No worries, it's one of those things that happens with trying to explain something
over email/IRC.
I think it should be an optional feature supported by all adapters. For the AS7 adapter I
was thinking you'd specify it in 'resteasy-oauth.json' ({..., 'auto-login' : true }?).
If it's enabled and the first request is to an unsecured resource it would redirect to
'auth/login?prompt=none'. I'm happy to add a proposal to the AS7 adapter if you'd like.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 23 October, 2013 10:01:41 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into
realm
I guess I see what you mean. You want to be able to show
login/register links on the *application's* page and not just redirect
immediately to the keycloak screens when you first visit the page. I
guess I'm thinking too old school Java EE app that would automatically
bring you to the login screen if you access secured content. I feel
like a dinosaur sometimes. Too bad I still have 20 years until I retire.
Apologies for wasting your time.
Gonna have to figure out how to support this scenario for a traditional
web app too.
On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> Yes I read your response and yes I have played with your demo.
>
> Let's then revisit this with the demo in mind, and you can tell me where
> I'm mistaken.
>
> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
> require the admin role and '/customers/*' requires the user role. If I
> click on a link taking me to any of these pages the adapter redirects me
> to the auth-server. In this case it works, as if I try to visit a private
> url I should be presented with a login form if I'm not already logged in.
> So there's no problem that the adapter automatically redirects me to the
> auth-server.
>
> Now, imagine that this is a real application. Where the front-page would,
> if the user is not logged in, show "Login" and "Register" links, and would
> not show links to pages that an anonymous user is not allowed to access
> (for example 'Customer Listing'). If a user is logged in the application
> would not show 'Login' and 'Register' but instead show 'Hello User,
> welcome back' and would include links to pages that particular user is
> allowed to access (for example if the current user had the role user, but
> not admin, only the 'Customer Listing', not the 'Customer Admin Interface'
> link, would be displayed).
>
> How would I be able to implement that behaviour with the current way
> Keycloak works?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when
>> logged into realm
>>
>> Did you even read my response? I completely mapped out the entire flow
>> of how it works *now* in our demo and how it could work with a pure
>> HTML5 app. Go play with the demo to understand things better maybe?
>>
>> You talked about this before:
>> > A company has an internal Keycloak server, they have a single realm
>> with multiple internal applications. All applications are hosted on
>> different servers. Let's imagine this company is called Red Hat. The
>> user, let's call him Stian, first goes to the OrangeHRM to book some
>> long overdue holiday. He's not currently logged in to the realm so is
>> shown an anonymous access screen instead with a login link. Stian
>> presses login, fills in username and password and successfully logs in
>> to the realm. Now Stian wants to go to docspace, again Stian has to
>> press the Login link, but doesn't have to provide a username or
>> password, but instead is simply redirected back to the application as a
>> logged in user. Stian is actually a bit confused about this as he just
>> logged in to an application without providing a username or password.
>>
>>
>>
>> What you describe is not how our demo works nor will it ever work that
>> way. You log in once to the auth server, any app you visit knows who
>> you are. There's no need to click a "login" button when you visit a new
>> site. HTML5 app would work exactly the same way as any of the WARs in
>> the Keycloak demo code except all the redirect and cookie processing
>> would happen within Javascript within the browser. There's just no need
>> for your extra "no-forms" invocation! The login check is already built
>> into the protocol.
>>
>>
>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com