<div dir="ltr">It's to late to add this for 1.9, so we need to wait with merging it after we've branched 1.9.x.<div><br></div><div>I also need to figure out what to do with the client-registration service as your PR adds this to "{realm}/clients" which is also the endpoint for the client registration service.<br><div class="gmail_extra"><br><div class="gmail_quote">On 9 February 2016 at 17:18, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks for your input :)</div><div><br></div><div>The redirect would only work after a successful authentication,</div><div>so unauthenticated users couldn't "probe" the realm for clients / target urls.</div><div><br></div><div>But I see your point that an authenticated "malicious" user could probe all </div><div>clients if he knew all clientIds (potentially via the new API).</div><div>Perhaps one could offer a way to define some kind of grouping concept to describe </div><div>which clients that can see each other (client group?) - so only clients from within the</div><div>same group would be eligible for such a redirect.</div><div><br></div><div>Btw. I adapted your suggestion regarding the endpoint path (which is now: {realm}/clients/{client_id}/redirect)</div><div>and created a JIRA issue [0] and PR [1] with my current impl as a base for further discussion.</div><span><div><br></div><div>> Another thing is that it is related to a feature we want to add at some point. </div><div>> We'd like to be able to have a SSO > page that lists all clients, including icons and links to the clients.</div><div>> This would have two use-cases: </div><div>> 1. As a landing page on SSO server, and as a way for users to find all applications they can login to</div><div><br></div></span><div>This would be really helpful - is this supposed to replace the applications section in the account page?</div></div></blockquote><div><br></div><div>The plan was to have a separate page. It would be simpler than the one in account management as it would simply list the applications, not show access.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span><div><br></div><div>> 2. A rest service would enable applications to get a list of all clients and provide a link </div><div>> to other applications in the realm (like Google does with the square boxes icon)</div><div><br></div></span><div>This would also be very helpful, currently I pull the information with the keycloak admin client</div><div>in order to render such a page. A dedicated endpoint that returns clients metadata in JSON format </div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>would be neat. Are you planning to just build a dedicated page of all apps or also a html/js widget like the 9 square app selector?</div></div></blockquote><div><br></div><div>We where only planning on doing the REST endpoints and the applications landing page</div><div><br></div><div>Not sure a html/js widget would be that useful. It would be fairly simple to create your own using the REST endpoints and chances are we wouldn't be able to create one that accommodates everyone needs so most folks would end up having to do their own.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>[0] <a href="https://issues.jboss.org/browse/KEYCLOAK-2469" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2469</a></div><div>[1] <a href="https://github.com/keycloak/keycloak/pull/2202" target="_blank">https://github.com/keycloak/keycloak/pull/2202</a></div><div><br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-09 12:18 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">One concern with including this is if there's some potential way it can be a vulnerability. <div><br></div><div>The only thing I can think of is that it allows figuring out the base url for a client. That could then be used to figure out valid redirect uris for a client. Don't think that's a huge deal though.</div><div><br></div><div>Another thing is that it is related to a feature we want to add at some point. We'd like to be able to have a SSO page that lists all clients, including icons and links to the clients. This would have two use-cases:</div><div>1. As a landing page on SSO server, and as a way for users to find all applications they can login to</div><div>2. A rest service would enable applications to get a list of all clients and provide a link to other applications in the realm (like Google does with the square boxes icon)</div><div><br></div><div>With that in mind it would be better if the URL for client redirect was "{realm}/clients/{client-id}/redirect" as that would allows us to use "{realm}/clients" in the future for the above feature. "{realm}/clients" is already used by ClientRegistrationService, but I think we can move that to "{realm}/clients/registration" as there's probably not that many people that are using the client registration service yet.</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 9 February 2016 at 12:02, Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>any ideas regarding this?<div><br></div><div>We need to link to a default application from several applications and it would be helpful if keycloak would provide said redirect mechanism, such that</div><div>each application would only need to know the clientId of the default client application and keycloak performs the proper redirect to the actual target application.</div><div><br></div><div>The example posted earlier works like a charm. This could even be extended to the point that in case no clientId is given keycloak can decide which client to redirect to.</div><div><br></div><div>Cheers,</div><div>Thomas</div></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-05 19:05 GMT+01:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Quick update - I did some further experiments with this...</div><div><br></div><div>I added /redirect path to the a org.keycloak.services.resources.RealmsResource</div><div>like: @Path("{realm}/{client-id}/redirect")</div><div>see code fragment below.</div><div><br></div><div>This allows keycloak to initiate a redirect to the browser with the actual</div><div>target url of the client. Other clients now only need to now the realm and clientId</div><div>to generate a link that eventually redirects to the target application.</div><div><br></div><div>Usage:</div><div>GET <a href="http://localhost:8081/auth/realms/master/launchpad/redirect" target="_blank">http://localhost:8081/auth/realms/master/launchpad/redirect</a> -> 302 response with location: <a href="http://apps.corp.local/launchpad" target="_blank">http://apps.corp.local/launchpad</a></div><div><br></div><div>Any chance to get this in as a PR?</div><div><br></div><div>Cheers,</div><div>Thomas</div><div><br></div><div> @GET</div><div> @Path("{realm}/{client-id}/redirect")</div><div> public Response getRedirect(final @PathParam("realm") String realmName, final @PathParam("client-id") String clientId) throws Exception{</div><div><br></div><div> RealmModel realm = init(realmName);</div><div><br></div><div> if (realm == null){</div><div> return null;</div><div> }</div><div><br></div><div> ClientModel client = realm.getClientByClientId(clientId);</div><div><br></div><div> if (client == null){</div><div> return null;</div><div> }</div><div><br></div><div> if (client.getRootUrl() == null){</div><div> return Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();</div><div> }</div><div><br></div><div> return Response.temporaryRedirect(URI.create(client.getRootUrl() + client.getBaseUrl())).build();</div><div> }</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2016-02-05 16:23 GMT+01:00 Thomas Darimont <span dir="ltr"><<a href="mailto:thomas.darimont@googlemail.com" target="_blank">thomas.darimont@googlemail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">Hello,</div><div class="gmail_extra"><br><div class="gmail_quote"><span>2016-02-05 15:22 GMT+01:00 Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I understand this as well, but it has not been uncommon to encounter a situation where the user needs to know where to go next, because Keycloak doesn't have a link available. </blockquote><div><br></div></span><div>with a redirect facility as outlined above - one could render a link to the "$KEYCLOAK_BASE_URL/redirect" or </div><div>lookup the "default" client in order to render the client base url link with a proper label (client name).</div><div><br></div><div>Cheers,</div><div>Thomas </div></div><br><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div>