<div dir="ltr"><div>Thanks for your input :)</div><div><br></div><div>The redirect would only work after a successful authentication,</div><div>so unauthenticated users couldn't "probe" the realm for clients / target urls.</div><div><br></div><div>But I see your point that an authenticated "malicious" user could probe all </div><div>clients if he knew all clientIds (potentially via the new API).</div><div>Perhaps one could offer a way to define some kind of grouping concept to describe </div><div>which clients can see each other (client group?) - so only clients from within the</div><div>same group would be eligible for such a redirect.</div><div><br></div><div>Btw. I adapted your suggestion regarding the endpoint path (which is now: {realm}/clients/{client_id}/redirect)</div><div>and created a JIRA issue [0] and PR [1] with my current impl as a base for further discussion.</div><div><br></div><div>> Another thing is that it is related to a feature we want to add at some point. </div><div>> We'd like to be able to have a SSO > page that lists all clients, including icons and links to the clients.</div><div>> This would have two use-cases: </div><div>> 1. As a landing page on SSO server, and as a way for users to find all applications they can login to</div><div><br></div><div>This would be really helpful - is this supposed to replace the applications section in the account page?</div><div><br></div><div>> 2. A rest service would enable applications to get a list of all clients and provide a link </div><div>> to other applications in the realm (like Google does with the square boxes icon)</div><div><br></div><div>This would also be very helpful, currently I pull the information with the keycloak admin client</div><div>in order to render such a page. A dedicated endpoint that returns client metadata in JSON format</div><div>would be neat. 
Are you planning to just build a dedicated page of all apps or also an html/js widget like the 9 square app selector?</div><div><br></div><div>[0] <a href="https://issues.jboss.org/browse/KEYCLOAK-2469">https://issues.jboss.org/browse/KEYCLOAK-2469</a></div><div>[1] <a href="https://github.com/keycloak/keycloak/pull/2202">https://github.com/keycloak/keycloak/pull/2202</a></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-09 12:18 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">One concern with including this is if there's some potential way it can be a vulnerability. <div><br></div><div>The only thing I can think of is that it allows figuring out the base url for a client. That could then be used to figure out valid redirect uris for a client. Don't think that's a huge deal though.</div><div><br></div><div>Another thing is that it is related to a feature we want to add at some point. We'd like to be able to have a SSO page that lists all clients, including icons and links to the clients. This would have two use-cases:</div><div>1. As a landing page on SSO server, and as a way for users to find all applications they can login to</div><div>2. A rest service would enable applications to get a list of all clients and provide a link to other applications in the realm (like Google does with the square boxes icon)</div><div><br></div><div>With that in mind it would be better if the URL for client redirect was "{realm}/clients/{client-id}/redirect" as that would allow us to use "{realm}/clients" in the future for the above feature. 
"{realm}/clients" is already used by ClientRegistrationService, but I think we can move that to "{realm}/clients/registration" as there's probably not that many people that are using the client registration service yet.</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 9 February 2016 at 12:02, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>any ideas regarding this?<div><br></div><div>We need to link to a default application from several applications and it would be helpful if keycloak would provide said redirect mechanism, such that</div><div>each application would only need to know the clientId of the default client application and keycloak performs the proper redirect to the actual target application.</div><div><br></div><div>The example posted earlier works like a charm. 
This could even be extended to the point that in case no clientId is given keycloak can decide which client to redirect to.</div><div><br></div><div>Cheers,</div><div>Thomas</div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-05 19:05 GMT+01:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Quick update - I did some further experiments with this...</div><div><br></div><div>I added /redirect path to the org.keycloak.services.resources.RealmsResource</div><div>like: @Path("{realm}/{client-id}/redirect")</div><div>see code fragment below.</div><div><br></div><div>This allows keycloak to initiate a redirect to the browser with the actual</div><div>target url of the client. Other clients now only need to know the realm and clientId</div><div>to generate a link that eventually redirects to the target application.</div><div><br></div><div>Usage:</div><div>GET <a href="http://localhost:8081/auth/realms/master/launchpad/redirect" target="_blank">http://localhost:8081/auth/realms/master/launchpad/redirect</a> -> 302 response with location: <a href="http://apps.corp.local/launchpad" target="_blank">http://apps.corp.local/launchpad</a></div><div><br></div><div>Any chance to get this in as a PR?</div><div><br></div><div>Cheers,</div><div>Thomas</div><div><br></div><div> @GET</div><div> @Path("{realm}/{client-id}/redirect")</div><div> public Response getRedirect(final @PathParam("realm") String realmName, final @PathParam("client-id") String clientId) throws Exception{</div><div><br></div><div> RealmModel realm = init(realmName);</div><div><br></div><div> if (realm == null){</div><div> return null;</div><div> }</div><div><br></div><div> ClientModel client = realm.getClientByClientId(clientId);</div><div><br></div><div> if 
(client == null){</div><div> return null;</div><div> }</div><div><br></div><div> if (client.getRootUrl() == null){</div><div> return Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();</div><div> }</div><div><br></div><div> return Response.temporaryRedirect(URI.create(client.getRootUrl() + client.getBaseUrl())).build();</div><div> }</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-05 16:23 GMT+01:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">Hello,</div><div class="gmail_extra"><br><div class="gmail_quote"><span>2016-02-05 15:22 GMT+01:00 Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I understand this as well, but it has not been uncommon to encounter a situation where the user needs to know where to go next, because Keycloak doesn't have a link available. </blockquote><div><br></div></span><div>with a redirect facility as outlined above - one could render a link to the "$KEYCLOAK_BASE_URL/redirect" or </div><div>lookup the "default" client in order to render the client base url link with a proper label (client name).</div><div><br></div><div>Cheers,</div><div>Thomas </div></div><br><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
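The redirect resolution from the posted snippet (rootUrl + baseUrl when a root URL is set, otherwise baseUrl substituted as the path of Keycloak's own request URL) together with the "client group" restriction proposed in the reply, modelled as an added standalone example; this is not Keycloak code nor code from any poster. The Realm/Client classes, the `group` attribute and the sample clients other than `launchpad` are constructed assumptions; unknown targets and targets outside the caller's group get the same "not found" outcome so the endpoint cannot be used to enumerate other groups' base URLs.

```python
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Client:
    client_id: str
    root_url: Optional[str]   # stands in for ClientModel.getRootUrl()
    base_url: str             # stands in for ClientModel.getBaseUrl()
    group: str                # hypothetical "client group" attribute


@dataclass
class Realm:
    name: str
    clients: Dict[str, Client]


class RedirectNotFound(Exception):
    """Maps to HTTP 404. Raised identically for unknown and out-of-group clients."""


def target_url(request_url: str, client: Client) -> str:
    """Compose the Location header the way the posted snippet does."""
    if client.root_url is None:
        # uriInfo.getAbsolutePathBuilder().replacePath(baseUrl): keep scheme
        # and host of the request, swap in the client's base path.
        p = urlsplit(request_url)
        return urlunsplit((p.scheme, p.netloc, client.base_url, "", ""))
    return client.root_url + client.base_url


def resolve_redirect(realm: Realm, request_url: str,
                     caller_client_id: str, target_client_id: str) -> str:
    """Return the redirect target for an authenticated caller, or raise 404."""
    caller = realm.clients.get(caller_client_id)
    target = realm.clients.get(target_client_id)
    # One branch for "does not exist" and "not visible": same 404 either way.
    if caller is None or target is None or target.group != caller.group:
        raise RedirectNotFound(target_client_id)
    return target_url(request_url, target)


# Constructed sample realm; launchpad's URLs are the ones from the thread.
MASTER = Realm("master", {
    "launchpad": Client("launchpad", "http://apps.corp.local", "/launchpad", "intranet"),
    "crm": Client("crm", "http://apps.corp.local", "/crm", "intranet"),
    "account": Client("account", None, "/auth/realms/master/account/", "intranet"),
    "partner-portal": Client("partner-portal", "http://partners.example", "/", "partner"),
})
REQUEST = "http://localhost:8081/auth/realms/master/clients/launchpad/redirect"
```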