Realm login page "Powered By Keycloak"
by Bill Burke
We'll need a small icon or text at bottom of Realm login page that says
"Powered By Keycloak". This is because we'll be having social logins
use a global Keycloak social account by default and the user will need
to make the mental association if they ever want to revoke privileges.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 9 months
Re: [keycloak-dev] Pulling stuff from IdentityBroker and next steps....
by Bill Burke
What I'd really like to do is to get the protocol and flows working
before focusing on the admin UI and REST interface for it. I have SSO
login working. Working on Single Log Out today. Then OAuth grants.
I'm working from a demo under /examples/as7-eap6. It requires you to
install Resteasy 3.0.2 on top of EAP 6.1, then run mvn jboss-as:deploy.
I'm committing and merging every time I get something new working.
If I can get logout, and OAuth finished by Monday, we can have a hangout
to discuss how we can fit Social into this flow. Hopefully after the
meeting you can focus on getting social to work and I can then work on
the backend some more to get it working with the latest Picketlink that
was released today.
On 7/26/2013 9:37 AM, Stian Thorgersen wrote:
> So that completes the pulling stuff from IdentityBroker task.. Now we need to look at how to integrate the pieces.
>
> UI
> --
> For UI there's a dummy REST resource (org.keycloak.ui.example.Admin) that we could use as a starting point for defining the real admin REST endpoints for Keycloak.
>
> Social
> ------
> Needs to be able to:
>
> * Retrieve information about the application (realm, provider key, provider secret, etc.)
> * Get/save/update users in IDM
> * Login and redirect back to application
>
> HTML SDK
> --------
> We didn't really get much value from IdentityBroker here. As you've suggested it would probably be safest to use a server-side solution for the login/registration forms.
>
> It would be good to have a Hangout early next week to discuss the next steps. In the meantime I can have a look at improving the login/registration forms.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 9 months
UI pulled from IdentityBroker
by Stian Thorgersen
I've pulled in the Admin UI from IdentityBroker. It's updated to match the current details required for applications and realms, including support for roles and role mappings.
For the time being it uses a dummy REST endpoint that is defined in the UI module itself, so it's possible to try it out and play with it, but it obviously won't configure the actual Keycloak server at the moment.
10 years, 9 months
redirects vs. javascript logins
by Bill Burke
To do SSO, Keycloak server sets a session cookie so that the user
doesn't have to relogin if the cookie is set. This will have issues
with the custom login, like the way the Event Juggler app works.
Correct me if I'm wrong, but for Event Juggler, the login page is hosted
at the Event Juggler website? And the app would do an HTTP invocation
to obtain the token, correct?
The problem with this approach is that we wouldn't be able to set the
login session cookie as all cookies will be HttpOnly and not accessible
via javascript (due to security issues). So, SSO would not work, and
the user would have to relogin for each additional site they visited.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 9 months
vanilla vs. javascript login page
by Bill Burke
It will be great to use Angular, et al. to build the admin console.
But, should we avoid Javascript for the login page? I'm thinking of
older browsers and the tightrope you have to walk there to make sure
everything works...
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 9 months
configuring social providers
by Bill Burke
In looking at your demo, is there any reason you need to define the
metadata for the social provider? Can't you either
a) Preconfigure Keycloak server with Twitter, Google+ account?
b) Automatically configure the social provider without user input.
Since Keycloak is already a broker, why does a user need to input any of
that metadata?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 9 months
Pulled in social from IdentityBroker
by Stian Thorgersen
I added social from IdentityBroker yesterday. It's not integrated with Keycloak yet, but there are todo comments in "org.keycloak.social.resources.SocialResource" that describe what's required to integrate it with Keycloak. Once things are ready and I know how to fill in the gaps I'll do so.
10 years, 9 months