Keycloak login without redirect to external login page
by Wojciech Trocki
I'm investigating possible options for creating a JavaScript client that will
help mobile developers (Cordova, React Native) integrate with Keycloak.
The main idea will be to mimic other solutions that allow logging in to the
auth server using a single method (instead of redirecting to the login page).
For example:
*authbase.auth().signInWithEmailAndPassword(email, password).then(...);*
The JavaScript adapter from the Keycloak team works fine for both Android and iOS,
but mounting the login page in a webview and styling the login page may be a barrier
for developers starting with Keycloak.
*Questions:*
1) Is it possible to use Keycloak without redirecting to the Keycloak login page?
2) Do you have any suggestions for areas where the mobile experience can be
improved?
This topic was raised on both the dev and users lists before, but
without a definitive answer [1].
I'm looking for any information that may be helpful.
[1] http://lists.jboss.org/pipermail/keycloak-user/2016-November/008295.html
--
WOJCIECH TROCKI
Red Hat Mobile <https://www.redhat.com/>
IM: wtrocki
<https://red.ht/sig>
7 years
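For the single-call login the post above asks about, here is an added example (not code from the original post or from the Keycloak project) of a mobile-style client that authenticates directly against a realm's token endpoint using the Resource Owner Password Credentials grant, which Keycloak exposes when "Direct Access Grants" is enabled on the client. It assumes `baseUrl` already includes the server's context path (for example `https://sso.example.com/auth`); the realm, client id and credentials are placeholders.

```javascript
// Added example (not code from the original post): single-call login
// against Keycloak's OIDC token endpoint with grant_type=password.
// Assumptions: a public client with Direct Access Grants enabled;
// baseUrl includes the context path; realm/client id are placeholders.

function tokenEndpoint(baseUrl, realm) {
  // OIDC token endpoint of a Keycloak realm
  const root = baseUrl.replace(/\/+$/, "");
  return `${root}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

function buildPasswordGrant({ clientId, username, password, scope }) {
  // application/x-www-form-urlencoded body for the password grant
  const params = new URLSearchParams();
  params.set("grant_type", "password");
  params.set("client_id", clientId);
  params.set("username", username);
  params.set("password", password);
  if (scope) params.set("scope", scope);
  return params.toString();
}

function parseTokenResponse(status, body) {
  // Success body: {access_token, refresh_token, expires_in, ...}
  // Failure body: {error, error_description}
  if (status >= 200 && status < 300 && body.access_token) {
    return {
      accessToken: body.access_token,
      refreshToken: body.refresh_token,
      expiresIn: body.expires_in,
    };
  }
  const err = new Error(body.error_description || body.error || `HTTP ${status}`);
  err.code = body.error || "unknown_error";
  err.status = status;
  throw err;
}

async function signInWithUsernameAndPassword(config, username, password, fetchImpl = fetch) {
  // fetchImpl is injectable so the flow can be exercised without a server
  const res = await fetchImpl(tokenEndpoint(config.baseUrl, config.realm), {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildPasswordGrant({
      clientId: config.clientId,
      username,
      password,
      scope: config.scope,
    }),
  });
  return parseTokenResponse(res.status, await res.json());
}
```

Usage: `signInWithUsernameAndPassword({ baseUrl: "https://sso.example.com/auth", realm: "demo", clientId: "mobile-app" }, "alice", "secret")` resolves to the tokens or rejects with the `error`/`error_description` Keycloak returned. The trade-off is that the app now handles raw credentials and loses what the hosted login page provides (second factors, social and SAML brokering, password reset), and the OAuth 2.0 Security Best Current Practice discourages this grant for exactly that reason, so the redirect-based flow stays the safer default.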
Adding a custom field to OIDC/SAML provider setup
by John Eckhart
I would like to add a custom field/property/attribute to an OIDC or SAML
provider and I'm looking for a few pointers.
The use case is to have many identity providers configured in Keycloak and
prompt the user to enter their email address to determine which IdP to
redirect the user to. Each IdP would have one email suffix that it provides
logins for (this would be the custom field). This is a similar flow to
Microsoft's Office 365 and OpsGenie's federated login.
Although this could be implemented outside of Keycloak, ideally we could
contain this as a custom REST API added to KC while extending a theme and
SPI, reusing as much as possible inside Keycloak.
Any thoughts/tips are much appreciated.
7 years
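The email-suffix routing the post above describes, as an added example (not code from the original post or from Keycloak): look the domain of the entered address up against a per-provider suffix, then send the browser to the realm's authorization endpoint with Keycloak's `kc_idp_hint` parameter so the user lands on that provider without seeing the IdP chooser. The `emailSuffix` key inside each provider's `config` is the custom field the post asks for and is an assumption here; the provider aliases, realm and client values are constructed.

```javascript
// Added example (not code from the original post): route a user to an
// identity provider by email suffix and build the kc_idp_hint login URL.
// "emailSuffix" is the hypothetical custom IdP field from the post.

const PROVIDERS = [ // constructed sample configuration
  { alias: "contoso-saml",  config: { emailSuffix: "contoso.example" } },
  { alias: "fabrikam-oidc", config: { emailSuffix: "fabrikam.example" } },
  { alias: "fabrikam-uk",   config: { emailSuffix: "uk.fabrikam.example" } },
];

function emailDomain(email) {
  // Lower-cased domain part, or null when the address has no single '@'
  const s = String(email).trim();
  const at = s.lastIndexOf("@");
  if (at <= 0 || at === s.length - 1 || s.indexOf("@") !== at) return null;
  return s.slice(at + 1).toLowerCase();
}

function resolveIdp(email, providers = PROVIDERS) {
  // Match the whole domain or a dot-separated parent of it; the most
  // specific (longest) suffix wins so "uk.fabrikam.example" beats
  // "fabrikam.example". "notfabrikam.example" matches neither.
  const domain = emailDomain(email);
  if (!domain) return null;
  let best = null;
  for (const p of providers) {
    const suffix = String((p.config && p.config.emailSuffix) || "").toLowerCase();
    if (!suffix) continue;
    if (domain === suffix || domain.endsWith("." + suffix)) {
      if (!best || suffix.length > best.suffix.length) best = { alias: p.alias, suffix };
    }
  }
  return best ? best.alias : null;
}

function idpLoginUrl(baseUrl, realm, alias, { clientId, redirectUri, state }) {
  // Standard authorization-code request plus Keycloak's kc_idp_hint
  const root = baseUrl.replace(/\/+$/, "");
  const q = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid",
    state,
    kc_idp_hint: alias,
  });
  return `${root}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/auth?${q}`;
}
```

Two design points worth noting: the suffix lookup runs before authentication, so whatever serves it (a custom REST endpoint or a theme) discloses which domains have a configured provider, and `kc_idp_hint` is only a hint; Keycloak still enforces its own provider configuration and the provider still authenticates the user, so a wrong or tampered hint cannot grant access by itself.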
Why are offline sessions imported?
by Bill Burke
I'm working on:
https://issues.jboss.org/browse/KEYCLOAK-5350
This can be fixed by having a try/catch block when loading a user
within JpaUserSessionPersisterProvider.loadUserSessions() and skipping
that particular offline token.
My question is: why are offline tokens "imported" into the user
session cache at boot? Why aren't they just pulled on demand (i.e. on a
refresh token request)? Imagine booting Keycloak when LDAP is down (as
per the JIRA above). The fix will allow Keycloak to boot, but all
offline tokens originating from this LDAP will no longer work.
Keycloak would need to be restarted after LDAP is back up in order for
any offline tokens to work again.
--
Bill Burke
Red Hat
7 years
Feature request: Internal Token to External Token Exchange with automatic user linking in the External realm
by Gael THIABAUD
Dear Keycloak team,
The current usage of "Internal Token to External Token Exchange" is based on the fact that the user in the "external" realm was previously linked with the "internal" realm.
The current implementation of Client Initiated Account Linking is taking care only of the request coming from a Web Browser.
I need to have it working if the requester is an application backend.
E.g.: the back end of a web application needs to use a REST service that is not managed by the same realm.
1) USER --> Web APP
2) Web APP -redirect-> KC Realm A
3) KC Realm A -credential request-> USER
4) USER -credentials-> KC Realm A
5) KC Realm A -token & redirect-> USER
6) USER -redirect-> Web APP
7) Web APP -Internal to External Token Exchange-> KC Realm A
8) KC Realm A -request token exchange-> KC Realm B
9) KC Realm B creates the user from the token
10) KC Realm B -Realm B token-> KC Realm A -> Web APP
11) Web APP -Realm B token in bearer mode-> REST server depending on Realm B
Is my use case clear?
Do you have a proposal?
Can we help with the implementation?
Regards
Gaël THIABAUD
Technical Department
mailto:gael.thiabaud@almerys.com
Phone: 04 73 74 82 84
almerys, 46 Rue du Ressort, 63967 Clermont-Ferrand Cedex 9
www.almerys.com
Scrum Master
7 years
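As an added example (not code from the original post or from Keycloak), this is the request a backend sends for the existing "internal token to external token exchange" that the post describes, i.e. the step where the web app hands its Realm A token to Realm A and asks for a Realm B token. The parameter names (`grant_type`, `subject_token`, `requested_token_type`, `requested_issuer`) are the ones Keycloak documents for this exchange; the client id and secret, realm and issuer alias are placeholders, and `requested_issuer` assumes Realm B is configured as an identity provider in Realm A. As the post says, the exchange only succeeds for a user already linked to that provider.

```javascript
// Added example (not code from the original post): build and send a
// Keycloak internal-to-external token exchange request from a backend.
// Placeholders: client id/secret, realm and the external IdP alias.

const TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
const ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token";

function buildExternalExchange({ clientId, clientSecret, subjectToken, requestedIssuer }) {
  // requested_issuer is the alias of the identity provider (here Realm B
  // as configured in Realm A) whose token the caller wants back.
  for (const [name, value] of Object.entries({ clientId, subjectToken, requestedIssuer })) {
    if (!value) throw new Error(`missing ${name}`);
  }
  const params = new URLSearchParams();
  params.set("client_id", clientId);
  if (clientSecret) params.set("client_secret", clientSecret); // confidential client
  params.set("grant_type", TOKEN_EXCHANGE_GRANT);
  params.set("subject_token", subjectToken);          // the Realm A access token
  params.set("requested_token_type", ACCESS_TOKEN_TYPE);
  params.set("requested_issuer", requestedIssuer);    // e.g. "realm-b"
  return params.toString();
}

function exchangeEndpoint(baseUrl, realm) {
  // The exchange goes to Realm A's ordinary token endpoint
  return `${baseUrl.replace(/\/+$/, "")}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

async function exchangeForExternalToken(cfg, subjectToken, fetchImpl = fetch) {
  // Returns the external provider's token on success; on failure surfaces
  // the error/error_description Keycloak sends (e.g. when the user is not
  // linked to the provider yet).
  const res = await fetchImpl(exchangeEndpoint(cfg.baseUrl, cfg.realm), {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildExternalExchange({
      clientId: cfg.clientId,
      clientSecret: cfg.clientSecret,
      subjectToken,
      requestedIssuer: cfg.requestedIssuer,
    }),
  });
  const body = await res.json();
  if (!res.ok) {
    throw new Error(`${body.error || "HTTP " + res.status}: ${body.error_description || ""}`.trim());
  }
  return body;
}
```

Keep the client secret on the backend only; the exchange is a confidential-client operation, and Keycloak additionally gates it with permissions on the client and on the identity provider, so a leaked Realm A access token alone is not enough to mint Realm B tokens.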
Is there a way to log the details from ErrorResponseExceptions?
by Jared Blashka
Some of our clients are generating many REFRESH_TOKEN_ERROR events but I
don't see anywhere that the error description from the exception is
logged/stored. The keycloak event itself only says 'invalid token', but I'd
like to see the '{"error":"invalid_grant","error_description":"Session not
active"}' details as well to be able to provide specific guidance around
why their refresh calls are failing.
I tried registering an Exception Mapper provider, but it doesn't look like
that's supported yet (
http://lists.jboss.org/pipermail/keycloak-dev/2016-June/007361.html).
We're running RH-SSO 7.1.3.
Thanks!
Jared Blashka
Red Hat
7 years
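While the server-side event only records "invalid token", the `error_description` the post wants is present in the HTTP response the client receives. As an added example (not code from the original post or from Keycloak), this client-side wrapper performs a `refresh_token` grant and, on failure, captures the status, `error` and `error_description` into a structured log record, with non-JSON bodies (a proxy error page, for instance) handled as well. The log sink is an in-memory array and the sample response bodies are constructed; the `Session not active` body mirrors the one quoted in the post.

```javascript
// Added example (not code from the original post): refresh-token call
// whose failures keep the error_description Keycloak returned.
// Log sink, sample bodies, realm and client id are constructed.

function explainTokenError(status, rawBody) {
  // Keycloak answers failed token requests with HTTP 400/401 and a JSON
  // body {"error": "...", "error_description": "..."}; tolerate non-JSON.
  let parsed = null;
  try { parsed = JSON.parse(rawBody); } catch (_) { /* not JSON */ }
  return {
    status,
    error: (parsed && parsed.error) || "unknown_error",
    description: (parsed && parsed.error_description) || String(rawBody).slice(0, 200),
  };
}

function refreshOutcome(status, rawBody, log) {
  // Success: return the new token set. Failure: record a log entry that
  // carries the details the server-side REFRESH_TOKEN_ERROR event lacks.
  if (status >= 200 && status < 300) {
    return { ok: true, tokens: JSON.parse(rawBody) };
  }
  const detail = explainTokenError(status, rawBody);
  log.push({ event: "REFRESH_TOKEN_ERROR", at: new Date().toISOString(), ...detail });
  return { ok: false, detail };
}

function buildRefreshGrant({ clientId, refreshToken }) {
  // application/x-www-form-urlencoded body for grant_type=refresh_token
  const params = new URLSearchParams();
  params.set("grant_type", "refresh_token");
  params.set("client_id", clientId);
  params.set("refresh_token", refreshToken);
  return params.toString();
}

async function refreshAccessToken(cfg, refreshToken, log, fetchImpl = fetch) {
  const url = `${cfg.baseUrl.replace(/\/+$/, "")}/realms/${encodeURIComponent(cfg.realm)}/protocol/openid-connect/token`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildRefreshGrant({ clientId: cfg.clientId, refreshToken }),
  });
  // Read as text first so a non-JSON error page does not throw before logging
  return refreshOutcome(res.status, await res.text(), log);
}

// Constructed sample bodies (the first mirrors the response quoted in the post)
const SAMPLE_SESSION_NOT_ACTIVE = '{"error":"invalid_grant","error_description":"Session not active"}';
const SAMPLE_PROXY_ERROR = "<html><body>502 Bad Gateway</body></html>";
```

Correlating these client-side records with the server's `REFRESH_TOKEN_ERROR` events by client id and timestamp gives the per-cause breakdown (expired session, logged-out session, revoked token) that the events alone do not provide.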