even be extended to the point that in case no clientId is given keycloak can decide which client to redirect to.</div><div><br></div><div>Cheers,</div><div>Thomas</div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">2016-02-05 19:05 GMT+01:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Quick update - I did some further experiments with this...</div><div><br></div><div>I added /redirect path to the a org.keycloak.services.resources.RealmsResource</div><div>like: @Path("{realm}/{client-id}/redirect")</div><div>see code fragment below.</div><div><br></div><div>This allows keycloak to initiate a redirect to the browser with the actual</div><div>target url of the client. Other clients now only need to now the realm and clientId</div><div>to generate a link that eventually redirects to the target application.</div><div><br></div><div>Usage:</div><div>GET <a href="http://localhost:8081/auth/realms/master/launchpad/redirect" target="_blank">http://localhost:8081/auth/realms/master/launchpad/redirect</a> -> 302 response with location: <a href="http://apps.corp.local/launchpad" target="_blank">http://apps.corp.local/launchpad</a></div><div><br></div><div>Any chance to get this in as a PR?</div><div><br></div><div>Cheers,</div><div>Thomas</div><div><br></div><div> @GET</div><div> @Path("{realm}/{client-id}/redirect")</div><div> public Response getRedirect(final @PathParam("realm") String realmName, final @PathParam("client-id") String clientId) throws Exception{</div><div><br></div><div> RealmModel realm = init(realmName);</div><div><br></div><div> if (realm == null){</div><div> return null;</div><div> }</div><div><br></div><div> ClientModel client = realm.getClientByClientId(clientId);</div><div><br></div><div> if (client == null){</div><div> return null;</div><div> }</div><div><br></div><div> if (client.getRootUrl() == null){</div><div> return Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();</div><div> }</div><div><br></div><div> return Response.temporaryRedirect(URI.create(client.getRootUrl() + client.getBaseUrl())).build();</div><div> }</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-05 16:23 GMT+01:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">Hello,</div><div class="gmail_extra"><br><div class="gmail_quote"><span>2016-02-05 15:22 GMT+01:00 Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I understand this as well, but it has not been uncommon to encounter a situation where the user needs to know where to go next, because Keycloak doesn't have a link available. </blockquote><div><br></div></span><div>with a redirect facility as outlined above - one could render a link to the "$KEYCLOAK_BASE_URL/redirect" or </div><div>lookup the "default" client in order to render the client base url link with a proper label (client name).</div><div><br></div><div>Cheers,</div><div>Thomas </div></div><br><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>