Re: [keycloak-dev] Automatically login user to application when logged into realm

Yes it goes through accounts.google.com. Google often have different regional behaviour though. Did you see the amazon example I wrote before? Did the same mistake of replying twice again :/ ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 24 October, 2013 1:56:29 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > Weird. Firefox 24 and IE 10 on Windows for me works the way I > described. What do the logged HTTP requests look like? Does it go > through accounts.google.com? > > On 10/24/2013 8:37 AM, Stian Thorgersen wrote: >> By the way that's not how gmail.com works for me. I just tried to open >> gmail.com in an incognito window and was redirected to >> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form. >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Thursday, 24 October, 2013 1:13:40 PM >>> Subject: Re: [keycloak-dev] Automatically login user to application when >>> logged into realm >>> >>> Not to drag this on, but take a look at how google does it. >>> >>> If you are not logged in, and you go to gmail.com, you are redirected >>> immediately to accounts.google.com and you must log in there. After you >>> login you are redirected back to gmail.com. >>> >>> If you leave gmail.com and visit another website, then come back to >>> gmail.com, it does an immediate redirect to accounts.google.com which >>> then immediately redirects you back to gmail. >>> >>> So, I feel better. I'm not so old school... :). Google works pretty >>> much the same way the keycloak demo works. There is one difference >>> though that I i'm not sure if we should follow: I'm guessing that to >>> implement single sign off, Google will always redirect to >>> accounts.google.com to check to see if you're logged in when you visit a >>> google page. >>> >>> >>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote: >>>> No worries, it's one of those things that happens with trying to explain >>>> something over email/IRC. >>>> >>>> I think it should be an optional feature support by all adapters. For the >>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' >>>> ({..., 'auto-login' : true }?). If it's enabled and the first request is >>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'. >>>> I'm happy to add a proposal to the AS7 adapter if you'd like. >>>> >>> >>> I don't think this approach can work very well in old-school web apps, >>> if at all. For pure Servlet apps you're either accessing a secure area >>> or you're not. A URL can't be both secure and unsecure at the same >>> time. Plus, if you have any kind of latency, a full browser redirect >>> just to check if you're logged in with the auth-server is going to be >>> pretty ugly. >>> >>> The application adapter *DOES* still need an amILoggedIn REST call. By >>> default it should just return: >>> >>> { >>> "loggedIn" : true, >>> "user" : "wburke" >>> } >>> >>> If you set a flag in resteasy-oauth.json, it will also contain the >>> access token >>> >>> { >>> loggedIn : true, >>> "user" : "wburke", >>> "token" : "asdfasdfasdfqwerqwer" >>> } >>> >>> amILoggedIn would be authenticated by a http-only cookie. >>> >>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM >>>>> Subject: Re: [keycloak-dev] Automatically login user to application when >>>>> logged into realm >>>>> >>>>> I guess I see what you mean. You want to be able to show a >>>>> login/register links on the *application's* page and not just redirect >>>>> immediately to the keycloak screens when you first visit the page. I >>>>> guess I'm thinking too old school Java EE app that would automatically >>>>> bring you to the login screen if you access secured content. I feel >>>>> like a dinosaur sometimes. Too bad I still have 20 year until I retire. >>>>> >>>>> Apologies for wasting your time. >>>>> >>>>> Gonna have to figure out how to support this scenario for a traditional >>>>> web app too. >>>>> >>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote: >>>>>> Yes I read your response and yes I have played with your demo. >>>>>> >>>>>> Let's then revisit this with the demo in mind, and you can tell me >>>>>> where >>>>>> I'm mistaken. >>>>>> >>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*' >>>>>> require the admin role and '/customers/*' requires the user role. If I >>>>>> click on a link taking me to any of these pages the adapter redirects >>>>>> me >>>>>> to the auth-server. In this case it works, as if I try to visit a >>>>>> private >>>>>> url I should be presented with a login form if I'm not already logged >>>>>> in. >>>>>> So there's no problem that the adapter automatically redirects me to >>>>>> the >>>>>> auth-server. >>>>>> >>>>>> Now, imagine that this is an real application. Where the front-page >>>>>> would, >>>>>> if the user is not logged in, show "Login" and "Register" links, and >>>>>> would >>>>>> not show links to pages that an anonymous user is not allowed to access >>>>>> (for example 'Customer Listing'). If a user is logged in the >>>>>> application >>>>>> would not show 'Login' and 'Register' but instead show 'Hello User, >>>>>> welcome back' and would include links to pages that particular user is >>>>>> allowed to access (for example if the current user had the role user, >>>>>> but >>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin >>>>>> Interface' >>>>>> link, would be displayed). >>>>>> >>>>>> How would I be able to implement that behaviour with the current way >>>>>> Keycloak works? >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM >>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application >>>>>>> when >>>>>>> logged into realm >>>>>>> >>>>>>> Did you even read my response? I completely mapped out the entire >>>>>>> flow >>>>>>> of how it works *now* in our demo and how it could work with a pure >>>>>>> HTML5 app. Go play with the demo to understand things better maybe? >>>>>>> >>>>>>> You talkd about this before: >>>>>>> > A company has an internal Keycloak server, they have a single >>>>>>> > realm >>>>>>> with multiple internal applications. All applications are hosted on >>>>>>> different servers. Let's imagine this company is called Red Hat. The >>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book some >>>>>>> long overdue holiday. He's not currently logged in to the realm so is >>>>>>> is >>>>>>> shown an anonymous access screen instead with a login link. Stian >>>>>>> presses login, fills in username and password and successfully logs in >>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has to >>>>>>> press the Login link, but doesn't have to provide a username or >>>>>>> password, but instead is simply redirected back to the application as >>>>>>> a >>>>>>> logged in user. Stian is actually a bit confused about this as he just >>>>>>> logged in to an application without providing a username or password. >>>>>>> >>>>>>> >>>>>>> >>>>>>> What you describe is not how our demo works nor will it ever work that >>>>>>> way. You log in once to the auth server, any app you visit knows who >>>>>>> you are. There's no need to click a "login" button when you visit a >>>>>>> new >>>>>>> site. HTML5 app would work exactly the same way as any of the WARs in >>>>>>> the Keycloak demo code except all the redirect and cookie processing >>>>>>> would happen within Javascript within the browser. There's just no >>>>>>> need >>>>>>> for your extra "no-forms" invocation! The login check is already >>>>>>> built >>>>>>> into the protocol. >>>>>>> >>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php >>>>>>> >>>>>>> -- >>>>>>> Bill Burke >>>>>>> JBoss, a division of Red Hat >>>>>>> http://bill.burkecentral.com >>>>>>> >>>>> >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >