OpenID Connect has this option. This is a spec we should look at and seriously consider
adding support for.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 24 October, 2013 4:16:44 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 24 October, 2013 2:52:59 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>
> Yeah, I saw amazon example. I think your amazon example is different
> because they don't have to worry about single sign on.
Amazon has SSO with LoveFilm! Are you really still claiming that the use-case
I have where an application wants to do single-sign-on and have pages that
adapt to whether or not a user is logged in (instead of simply showing a
login form) is not something people are going to want to do? That's
certainly how I would like my web apps to work if I was writing them.
>
> The current keycloak application adapter builds on top of servlet
> security and only requires a valve and the keycloak configuration file
> and it just works. The style you are talking about would have to bypass
> servlet security entirely and require custom application code to work.
> This is why I don't think it should be promoted as a preferred solution.
No it doesn't. The front-page for an application could have the following JSP
code:
<%
if (request.getUserPrincipal() != null) {
%>
<h2>Hello <%= request.getUserPrincipal().getName() %></h2>
<% } else { %>
<h2>Click here to <a href="...">login</a></h2>
<% } %>
<ul class="menu">
<li><a href="public/index.html">Some public page</a></li>
<%
if (request.getUserPrincipal() != null) {
%>
<li><a href="private/index.html">Some restricted page</a></li>
<% } %>
</ul>
When opening the front-page the prompt=none would be used to login a user if
the user is already logged in to the realm. If the user visits
'private/index.html' first, then it should result in the login form if the
user is not already logged in, so in this case prompt=none wouldn't be used.
>
> The preferred solution should be a server-side driven authentication
> with private client credentials for both javascript and old-school apps.
> For Servlet environments, the constraints of servlet security should
> be used to keep setup simple.
>
>
> On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
> > Yes it goes through accounts.google.com. Google often have different
> > regional behaviour though.
> >
> > Did you see the amazon example I wrote before? Did the same mistake of
> > replying twice again :/
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>
> >> Cc: keycloak-dev(a)lists.jboss.org
> >> Sent: Thursday, 24 October, 2013 1:56:29 PM
> >> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> >>
> >> Weird. Firefox 24 and IE 10 on Windows for me works the way I
> >> described. What do the logged HTTP requests look like? Does it go
> >> through accounts.google.com?
> >>
> >> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
> >>> By the way that's not how gmail.com works for me. I just tried to open
> >>> gmail.com in an incognito window and was redirected to
> >>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
> >>> form.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>>> Cc: keycloak-dev(a)lists.jboss.org
> >>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
> >>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> >>>>
> >>>> Not to drag this on, but take a look at how google does it.
> >>>>
> >>>> If you are not logged in, and you go to gmail.com, you are redirected
> >>>> immediately to accounts.google.com and you must log in there. After you
> >>>> login you are redirected back to gmail.com.
> >>>>
> >>>> If you leave gmail.com and visit another website, then come back to
> >>>> gmail.com, it does an immediate redirect to accounts.google.com which
> >>>> then immediately redirects you back to gmail.
> >>>>
> >>>> So, I feel better. I'm not so old school... :). Google works pretty
> >>>> much the same way the keycloak demo works. There is one difference
> >>>> though that I'm not sure if we should follow: I'm guessing that to
> >>>> implement single sign off, Google will always redirect to
> >>>> accounts.google.com to check to see if you're logged in when you visit a
> >>>> google page.
> >>>>
> >>>>
> >>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
> >>>>> No worries, it's one of those things that happens with trying to
> >>>>> explain something over email/IRC.
> >>>>>
> >>>>> I think it should be an optional feature supported by all adapters. For
> >>>>> the AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
> >>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request is
> >>>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
> >>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
> >>>>>
> >>>>
> >>>> I don't think this approach can work very well in old-school web apps,
> >>>> if at all. For pure Servlet apps you're either accessing a secure area
> >>>> or you're not. A URL can't be both secure and unsecure at the same
> >>>> time. Plus, if you have any kind of latency, a full browser redirect
> >>>> just to check if you're logged in with the auth-server is going to be
> >>>> pretty ugly.
> >>>>
> >>>> The application adapter *DOES* still need an amILoggedIn REST call. By
> >>>> default it should just return:
> >>>>
> >>>> {
> >>>> "loggedIn" : true,
> >>>> "user" : "wburke"
> >>>> }
> >>>>
> >>>> If you set a flag in resteasy-oauth.json, it will also contain the
> >>>> access token
> >>>>
> >>>> {
> >>>> "loggedIn" : true,
> >>>> "user" : "wburke",
> >>>> "token" : "asdfasdfasdfqwerqwer"
> >>>> }
> >>>>
> >>>> amILoggedIn would be authenticated by a http-only cookie.
