OpenID Connect uses OAuth2 as its foundation. It is not like the old
OpenID specification.
On 10/25/2013 08:39 AM, Bill Burke wrote:
FWIW, Amazon does not have SSO. It has shared credentials, but not
SSO.
Tried it out on audible.com and amazon. Lovefilm doesn't even
recognize my amazon account.
Also GMAIL redirects automatically to an unprotected login page. My
bank, brokerage, redirects automatically to an unprotected login or
front page where I can log in. So, I know you think it's absurd, but
pretty much any site where security is even remotely important, an
automatic redirect happens to an unprotected page. A better example
would have been a news article or forum where you can read articles and
comments but can't post comments until you log in.
So in summary:
* I'm not against no-forms call. I even said so, 2-3 emails ago.
* After reviewing the jboss web adapter, a "login-check" could be done
by the adapter. You just won't be able to have a page that can be both
protected or unprotected.
* I'm wary of the keycloak.js approach as it requires public application
credentials which opens up keycloak for additional attacks. Read the
OAuth spec for more details. I'm not sure how realistic some of the
attacks are, but they do exist.
I'll have to review, but I'm not sure OpenID fits with the goals of
Keycloak. OAuth is about granting access while OpenID is about
establishing the identity of the user.
On 10/25/2013 4:52 AM, Stian Thorgersen wrote:
> OpenID connect has this option. This is a spec we should look at and seriously
> consider adding support for.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: "Bill Burke" <bburke(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 24 October, 2013 4:16:44 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when logged
>> into realm
>>
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Thursday, 24 October, 2013 2:52:59 PM
>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>> logged into realm
>>>
>>> Yeah, I saw amazon example. I think your amazon example is different
>>> because they don't have to worry about single sign on.
>> Amazon has SSO with LoveFilm! Are you really still claiming that the use-case
>> I have where an application wants to do single-sign-on and have pages that
>> adapt to whether or not a user is logged in (instead of simply showing a
>> login form) is not something people are going to want to do? That's
>> certainly how I would like my web apps to work if I was writing them.
>>
>>> The current keycloak application adapter build on top of servlet
>>> security and only requires a valve and the keycloak configuration file
>>> and it just works. The style you are talking about would have to bypass
>>> servlet security entirely and require custom application code to work.
>>> This is why I don't think it should be promoted as a preferred solution.
>> No it doesn't. The front-page for an application could have the following
>> JSP code:
>>
>> <%-- The adapter sets the principal; the page just branches on it --%>
>> <%
>>   if (request.getUserPrincipal() != null) {
>> %>
>>   <h2>Hello <%= request.getUserPrincipal().getName() %></h2>
>> <%
>>   } else {
>> %>
>>   <h2>Click here to <a href="...">login</a></h2>
>> <%
>>   }
>> %>
>>
>> <ul class="menu">
>>   <li><a href="public/index.html">Some public page</a></li>
>> <%
>>   if (request.getUserPrincipal() != null) {
>> %>
>>   <li><a href="private/index.html">Some restricted page</a></li>
>> <%
>>   }
>> %>
>> </ul>
>>
>> When opening the front-page the prompt=none would be used to login a user if
>> the user is already logged in to the realm. If the user visits
>> 'private/index.html' first, then it should result in the login form if the
>> user is not already logged in, so in this case prompt=none wouldn't be used.
>>
>>> The preferred solution should be a server-side driven authentication
>>> with private client credentials for both javascript and old-school apps.
>>> For Servlet environments, the constraints of servlet security should
>>> be used to keep setup simple.
>>>
>>>
>>> On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
>>>> Yes it goes through accounts.google.com. Google often have different
>>>> regional behaviour though.
>>>>
>>>> Did you see the amazon example I wrote before? Did the same mistake of
>>>> replying twice again :/
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Thursday, 24 October, 2013 1:56:29 PM
>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
>>>>> when logged into realm
>>>>>
>>>>> Weird. Firefox 24 and IE 10 on Windows for me works the way I
>>>>> described. What do the logged HTTP requests look like? Does it go
>>>>> through accounts.google.com?
>>>>>
>>>>> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
>>>>>> By the way that's not how gmail.com works for me. I just tried to open
>>>>>> gmail.com in an incognito window and was redirected to
>>>>>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
>>>>>> form.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
>>>>>>> when logged into realm
>>>>>>>
>>>>>>> Not to drag this on, but take a look at how google does it.
>>>>>>>
>>>>>>> If you are not logged in, and you go to gmail.com, you are redirected
>>>>>>> immediately to accounts.google.com and you must log in there. After
>>>>>>> you login you are redirected back to gmail.com.
>>>>>>>
>>>>>>> If you leave gmail.com and visit another website, then come back to
>>>>>>> gmail.com, it does an immediate redirect to accounts.google.com which
>>>>>>> then immediately redirects you back to gmail.
>>>>>>>
>>>>>>> So, I feel better. I'm not so old school... :). Google works pretty
>>>>>>> much the same way the keycloak demo works. There is one difference
>>>>>>> though that I'm not sure if we should follow: I'm guessing that to
>>>>>>> implement single sign off, Google will always redirect to
>>>>>>> accounts.google.com to check to see if you're logged in when you visit
>>>>>>> a google page.
>>>>>>>
>>>>>>>
>>>>>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>>>>>>>> No worries, it's one of those things that happens with trying to
>>>>>>>> explain something over email/IRC.
>>>>>>>>
>>>>>>>> I think it should be an optional feature supported by all adapters. For
>>>>>>>> the AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>>>>>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request
>>>>>>>> is to an unsecured resource it would redirect to
>>>>>>>> 'auth/login?prompt=none'.
>>>>>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>>>>>>>
>>>>>>> I don't think this approach can work very well in old-school web apps,
>>>>>>> if at all. For pure Servlet apps you're either accessing a secure area
>>>>>>> or you're not. A URL can't be both secure and unsecure at the same
>>>>>>> time. Plus, if you have any kind of latency, a full browser redirect
>>>>>>> just to check if you're logged in with the auth-server is going to be
>>>>>>> pretty ugly.
>>>>>>>
>>>>>>> The application adapter *DOES* still need an amILoggedIn REST call.
>>>>>>> By default it should just return:
>>>>>>>
>>>>>>> {
>>>>>>> "loggedIn" : true,
>>>>>>> "user" : "wburke"
>>>>>>> }
>>>>>>>
>>>>>>> If you set a flag in resteasy-oauth.json, it will also contain the
>>>>>>> access token
>>>>>>>
>>>>>>> {
>>>>>>>   "loggedIn" : true,
>>>>>>>   "user" : "wburke",
>>>>>>>   "token" : "asdfasdfasdfqwerqwer"
>>>>>>> }
>>>>>>>
>>>>>>> amILoggedIn would be authenticated by a http-only cookie.
>>>>>>>
>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
>>>>>>>>> when logged into realm
>>>>>>>>>
>>>>>>>>> I guess I see what you mean. You want to be able to show
>>>>>>>>> login/register links on the *application's* page and not just
>>>>>>>>> redirect immediately to the keycloak screens when you first visit
>>>>>>>>> the page. I guess I'm thinking too old school Java EE app that would
>>>>>>>>> automatically bring you to the login screen if you access secured
>>>>>>>>> content. I feel like a dinosaur sometimes. Too bad I still have 20
>>>>>>>>> years until I retire.
>>>>>>>>>
>>>>>>>>> Apologies for wasting your time.
>>>>>>>>>
>>>>>>>>> Gonna have to figure out how to support this scenario for a
>>>>>>>>> traditional web app too.
>>>>>>>>>
>>>>>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>>>>>>>> Yes I read your response and yes I have played with your demo.
>>>>>>>>>>
>>>>>>>>>> Let's then revisit this with the demo in mind, and you can tell me
>>>>>>>>>> where I'm mistaken.
>>>>>>>>>>
>>>>>>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
>>>>>>>>>> require the admin role and '/customers/*' requires the user role. If
>>>>>>>>>> I click on a link taking me to any of these pages the adapter
>>>>>>>>>> redirects me to the auth-server. In this case it works, as if I try
>>>>>>>>>> to visit a private url I should be presented with a login form if
>>>>>>>>>> I'm not already logged in. So there's no problem that the adapter
>>>>>>>>>> automatically redirects me to the auth-server.
>>>>>>>>>>
>>>>>>>>>> Now, imagine that this is a real application. Where the front-page
>>>>>>>>>> would, if the user is not logged in, show "Login" and "Register"
>>>>>>>>>> links, and would not show links to pages that an anonymous user is
>>>>>>>>>> not allowed to access (for example 'Customer Listing'). If a user is
>>>>>>>>>> logged in the application would not show 'Login' and 'Register' but
>>>>>>>>>> instead show 'Hello User, welcome back' and would include links to
>>>>>>>>>> pages that particular user is allowed to access (for example if the
>>>>>>>>>> current user had the role user, but not admin, only the 'Customer
>>>>>>>>>> Listing', not the 'Customer Admin Interface' link, would be
>>>>>>>>>> displayed).
>>>>>>>>>>
>>>>>>>>>> How would I be able to implement that behaviour with the current
>>>>>>>>>> way Keycloak works?
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to
>>>>>>>>>>> application when logged into realm
>>>>>>>>>>>
>>>>>>>>>>> Did you even read my response? I completely mapped out the entire
>>>>>>>>>>> flow of how it works *now* in our demo and how it could work with a
>>>>>>>>>>> pure HTML5 app. Go play with the demo to understand things better
>>>>>>>>>>> maybe?
>>>>>>>>>>>
>>>>>>>>>>> You talked about this before:
>>>>>>>>>>> > A company has an internal Keycloak server, they have a single
>>>>>>>>>>> > realm with multiple internal applications. All applications are
>>>>>>>>>>> > hosted on different servers. Let's imagine this company is called
>>>>>>>>>>> > Red Hat. The user, let's call him Stian, first goes to the
>>>>>>>>>>> > OrangeHRM to book some long overdue holiday. He's not currently
>>>>>>>>>>> > logged in to the realm so is shown an anonymous access screen
>>>>>>>>>>> > instead with a login link. Stian presses login, fills in username
>>>>>>>>>>> > and password and successfully logs in to the realm. Now Stian
>>>>>>>>>>> > wants to go to docspace, again Stian has to press the Login link,
>>>>>>>>>>> > but doesn't have to provide a username or password, but instead
>>>>>>>>>>> > is simply redirected back to the application as a logged in user.
>>>>>>>>>>> > Stian is actually a bit confused about this as he just logged in
>>>>>>>>>>> > to an application without providing a username or password.
>>>>>>>>>>>
>>>>>>>>>>> What you describe is not how our demo works nor will it ever work
>>>>>>>>>>> that way. You log in once to the auth server, any app you visit
>>>>>>>>>>> knows who you are. There's no need to click a "login" button when
>>>>>>>>>>> you visit a new site. HTML5 app would work exactly the same way as
>>>>>>>>>>> any of the WARs in the Keycloak demo code except all the redirect
>>>>>>>>>>> and cookie processing would happen within Javascript within the
>>>>>>>>>>> browser. There's just no need for your extra "no-forms" invocation!
>>>>>>>>>>> The login check is already built into the protocol.
>>>>>>>>>>>
>>>>>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Bill Burke
>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>
>>>>>>>>>>>
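The prompt=none "auto-login" check that this thread debates, modelled end to end as an added example (not code from the thread, from Keycloak or from any adapter): the endpoint URL, client id, redirect URI and the OP's session table are assumed placeholders. It shows the two outcomes the page describes, a code when a realm session exists and error=login_required when it does not, and why the adapter must bind the callback to its own state value and render the page anonymously on login_required instead of redirecting again.

```python
# Added example (not Keycloak code): minimal model of the OIDC prompt=none
# silent login check. AUTH_ENDPOINT, client id, redirect URI and the OP
# session table are assumed/constructed values.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example/realms/demo/protocol/openid-connect/auth"
OP_SESSIONS = {"sso-cookie-abc": "stian"}  # constructed: SSO cookie -> user


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_auth_request(client_id, redirect_uri, state, silent):
    """RP/adapter side: authorization URL; silent=True adds prompt=none."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    if silent:
        params["prompt"] = "none"
    return AUTH_ENDPOINT + "?" + urlencode(params)


def op_authorize(url, sso_cookie):
    """OP side: with prompt=none no login UI is shown, only a code or an error."""
    q = _query(url)
    user = OP_SESSIONS.get(sso_cookie)
    if user is not None:
        back = {"code": "code-for-" + user, "state": q["state"]}
    elif q.get("prompt") == "none":
        back = {"error": "login_required", "state": q["state"]}
    else:
        return None  # an interactive login form would be rendered here
    return q["redirect_uri"] + "?" + urlencode(back)


def rp_callback(url, expected_state):
    """RP side: reject a callback whose state does not match our request."""
    q = _query(url)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: reject callback")
    if "code" in q:
        return "user"
    if q.get("error") == "login_required":
        return "anonymous"  # render the public page; do not redirect again
    raise ValueError("unexpected error: " + q.get("error", "?"))


def front_page(sso_cookie, silent=True):
    state = secrets.token_urlsafe(16)  # one fresh state per request
    req = build_auth_request("customer-portal", "https://app.example/cb", state, silent)
    back = op_authorize(req, sso_cookie)
    return "login-form" if back is None else rp_callback(back, state)
```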