Weird. Firefox 24 and IE 10 on Windows for me works the way I
described. What do the logged HTTP requests look like? Does it go
through accounts.google.com?
On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
By the way that's not how gmail.com works for me. I just tried to open
gmail.com in an incognito window and was redirected to
https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 24 October, 2013 1:13:40 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>
> Not to drag this on, but take a look at how google does it.
>
> If you are not logged in, and you go to gmail.com, you are redirected
> immediately to accounts.google.com and you must log in there. After you
> login you are redirected back to gmail.com.
>
> If you leave gmail.com and visit another website, then come back to
> gmail.com, it does an immediate redirect to accounts.google.com which
> then immediately redirects you back to gmail.
>
> So, I feel better. I'm not so old school... :). Google works pretty
> much the same way the keycloak demo works. There is one difference
> though that I'm not sure if we should follow: I'm guessing that to
> implement single sign off, Google will always redirect to
> accounts.google.com to check to see if you're logged in when you visit a
> google page.
>
>
> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>> No worries, it's one of those things that happens with trying to explain
>> something over email/IRC.
>>
>> I think it should be an optional feature supported by all adapters. For the
>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>> ({..., 'auto-login' : true }?). If it's enabled and the first request is
>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>
>
> I don't think this approach can work very well in old-school web apps,
> if at all. For pure Servlet apps you're either accessing a secure area
> or you're not. A URL can't be both secure and unsecure at the same
> time. Plus, if you have any kind of latency, a full browser redirect
> just to check if you're logged in with the auth-server is going to be
> pretty ugly.
>
> The application adapter *DOES* still need an amILoggedIn REST call. By
> default it should just return:
>
> {
> "loggedIn" : true,
> "user" : "wburke"
> }
>
> If you set a flag in resteasy-oauth.json, it will also contain the
> access token:
>
> {
> "loggedIn" : true,
> "user" : "wburke",
> "token" : "asdfasdfasdfqwerqwer"
> }
>
> amILoggedIn would be authenticated by a http-only cookie.
>
>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>> logged into realm
>>>
>>> I guess I see what you mean. You want to be able to show a
>>> login/register links on the *application's* page and not just redirect
>>> immediately to the keycloak screens when you first visit the page. I
>>> guess I'm thinking too old school Java EE app that would automatically
>>> bring you to the login screen if you access secured content. I feel
>>> like a dinosaur sometimes. Too bad I still have 20 year until I retire.
>>>
>>> Apologies for wasting your time.
>>>
>>> Gonna have to figure out how to support this scenario for a traditional
>>> web app too.
>>>
>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>> Yes I read your response and yes I have played with your demo.
>>>>
>>>> Let's then revisit this with the demo in mind, and you can tell me where
>>>> I'm mistaken.
>>>>
>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
>>>> require the admin role and '/customers/*' requires the user role. If I
>>>> click on a link taking me to any of these pages the adapter redirects me
>>>> to the auth-server. In this case it works, as if I try to visit a private
>>>> url I should be presented with a login form if I'm not already logged in.
>>>> So there's no problem that the adapter automatically redirects me to the
>>>> auth-server.
>>>>
>>>> Now, imagine that this is a real application, where the front-page would,
>>>> if the user is not logged in, show "Login" and "Register" links, and would
>>>> not show links to pages that an anonymous user is not allowed to access
>>>> (for example 'Customer Listing'). If a user is logged in the application
>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
>>>> welcome back' and would include links to pages that particular user is
>>>> allowed to access (for example if the current user had the role user, but
>>>> not admin, only the 'Customer Listing', not the 'Customer Admin Interface'
>>>> link, would be displayed).
>>>>
>>>> How would I be able to implement that behaviour with the current way
>>>> Keycloak works?
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>>> logged into realm
>>>>>
>>>>> Did you even read my response? I completely mapped out the entire flow
>>>>> of how it works *now* in our demo and how it could work with a pure
>>>>> HTML5 app. Go play with the demo to understand things better maybe?
>>>>>
>>>>> You talked about this before:
>>>>> > A company has an internal Keycloak server, they have a single realm
>>>>> with multiple internal applications. All applications are hosted on
>>>>> different servers. Let's imagine this company is called Red Hat. The
>>>>> user, let's call him Stian, first goes to the OrangeHRM to book some
>>>>> long overdue holiday. He's not currently logged in to the realm so is
>>>>> shown an anonymous access screen instead with a login link. Stian
>>>>> presses login, fills in username and password and successfully logs in
>>>>> to the realm. Now Stian wants to go to docspace, again Stian has to
>>>>> press the Login link, but doesn't have to provide a username or
>>>>> password, but instead is simply redirected back to the application as a
>>>>> logged in user. Stian is actually a bit confused about this as he just
>>>>> logged in to an application without providing a username or password.
>>>>>
>>>>>
>>>>>
>>>>> What you describe is not how our demo works nor will it ever work that
>>>>> way. You log in once to the auth server, any app you visit knows who
>>>>> you are. There's no need to click a "login" button when you visit a new
>>>>> site. HTML5 app would work exactly the same way as any of the WARs in
>>>>> the Keycloak demo code except all the redirect and cookie processing
>>>>> would happen within Javascript within the browser. There's just no need
>>>>> for your extra "no-forms" invocation! The login check is already built
>>>>> into the protocol.
>>>>>
>>>>>
>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>>
>>>>> http://bill.burkecentral.com
>>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>>
>>> http://bill.burkecentral.com
>>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com
>
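The thread above proposes an adapter-side "amILoggedIn" REST call, authenticated by an http-only cookie, that returns `{"loggedIn": true, "user": ...}` and adds the access token only when a flag in resteasy-oauth.json says so, and Stian describes a front page that shows "Login"/"Register" or "Hello User, welcome back" depending on the answer. The following is an added example written for this page, not Keycloak project code or anything posted by the participants. The cookie name `ADAPTER_SESSION`, the `exposeToken` option standing in for the unnamed resteasy-oauth.json flag, the `{loggedIn: false}` shape for the anonymous case and the in-memory session table are all assumptions:

```javascript
// Added example (not Keycloak code): the "amILoggedIn" call from the thread,
// authenticated by an HttpOnly session cookie, plus the page-side logic that
// turns its answer into the links the front page renders.

// Constructed stand-in for the adapter's server-side session state
// (cookie value -> session). A real adapter keeps this per deployment.
const SESSIONS = new Map([
  ['s3ss10n-abc', { user: 'wburke', token: 'asdfasdfasdfqwerqwer' }],
]);

// Assumed cookie name; the thread does not specify one.
const COOKIE_NAME = 'ADAPTER_SESSION';

// Parse a Cookie request header into a name -> value object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// Set-Cookie value issued after a successful login. HttpOnly keeps page
// scripts from reading the session id; Secure and SameSite limit where the
// browser will send it.
function sessionCookie(value) {
  return `${COOKIE_NAME}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Body of the amILoggedIn response. The user comes from the server-side
// session the cookie resolves to, never from anything the client sent.
// `exposeToken` plays the role of the resteasy-oauth.json flag in the thread
// (real key name assumed); the anonymous shape {loggedIn:false} is assumed,
// since the thread only shows the logged-in case.
function amILoggedIn(cookieHeader, { exposeToken = false } = {}) {
  const session = SESSIONS.get(parseCookies(cookieHeader)[COOKIE_NAME]);
  if (!session) return { loggedIn: false };
  const body = { loggedIn: true, user: session.user };
  if (exposeToken) body.token = session.token;
  return body;
}

// Framework-neutral handler for GET /amILoggedIn: req = {method, url, headers}.
function handleRequest(req, config) {
  if (req.method !== 'GET' || req.url !== '/amILoggedIn') {
    return { status: 404, headers: {}, body: '' };
  }
  return {
    status: 200,
    // no-store: a login-state answer must never be served from a cache
    headers: { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' },
    body: JSON.stringify(amILoggedIn(req.headers.cookie, config)),
  };
}

// Page side: what the front page shows for a given answer. Assumed caller:
// fetch('/amILoggedIn', { credentials: 'same-origin' }).then(r => r.json()).
// Role-dependent links (the 'Customer Admin Interface' case) would need role
// information the proposed body does not carry, so only the role-free part
// of Stian's description is implemented here.
function navigationFor(answer) {
  if (!answer.loggedIn) return { greeting: null, links: ['Login', 'Register'] };
  return { greeting: `Hello ${answer.user}, welcome back`, links: ['Customer Listing'] };
}
```

Because the session id lives only in an HttpOnly cookie, page script learns who is logged in without ever holding the credential; the `exposeToken` flag is the one place where that changes, since a token in the JSON body is readable by any script on the page.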