Ignore HTML5 and JavaScript it has nothing to do with this issue!
See comment inline:
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 23 October, 2013 7:06:20 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into
realm
On 10/23/2013 12:50 PM, Stian Thorgersen wrote:
> I don't see how that would work. The server-side adapter doesn't set a
> cookie until after the user has logged in (the cookie is also specific to
> the application). The only thing that knows if a user is logged in to the
> SSO realm is Keycloak itself. At the moment there's no way for an
> application (client or server side) to check this without ending up
> showing the login form if it isn't!
>
You don't need to know if you are logged into the auth-server. You just
need to know if you are logged into the application.
> What you want to be able to do is to have users automatically logged in to
> applications (on different servers, with different application
> credentials) once a user has logged in to a single application.
>
> Either I've failed to explain the use-case properly, or there's something
> about what you're proposing I'm not understanding. Just to make sure
I'm
> explaining the use-case properly, I'll try again:
>
> A company has an internal Keycloak server, they have a single realm with
> multiple internal applications. All applications are hosted on different
> servers. Let's imagine this company is called Red Hat. The user, let's
> call him Stian, first goes to the OrangeHRM to book some long overdue
> holiday. He's not currently logged in to the realm so is is shown an
> anonymous access screen instead with a login link. Stian presses login,
> fills in username and password and successfully logs in to the realm. Now
> Stian wants to go to docspace, again Stian has to press the Login link,
> but doesn't have to provide a username or password, but instead is simply
> redirected back to the application as a logged in user. Stian is actually
> a bit confused about this as he just logged in to an application without
> providing a username or password.
>
The demo currently works like this:
1. User access app1
2. User redirected to auth-server
3. Auth-server logs in sets cookie for
auth-server.com
4. auth-server redirects back to app1
5. App1 gets access token
6. App1 does role mappings stores in HttpSession
7. App1 knows user is logged in because of HttpSession (standard Servlet
stuff)
8. User visits app2
9. App2 redirects to auth-server
This is where the problem lies. If the user is not logged in to the realm the login form
will be displayed. So you can not automatically redirect the user to the auth-server! You
would have to wait until the user clicks on the login link. This means if there's 10
apps the user has to click on login 10 times!
10. auth-server sees
auth-server.com domain login cookie, redirects
back
to app2
11. user can access app2 right away without credentials.
12. user goes back to app1. User is still logged in there because the
HttpSession is still valid
Now add your HTML5 app. HTML5 will also need to maintain a "session".
I can do this via a session cookie for HTML5's domain
12. User visits HTML5, HTML5 looks for a session loggin cookie for
HTML5's domain. Doesn't find one, so it automatically redirects to
auth-server
13. Auth-server sees user is already logged in, redirects back to HTML5 app
14. HTML5 app gets access token, sets a session loggin cookie
15. User goes back to App2. App2 knows user is logged in because of
App2 session cookie.
16. user goes back to HTML5. HTML5 app knows user is logged in because
of session cookie
15. HTML 5 app wants to logout and login as a different user
16. Logout action dumps the HTML5-domain session cookie
17. Logout action sends CORS HTTP request to auth-server to logout user
cross-domain. Auth-server invalidates auth-server session cookie on
response.
HTML5 clients are allowed to set cookies.
The HTML5 app would work exactly the same as servlet security except the
browser would handle all the authentication within javascript. There's
improvements we need to make with refresh tokens, but the core of the
protocol is there.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com