Usability in authentication flows
by Stian Thorgersen
With regards to usability in authentication flows I think we have 3 issues
that can be improved:
Improve error messages
--------------------------------
"Something has gone wrong" is not helpful to an end-user. In general we
need to review error messages, maybe also other messages, to make sure they
are useful in the eyes of an end-user and not a developer.
Escape option
-------------------
There should always be at least one escape option for a user. We should
make sure the client is always known. This can be done by adding the client
uuid to the client session code, which means it will always be available
even if the session has been cleared. As long as the client has set the base
url we can add a link to return to the application.
As the logins are redirect based it's important to always be able to return
to the application, especially for consumer facing sites.
I'm not sure "back to application" is the best text though, but can't come
up with anything better ATM.
There are also several times in the flow where it could be useful to have a
cancel/restart option to restart the flow. Again, I'm not sure what the
best text for the link is. "cancel" would suggest returning to the
application, not restarting the flow.
Back/refresh buttons
---------------------------
Using cache control it should be possible to always reload the page so when
a user clicks back the current page is just redisplayed.
8 years, 2 months
Keycloak and Angular, how to login after angular has been bootstrapped
by replymenot
Hi all,
Recently I attended a seminar on Keycloak and I was totally blown away. Loved it and it seems to be exactly what I need for my microservices architecture.
I use AngularJS as my front-end and I have this burning question.
How can I use Keycloak as security provider in a SPA after the angular app has already been bootstrapped?
The website I’m creating has anonymous and role based secure parts. So I only want login based on context and not on load.
I can't seem to be able to find examples.
Right now I get the login from Keycloak, but after the redirect my Angular app is re-bootstrapped and I lose my login, because it is not part of my single page app...
Help will be appreciated.
Ivo.
8 years, 2 months
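The pattern the question is asking for, as an added example (editor's code, not from the post, from AngularJS, or from Keycloak): probe for an existing SSO session at bootstrap without forcing a login, and call login only from the route that needs a role, passing the deep link as the redirect target so the re-bootstrapped app lands back where the user was. The adapter object `kc` is assumed to have the shape of keycloak-js (`init`, `login`, `authenticated`, `hasRealmRole`); the fake adapter and the `createAuthGuard`/`requireRole` names are constructed for this example.

```javascript
// Added example: context-based login for an already-bootstrapped SPA.
// `kc` is assumed to be a keycloak-js-like adapter; the names createAuthGuard,
// requireRole and fakeKeycloak are this example's own.

function createAuthGuard(kc) {
  // Check for an SSO session once at startup without redirecting anyone.
  const ready = kc.init({ onLoad: 'check-sso' });

  return {
    ready,
    // Called from a route resolver or guard, not at bootstrap. Returns:
    //   'ok'          - authenticated and holds the role
    //   'forbidden'   - authenticated but lacks the role
    //   'redirecting' - anonymous; kc.login() sends the browser to the IdP
    async requireRole(role, currentUrl) {
      await ready;
      if (!kc.authenticated) {
        // redirectUri = the deep link, so after the round trip the
        // re-bootstrapped app starts on the route that required login.
        kc.login({ redirectUri: currentUrl });
        return 'redirecting';
      }
      return kc.hasRealmRole(role) ? 'ok' : 'forbidden';
    },
  };
}

// Constructed offline stand-in for the adapter. `sessionExists` simulates
// whether check-sso found an SSO cookie on the auth server.
function fakeKeycloak({ sessionExists, roles }) {
  const kc = {
    authenticated: false,
    loginCalls: [],
    init(opts) {
      if (opts.onLoad === 'check-sso' && sessionExists) kc.authenticated = true;
      return Promise.resolve(kc.authenticated);
    },
    login(opts) { kc.loginCalls.push(opts); },
    hasRealmRole(r) { return kc.authenticated && roles.includes(r); },
  };
  return kc;
}

// Walk through the three outcomes with constructed adapters and return them.
async function demo() {
  const anon = fakeKeycloak({ sessionExists: false, roles: [] });
  const anonGuard = createAuthGuard(anon);
  const r1 = await anonGuard.requireRole('admin', 'https://app.example/#/admin');

  const user = fakeKeycloak({ sessionExists: true, roles: ['user'] });
  const userGuard = createAuthGuard(user);
  const r2 = await userGuard.requireRole('admin', 'https://app.example/#/admin');
  const r3 = await userGuard.requireRole('user', 'https://app.example/#/me');

  return { r1, anonRedirect: anon.loginCalls[0].redirectUri, r2, r3 };
}
```

The anonymous parts of the site never call `requireRole`, so nobody is redirected on load; only the guarded route triggers `login()`. The deep link passed as `redirectUri` is what survives the re-bootstrap.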
auth-server-url as a system variable
by Bruno Oliveira
Good morning, I've been working on some ideas for AeroGear, in order
to have UPS and Keycloak in separate infrastructure. The reason why
this is not possible today is pretty much related to design
decisions in the past for UPS.
Not sure if this makes any sense or was already discussed. But I was
wondering if we could change the adapters to load an environment
variable like ${keycloak.server.url}. The raw idea is pretty simple:
## Configure the system variable on Wildfly
$JBOSS_HOME/bin/jboss-cli.sh -c --controller=localhost:9992 \
  --command="/system-property=keycloak.server.url:add(value=http://localhost:8083)"
Or just configuring it inside standalone.xml like Hawkular already
does (http://www.hawkular.org/docs/user/installation-guide.html#_preparing_the_...)
## Pass the variable as argument
{
"realm" : "aerogear",
"auth-server-url" : "${keycloak.server.url}",
"ssl-required" : "external",
"resource" : "unified-push-server",
"bearer-only" : true,
"disable-trust-manager" : true
}
I couldn't find any history related to this topic, besides this ticket
(https://issues.jboss.org/browse/KEYCLOAK-1289).
Do you think this is doable to implement? Or am I missing something?
--
- abstractj
8 years, 2 months
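What the proposed substitution would have to do on the adapter side, as an added example (editor's code, not the Keycloak adapter's implementation): resolve `${...}` placeholders in the adapter JSON from a property map, fail closed when a placeholder is left unresolved so the literal `${keycloak.server.url}` can never be used as a URL, and check the resolved `auth-server-url` against `ssl-required`. The `${name:default}` fallback form, the property map argument and the `isPrivateHost` approximation of "external" are assumptions of this example.

```javascript
// Added example: placeholder substitution for an adapter config.
// The ${name:default} syntax and the private-host check are this example's
// own assumptions, not Keycloak's documented behaviour.

const PLACEHOLDER = /\$\{([A-Za-z0-9_.\-]+)(?::([^}]*))?\}/g;

function substitute(value, props) {
  if (typeof value === 'string') {
    return value.replace(PLACEHOLDER, (whole, name, fallback) => {
      if (Object.prototype.hasOwnProperty.call(props, name)) return props[name];
      if (fallback !== undefined) return fallback;
      // Fail closed: a missing property must not leak through as a literal.
      throw new Error(`unresolved placeholder ${whole}`);
    });
  }
  if (Array.isArray(value)) return value.map((v) => substitute(v, props));
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, substitute(v, props)]),
    );
  }
  return value;
}

// Loopback and RFC 1918 ranges, the addresses ssl-required=external lets
// talk plain HTTP. Simplified: IPv6 ULA and hostnames resolving to private
// addresses are not handled.
function isPrivateHost(host) {
  if (host === 'localhost' || host === '[::1]') return true;
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

function loadAdapterConfig(jsonText, props) {
  const cfg = substitute(JSON.parse(jsonText), props);
  const url = new URL(cfg['auth-server-url']); // throws on a malformed value
  const plain = url.protocol === 'http:';
  const mode = cfg['ssl-required'] || 'external';
  if (plain && (mode === 'all' || (mode === 'external' && !isPrivateHost(url.hostname)))) {
    throw new Error(`ssl-required=${mode} but auth-server-url is ${url}`);
  }
  return cfg;
}

// Constructed input: the keycloak.json from the post.
const SAMPLE_JSON = [
  '{',
  '  "realm" : "aerogear",',
  '  "auth-server-url" : "${keycloak.server.url}",',
  '  "ssl-required" : "external",',
  '  "resource" : "unified-push-server",',
  '  "bearer-only" : true,',
  '  "disable-trust-manager" : true',
  '}',
].join('\n');

// The property the jboss-cli command in the post would have set.
function demo() {
  return loadAdapterConfig(SAMPLE_JSON, { 'keycloak.server.url': 'http://localhost:8083' });
}
```

Whatever the source of the value (system property, environment variable, or a config file), the adapter should treat it as trust-anchor configuration: an attacker who can set `keycloak.server.url` chooses which server issues the tokens the adapter accepts, so the check against `ssl-required` is the minimum, not a substitute for restricting who can write those properties.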
Problem with Keycloak 1.8.0.CR1 and Deltaspike
by Christian Beikov
Hello,
we have a problem since Keycloak 1.8.0.CR1 that we didn't have in
1.1.0.Final.
The problem appears when accessing a secured JSF page that uses
DeltaSpike. DeltaSpike redirects the initial request to append a query
param to the path called "dswid". When accessing a secured page, the
Keycloak adapter also does some redirects and adds the redirect uri,
this time the one already including the dswid, into the client session,
but redirects the browser to a URL that includes a redirect uri that
does not contain the dswid. The authentication process fails here:
https://github.com/keycloak/keycloak/blob/1.8.0.CR1/services/src/main/jav...
Since it worked earlier, I guess this is a bug. The actual problem is
the mismatch between the redirect uri stored in the session and the
redirect uri returned to the browser. Hope you can fix this for 1.8.0.Final
Regards,
Christian
8 years, 2 months
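The mismatch described above, as an added simulation (editor's code, not the Keycloak adapter's or server's logic): the value of `redirect_uri` the adapter puts in the authorization request and the value it keeps in its session for the later code exchange must be the same string, because the server compares them exactly. `buggyStartLogin` is a hypothetical variant that stores the full URL but strips the query string (and with it `dswid`) before redirecting; `startLogin` computes the value once and reuses it. Endpoint, client id and URLs are constructed.

```javascript
// Added example: redirect_uri must be computed once and reused verbatim.
// All names and URLs below are constructed for the example.

const AUTH_ENDPOINT =
  'https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth';

function authorizationUrl(redirectUri, state) {
  const u = new URL(AUTH_ENDPOINT);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', 'jsf-app');
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('state', state);
  return u.toString();
}

// Correct: drop only the fragment, keep ?dswid=..., store and send the same string.
function startLogin(session, requestUrl, state) {
  const redirectUri = requestUrl.split('#')[0];
  session.redirectUri = redirectUri;
  return authorizationUrl(redirectUri, state);
}

// Hypothetical buggy variant: stores the full URL but sends it without the query.
function buggyStartLogin(session, requestUrl, state) {
  const full = requestUrl.split('#')[0];
  session.redirectUri = full;
  return authorizationUrl(full.split('?')[0], state);
}

// What the server checks at code exchange: the redirect_uri it saw in the
// authorization request against the one presented now (here: the session copy).
// Exact string comparison, no normalisation.
function redirectUriMatches(authorizationRequestUrl, fromSession) {
  const sent = new URL(authorizationRequestUrl).searchParams.get('redirect_uri');
  return sent === fromSession;
}

// Run one variant against a DeltaSpike-style URL and report whether the
// exchange would pass.
function demo(start) {
  const session = {};
  const authz = start(session, 'https://app.example.com/secure/page.xhtml?dswid=1234', 'abc');
  return redirectUriMatches(authz, session.redirectUri);
}
```

The exact-match rule is deliberate on the server side: loosening it (ignoring the query string, comparing prefixes) is how open-redirect and code-interception bugs get in, so the fix belongs in the adapter, which must send what it stores.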
NO MORE import * please!
by Bill Burke
Please stop doing
import package.*;
All classes need to be listed. Nothing hidden by wildcards. One reason
for this is when people are browsing code on GitHub and they have an idea
of how to find the class they are interested in.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 2 months
Relation to JSR-375
by Jorge Solórzano
Hi Keycloak developers,
How is Keycloak related to JSR 375
<https://jcp.org/en/jsr/detail?id=375>: Java EE Security API?
I can see that Darran Lofthouse and Pedro Igor Silva are part of the Expert
Group, and since this JSR overlaps with many features of Keycloak (AFAIK) I
wish to know if Keycloak will implement this API or if this API is
unrelated to Keycloak.
What are the plans about it?
Regards,
Jorge Solórzano
http://www.jorsol.com
8 years, 2 months
Broker login events
by Stian Thorgersen
It seems like there's a bit of confusion with regards to what events should
be fired when an identity broker login occurs.
Initially it was LOGIN and auth_method was used to differentiate how the
user authenticated.
Then it was changed to IDENTITY_PROVIDER_LOGIN.
Now it seems to be back to LOGIN.
This is rather messy! Why has it been changed so much?
IMO it should be as it was initially (LOGIN with auth_method). We also need to
make sure the identity provider id and sub are included. The latter is missing
at the moment.
8 years, 2 months
Correcting French translation
by francois maturel
Hello,
First of all, thanks for your wonderful work on keycloak!
We are a development team in France using keycloak since v1.2.
There are a number of mistranslations in the current French
messages_fr.properties
Unicode characters like '\u00a9' are used, but they actually are the
'COPYRIGHT SIGN'
Some other messages are strangely translated ;)
Would you be interested in a PR correcting those messages?
Thanks
--
François Maturel
Cordialement,
François Maturel
8 years, 2 months