[Android] KeyCloak Authenticator
by Summers Pittman
<tldr>DEVELOPERS WILL NEVER HAVE TO WRITE ANOTHER LINE OF AUTH LOGIC
AGAIN!</tldr>
Over the weekend I tried my hand at writing an Android Account
Authenticator for KeyCloak. This lets Android manage the KeyCloak
account, fetch tokens, provide tokens to other apps etc. KeyCloak
Authenticator lets you drop your keycloak.json file into an apk and
access your KeyCloak Account with one line of code from any application
on your Android device.
Right now this is very much in the "I have an itch needing scratching"
phase. It doesn't do any robust error handling, hasn't been tested off
the golden scenario, has no integration with any of the AeroGear stuff,
etc. Take a moment to watch the Demo and look at the demo project.
Video Demo :
https://plus.google.com/103442292643366117394/posts/WSFbdodMsej
The Demo video uses Android's native account menu to request from the
authenticator a KeyCloak account. This launches the authenticator's
activity which will retrieve the credentials for Android and store
them. When I am back in the settings page and showing off the stored
account, this is all native Android UI and not part of the KeyCloak
authenticator.
When I launch the Demo application this is a separate application from
the authenticator apk. The Demo project fetches the KeyCloak account
from Android and gets its auth token. Then it makes a request to
KeyCloak's account service to fetch the user's account data.
In the demo app there are three lines of code related to auth.
    final Account account = am.getAccountsByType("org.keycloak.Account")[0];
    String token = am.getAuthToken(account, "org.keycloak.Account.token",
            null, null, null, null).getResult().getString(AccountManager.KEY_AUTHTOKEN);
and
    provider.setDefaultHeader("Authorization", "bearer " + token);
The first two lines fetch the account and token from Android. The
second line attaches the account's auth token to the web request to the
server.
So now what? I'll probably use this for my projects/demos because it
makes my work easier. Right now it doesn't have any connection to any
of the "official" projects (Again, I wrote this over the weekend to see
if I could) however it may be quite useful to someone. In the project's
README I've included an (incomplete) list of things that don't work.
wdyt?
Links :
Project : https://github.com/secondsun/keycloak-android-authenticator
Video Demo :
https://plus.google.com/103442292643366117394/posts/WSFbdodMsej
Demo Source :
https://github.com/secondsun/keycloak-account-authenticator-demo/
--
Summers Pittman
>>Phone:404 941 4698
>>Java is my crack.
10 years
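An added example, not part of the original post or of the KeyCloak Authenticator project: the same account and token lookup with the failure cases handled (no account on the device, no token returned, a cached token the server rejects). The class name and the accountUrl parameter are hypothetical; the account and token type strings are the ones from the demo code above.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AuthenticatorException;
import android.accounts.OperationCanceledException;
import android.content.Context;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical helper; call it from a background thread, never the UI thread. */
public final class KeycloakTokenClient {
    private static final String ACCOUNT_TYPE = "org.keycloak.Account";
    private static final String TOKEN_TYPE = "org.keycloak.Account.token";
    private final AccountManager am;

    public KeycloakTokenClient(Context context) {
        this.am = AccountManager.get(context);
    }

    /** Opens an authenticated request; accountUrl is supplied by the caller (assumption). */
    public HttpURLConnection openAuthenticated(URL accountUrl)
            throws IOException, AuthenticatorException, OperationCanceledException {
        if (!"https".equals(accountUrl.getProtocol())) {
            throw new IOException("refusing to send a bearer token over " + accountUrl.getProtocol());
        }
        Account[] accounts = am.getAccountsByType(ACCOUNT_TYPE);
        if (accounts.length == 0) {
            throw new AuthenticatorException("no KeyCloak account registered on this device");
        }
        for (int attempt = 0; attempt < 2; attempt++) {
            // true = post a notification if the user has to sign in again
            String token = am.blockingGetAuthToken(accounts[0], TOKEN_TYPE, true);
            if (token == null) {
                throw new AuthenticatorException("authenticator returned no token");
            }
            HttpURLConnection conn = (HttpURLConnection) accountUrl.openConnection();
            conn.setRequestProperty("Authorization", "Bearer " + token);
            if (conn.getResponseCode() != HttpURLConnection.HTTP_UNAUTHORIZED) {
                return conn;
            }
            // The server rejected the cached token: drop it so the retry fetches a fresh one.
            conn.disconnect();
            am.invalidateAuthToken(ACCOUNT_TYPE, token);
        }
        throw new IOException("still unauthorized after refreshing the token");
    }
}
```

The caller reads the response body from the returned connection and disconnects it when done.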
Releasing new parent/bom (0.2.10)
by Daniel Passos
Hi All,
I’d like to run a new release of our parent/bom.
Here are some changes related to newer versions:
Android land
- Update Android version to Lollipop
- Update Google Play Services to 6.1.71 (Now using aar instead of jar)
- Remove Robolectric
- Remove Guava
- Remove Android support library
Test land
- Bump to Arquillian nondeploying container 0.2.0
- Bump to Arquillian Graphene 2.1.0.Alpha1
Feel free to test it. I plan to release it next Thursday.
The staging repo is here:
https://repository.jboss.org/nexus/content/repositories/jboss_releases_st...
— Passos
10 years
UPS server configuration interface?
by Bruno Oliveira
Good morning amazing people.
While working on AGPUSH-1047, I was wondering if it would make sense to
have a configuration page before users get started.
I'm thinking about the current problem of decoupling our server from
Keycloak[1] and OpenShift.
What is the current proposal for the initial setup?
1. Developer creates a UPS instance on OpenShift
2. Visit https://myups-abstractj.rhcloud.com/ag-push
3. The application automagically redirects to the configuration page with
options to skip or enter the URL for the Keycloak server.
4. App changes the keycloak.json/ups-realm.json file based on the URL provided.
Does it make sense?
[1] - https://github.com/abstractj/aerogear-unifiedpush-server/commit/db7639566...
--
abstractj
PGP: 0x84DC9914
10 years, 1 month
Re: [aerogear-dev] [keycloak-user] Mobile Authentication API
by Stian Thorgersen
Hi,
It's something we've discussed in the past. It would work, but it's not very elegant as a lot of the logic would be pushed onto the native app. Our core aim with Keycloak is to make security easy for folks.
That being said are you using the direct grant api to exchange a username/password for a token? We could probably allow using the direct grant api and pass a token instead of a username/password.
Added AeroGear mailing list as they're working on mobile adapters for Keycloak.
----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Wednesday, 26 November, 2014 7:32:38 PM
> Subject: Re: [keycloak-user] Mobile Authentication API
>
> Sorry, I wasn't clear enough. The problem we're having is with social logins
>
> When we have to login a user via social links (Google or Facebook) we need to
> send him to a webview, because Keycloak communicates with the social
> networks via the default flows we already have implemented.
>
> But from a mobile standpoint this could be improved, because the user can
> already have a Google account and/or a Facebook account on his mobile
> device. So that could be used instead of making the user login again on a
> webview.
>
> The idea is to send the social information we already have on the mobile
> device to Keycloak and get a token in return (we can do this with
> username/password today).
>
> The ideal thing would be a SDK for this that would (for example) be
> instantiated with URI and client_id, and would provide a method for login. I
> know this might not be in your roadmap for any time soon, but I'd like to
> know if you have thought about any of this.
>
> This provides a very different user experience for the user, and I think this
> feature would be appreciated by many.
>
> Thank you all again!
>
> Rodrigo Sasaki
>
> On Wed, Nov 26, 2014 at 4:13 PM, Rodrigo Sasaki < rodrigopsasaki(a)gmail.com >
> wrote:
>
>
>
> Hello,
>
> I was wondering if there is a plan (or maybe something already built) for
> native mobile authentication with Keycloak.
>
> Right now we need to redirect the user to a web view so he can interface with
> Keycloak to login, and from there on he can use the app normally, but is
> there something native for this? We're trying to find ways to use the
> smartphone's native authentication systems to login the users, and so far we
> haven't been able to make it work.
>
> Have you thought of something along those lines?
>
> Thank you.
>
> --
> Rodrigo Sasaki
>
>
>
> --
> Rodrigo Sasaki
>
10 years, 1 month
gwtcon
by Erik Jan de Wit
Hi,
I was at gwtcon last week and I talked with Daniel Kurka (he is part of the gwt team) about Inbox. This is a new Gmail app that is launched on iOS, web and Android. So Google, even though they have a lot of people to develop applications, went for a cross-platform approach based on Java. They considered Cordova, but because they wanted a UI that was very speedy, also on older Android devices, they chose native. Java is used across all platforms, using gwt to translate Java to JavaScript and j2objc to transform Java to Objective-C. He reckons that about 70 - 80 % of the code is shared.
So that gave me an idea: instead of using Java as the common language, why not use JavaScript, and build a native UI that calls the JavaScript parts? This is of course a bit like Appcelerator but without a layer in between. That way you could also still target Windows Phone.
Why not try out this idea and see if it’s feasible? WDYT?
Cheers,
Erik Jan
10 years, 1 month