Re: [keycloak-dev] Automatically login user to application when logged into realm

No worries, it's one of those things that happens with trying to explain something over email/IRC. I think it should be an optional feature support by all adapters. For the AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' ({..., 'auto-login' : true }?). If it's enabled and the first request is to an unsecured resource it would redirect to 'auth/login?prompt=none'. I'm happy to add a proposal to the AS7 adapter if you'd like.

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Wednesday, 23 October, 2013 10:01:41 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > I guess I see what you mean. You want to be able to show a > login/register links on the *application's* page and not just redirect > immediately to the keycloak screens when you first visit the page. I > guess I'm thinking too old school Java EE app that would automatically > bring you to the login screen if you access secured content. I feel > like a dinosaur sometimes. Too bad I still have 20 year until I retire. > > Apologies for wasting your time. > > Gonna have to figure out how to support this scenario for a traditional > web app too. > > On 10/23/2013 3:58 PM, Stian Thorgersen wrote: >> Yes I read your response and yes I have played with your demo. >> >> Let's then revisit this with the demo in mind, and you can tell me where >> I'm mistaken. >> >> I visit http://localhost:8080/customer-portal/. The urls '/admins/*' >> require the admin role and '/customers/*' requires the user role. If I >> click on a link taking me to any of these pages the adapter redirects me >> to the auth-server. In this case it works, as if I try to visit a private >> url I should be presented with a login form if I'm not already logged in. >> So there's no problem that the adapter automatically redirects me to the >> auth-server. >> >> Now, imagine that this is an real application. Where the front-page would, >> if the user is not logged in, show "Login" and "Register" links, and would >> not show links to pages that an anonymous user is not allowed to access >> (for example 'Customer Listing'). If a user is logged in the application >> would not show 'Login' and 'Register' but instead show 'Hello User, >> welcome back' and would include links to pages that particular user is >> allowed to access (for example if the current user had the role user, but >> not admin, only the 'Customer Listing', not the 'Customer Admin Interface' >> link, would be displayed). >> >> How would I be able to implement that behaviour with the current way >> Keycloak works? >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Wednesday, 23 October, 2013 8:18:32 PM >>> Subject: Re: [keycloak-dev] Automatically login user to application when >>> logged into realm >>> >>> Did you even read my response? I completely mapped out the entire flow >>> of how it works *now* in our demo and how it could work with a pure >>> HTML5 app. Go play with the demo to understand things better maybe? >>> >>> You talkd about this before: >>> > A company has an internal Keycloak server, they have a single realm >>> with multiple internal applications. All applications are hosted on >>> different servers. Let's imagine this company is called Red Hat. The >>> user, let's call him Stian, first goes to the OrangeHRM to book some >>> long overdue holiday. He's not currently logged in to the realm so is is >>> shown an anonymous access screen instead with a login link. Stian >>> presses login, fills in username and password and successfully logs in >>> to the realm. Now Stian wants to go to docspace, again Stian has to >>> press the Login link, but doesn't have to provide a username or >>> password, but instead is simply redirected back to the application as a >>> logged in user. Stian is actually a bit confused about this as he just >>> logged in to an application without providing a username or password. >>> >>> >>> >>> What you describe is not how our demo works nor will it ever work that >>> way. You log in once to the auth server, any app you visit knows who >>> you are. There's no need to click a "login" button when you visit a new >>> site. HTML5 app would work exactly the same way as any of the WARs in >>> the Keycloak demo code except all the redirect and cookie processing >>> would happen within Javascript within the browser. There's just no need >>> for your extra "no-forms" invocation! The login check is already built >>> into the protocol. >>> >>> http://www.tizag.com/javascriptT/javascriptredirect.php >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >