From: "Christian Beikov"
<christian.beikov(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 16 December, 2014 12:42:26 PM
Subject: Re: [keycloak-dev] Login with Access Token
Is there a JIRA issue for that feature? I would like to help with this
regard since I really would like to see support for that in an upcoming
release.
If you'd like to look at it that'd be great as we have loads of work atm, so
not sure we'd have time ourselves. One thing to note is that we'd have to start
with a POC and review it first. I can't guarantee that it's something we'd
actually add either.
Kind regards,
------------------------------------------------------------------------
*Christian Beikov*
On 03.12.2014 at 12:31, Stian Thorgersen wrote:
> Just thought of a reason why it won't work. The link to login with Facebook
> is to the Keycloak server, which then sets the required state before
> redirecting to Facebook.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: "Christian Beikov" <christian.beikov(a)gmail.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Wednesday, 3 December, 2014 12:30:03 PM
>> Subject: Re: [keycloak-dev] Login with Access Token
>>
>> The callback to Keycloak expects a code, not a token, so I don't think it
>> would work unless you modify Keycloak's Facebook provider. I can't think
>> of any other reasons why it wouldn't work.
>>
>> ----- Original Message -----
>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Wednesday, 3 December, 2014 11:04:05 AM
>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>
>>> I was thinking of something like the following as a workaround
>>>
>>> 1. Create a hidden iframe in a webview that navigates to the login page
>>> of the keycloak server.
>>> 2. Extract the state from the link of the Facebook login
>>> 3. Start the login with the native SDK
>>> 4. On success navigate in the iframe to the social callback
>>> 5. Use some keycloak token to act as the logged in user
>>>
>>> Regarding 4. I am not sure what URL I should invoke exactly. I guess I
>>> have to append the state parameter to it, but I couldn't find out exactly
>>> and I haven't debugged that far yet.
>>> Regarding 5. I don't know how to retrieve that keycloak token from the
>>> iframe, but I hope there is a way.
>>>
>>> For this to work I will probably have to add some CORS http headers that
>>> will allow localhost so that the app can access the iframe. Although this
>>> makes it vulnerable, since every localhost app could then "steal" the
>>> keycloak token, it would do the job for now.
>>>
>>> What do you think? Could that work?
>>>
>>> 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>>>
>>>> Keycloak generates a special state parameter. It consists of two parts,
>>>> a signature and an id. The id is used to lookup a session in Keycloak,
>>>> while the signature is then used to verify that specific request is valid
>>>> (a session can only be used for one thing at a time, for example a social
>>>> login). By design there's no way you can generate this yourself unless
>>>> you have access to the Keycloak database.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-dev(a)lists.jboss.org
>>>>> Sent: Wednesday, 3 December, 2014 9:33:20 AM
>>>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>>>
>>>>> I am wondering how you do that. I know that there is a state parameter
>>>>> that is added to the facebook login url, but I could just make an
>>>>> initial request to keycloak to copy that, or did I understand something
>>>>> wrong?
>>>>>
>>>>> 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>>>>>
>>>>>> It's code that is currently changing as we're working on adding
>>>>>> enterprise IdP's as well as social IdP's we have at the moment.
>>>>>>
>>>>>> I think the correct approach would be to use the direct grant api,
>>>>>> which currently lets you exchange a username + password for a Keycloak
>>>>>> token, we could add an option here to pass in a token from an external
>>>>>> IdP to exchange for an internal Keycloak token. If you're interested in
>>>>>> looking at the code look at OpenIDConnectService.grantAccessToken.
>>>>>>
>>>>>> There's no work-around that you can do due to security restrictions
>>>>>> in Keycloak. Keycloak makes sure that the callback can only be called
>>>>>> if it indeed made the original request.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>> Sent: Wednesday, 3 December, 2014 9:11:55 AM
>>>>>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>>>>>
>>>>>>> Thanks for the quick answer. Could you maybe give me a hint on how I
>>>>>>> could implement that in a quick-and-dirty way? Could I maybe do some
>>>>>>> iframe magic in a hidden webview to do the login? I am not quite sure
>>>>>>> how the social login works exactly. Facebook will redirect me back to
>>>>>>> the social callback address after a login, but how does keycloak
>>>>>>> actually retrieve that access token? If I knew that, I could maybe
>>>>>>> create a workaround for now and maybe also contribute something? :)
>>>>>>>
>>>>>>> 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>>>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>>>>> Sent: Tuesday, 2 December, 2014 6:58:42 PM
>>>>>>>>> Subject: [keycloak-dev] Login with Access Token
>>>>>>>>>
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> I am new to OAuth so sorry if my question is dumb.
>>>>>>>>> I have an App which wants to provide a custom and Facebook login.
>>>>>>>>> Since many people already have the Facebook App installed, I thought
>>>>>>>>> it might be better to give them the native experience and use the
>>>>>>>>> Facebook SDK to implement the login.
>>>>>>>>> The problem now is that I have the Access Token from the successful
>>>>>>>>> Facebook login, but don't know how to properly login at the Keycloak
>>>>>>>>> server with that.
>>>>>>>>>
>>>>>>>>> Any ideas on how to do that? Or is that even stupid and is there a
>>>>>>>>> better way?
>>>>>>>> Not at all a dumb question and we actually had someone else ask the
>>>>>>>> same last week.
>>>>>>>>
>>>>>>>> Currently, Keycloak does not support this flow, but it is something
>>>>>>>> we may consider adding.
>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>>
>>>>>>>>> Christian Beikov
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-dev mailing list
>>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> Kind regards,
>>>>>>>
>>>>>>>
>>>>>>> *Christian Beikov* Blazebit Design & Developing
>>>>>>>
>>>>>>> http://www.blazebit.com
>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> Kind regards,
>>>>>
>>>>>
>>>>> *Christian Beikov* Blazebit Design & Developing
>>>>>
>>>>> http://www.blazebit.com
>>>>>
>>>
>>>
>>> --
>>>
>>> Kind regards,
>>>
>>>
>>> *Christian Beikov* Blazebit Design & Developing
>>>
>>> http://www.blazebit.com
>>>
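The state parameter Stian describes above (a signature plus an id, where the id looks up a server-side session that can be used for one thing at a time) and Christian's question about simply copying the state from an initial request, as an added example that is not Keycloak's code and not code from anyone in this thread: an HMAC-signed, single-use state in Python. The in-memory session store (a dict), the `id.signature` layout, the `purpose` field and every function name are assumptions made for the illustration; Keycloak's own implementation is not reproduced here.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real deployment keeps it in a key store
# and rotates it. It is never shared with clients, which is why a client cannot
# mint a valid state on its own.
SERVER_KEY = secrets.token_bytes(32)

# In-memory stand-in for the server's session store (assumption: a dict keyed
# by session id). The id half of the state only means something against this.
SESSIONS: dict = {}


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the state survives a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_state(session_id: str, purpose: str, key: bytes = SERVER_KEY) -> str:
    """HMAC over id and purpose, so a state issued for one step of the flow
    cannot be presented for a different step."""
    msg = f"{session_id}:{purpose}".encode()
    return b64url(hmac.new(key, msg, hashlib.sha256).digest())


def create_state(purpose: str = "social-login") -> str:
    """Server side, before redirecting to the IdP: open a session and bind a
    one-shot state of the form id.signature to it."""
    session_id = b64url(secrets.token_bytes(16))
    SESSIONS[session_id] = {"purpose": purpose, "used": False}
    return f"{session_id}.{sign_state(session_id, purpose)}"


def verify_state(state: str, purpose: str = "social-login") -> bool:
    """Callback side: accept a state only if this server signed it for this
    purpose, the session exists, and it has not been consumed yet."""
    session_id, sep, sig = state.partition(".")
    if not sep:
        return False
    # Check the signature before touching the store, so an unsigned or wrongly
    # signed id never gets to probe for session existence.
    expected = sign_state(session_id, purpose)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    session = SESSIONS.get(session_id)
    if session is None or session["used"] or session["purpose"] != purpose:
        return False
    session["used"] = True  # one session, one thing at a time
    return True


def demo() -> dict:
    """Walk through the cases discussed in the thread; every value is True
    when the server behaves as described."""
    state = create_state()
    results = {"issued_state_accepted": verify_state(state)}
    # Presenting the same state twice: the session was consumed the first time.
    results["replay_rejected"] = not verify_state(state)
    # A state whose signature was made with any key other than the server's
    # (constructed here with a throwaway key) fails the signature check.
    session_id = state.split(".", 1)[0]
    other_key = secrets.token_bytes(32)
    foreign = f"{session_id}.{sign_state(session_id, 'social-login', other_key)}"
    results["foreign_key_rejected"] = not verify_state(foreign)
    # A state issued for another step of the flow is not valid for this one.
    reset_state = create_state("password-reset")
    results["wrong_purpose_rejected"] = not verify_state(reset_state, "social-login")
    # A well-formed id with no session behind it. It is signed with the server
    # key here only to show that the store lookup is a separate check.
    ghost_id = b64url(secrets.token_bytes(16))
    ghost = f"{ghost_id}.{sign_state(ghost_id, 'social-login')}"
    results["unknown_session_rejected"] = not verify_state(ghost)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The order of checks in `verify_state` is the design point: the signature is verified before the store is consulted, so only states the server itself issued ever reach the session lookup, and the `used` flag is what makes the state single-use, which is the property that stops a state copied from one request from being replayed on the callback.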