> >>>>
> >>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>>> Cc: keycloak-dev(a)lists.jboss.org
> >>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
> >>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> >>>>>>
> >>>>>> I guess I see what you mean. You want to be able to show
> >>>>>> login/register links on the *application's* page and not just
> >>>>>> redirect immediately to the keycloak screens when you first visit
> >>>>>> the page. I guess I'm thinking too old school Java EE app that
> >>>>>> would automatically bring you to the login screen if you access
> >>>>>> secured content. I feel like a dinosaur sometimes. Too bad I still
> >>>>>> have 20 years until I retire.
> >>>>>>
> >>>>>> Apologies for wasting your time.
> >>>>>>
> >>>>>> Gonna have to figure out how to support this scenario for a
> >>>>>> traditional web app too.
> >>>>>>
> >>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> >>>>>>> Yes I read your response and yes I have played with your demo.
> >>>>>>>
> >>>>>>> Let's then revisit this with the demo in mind, and you can tell me
> >>>>>>> where I'm mistaken.
> >>>>>>>
> >>>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
> >>>>>>> require the admin role and '/customers/*' requires the user role. If
> >>>>>>> I click on a link taking me to any of these pages the adapter
> >>>>>>> redirects me to the auth-server. In this case it works, as if I try
> >>>>>>> to visit a private url I should be presented with a login form if
> >>>>>>> I'm not already logged in. So there's no problem that the adapter
> >>>>>>> automatically redirects me to the auth-server.
> >>>>>>>
> >>>>>>> Now, imagine that this is a real application. Where the front-page
> >>>>>>> would, if the user is not logged in, show "Login" and "Register"
> >>>>>>> links, and would not show links to pages that an anonymous user is
> >>>>>>> not allowed to access (for example 'Customer Listing'). If a user is
> >>>>>>> logged in the application would not show 'Login' and 'Register' but
> >>>>>>> instead show 'Hello User, welcome back' and would include links to
> >>>>>>> pages that particular user is allowed to access (for example if the
> >>>>>>> current user had the role user, but not admin, only the 'Customer
> >>>>>>> Listing', not the 'Customer Admin Interface' link, would be
> >>>>>>> displayed).
> >>>>>>>
> >>>>>>> How would I be able to implement that behaviour with the current
> >>>>>>> way Keycloak works?
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
> >>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> >>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> >>>>>>>>
> >>>>>>>> Did you even read my response? I completely mapped out the entire
> >>>>>>>> flow of how it works *now* in our demo and how it could work with a
> >>>>>>>> pure HTML5 app. Go play with the demo to understand things better
> >>>>>>>> maybe?
> >>>>>>>>
> >>>>>>>> You talked about this before:
> >>>>>>>> > A company has an internal Keycloak server, they have a single
> >>>>>>>> > realm with multiple internal applications. All applications are
> >>>>>>>> > hosted on different servers. Let's imagine this company is called
> >>>>>>>> > Red Hat. The user, let's call him Stian, first goes to the
> >>>>>>>> > OrangeHRM to book some long overdue holiday. He's not currently
> >>>>>>>> > logged in to the realm so is shown an anonymous access screen
> >>>>>>>> > instead with a login link. Stian presses login, fills in username
> >>>>>>>> > and password and successfully logs in to the realm. Now Stian
> >>>>>>>> > wants to go to docspace, again Stian has to press the Login link,
> >>>>>>>> > but doesn't have to provide a username or password, but instead is
> >>>>>>>> > simply redirected back to the application as a logged in user.
> >>>>>>>> > Stian is actually a bit confused about this as he just logged in
> >>>>>>>> > to an application without providing a username or password.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> What you describe is not how our demo works nor will it ever work
> >>>>>>>> that way. You log in once to the auth server, any app you visit
> >>>>>>>> knows who you are. There's no need to click a "login" button when
> >>>>>>>> you visit a new site. HTML5 app would work exactly the same way as
> >>>>>>>> any of the WARs in the Keycloak demo code except all the redirect
> >>>>>>>> and cookie processing would happen within Javascript within the
> >>>>>>>> browser. There's just no need for your extra "no-forms" invocation!
> >>>>>>>> The login check is already built into the protocol.
> >>>>>>>>
> >>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Bill Burke
> >>>>>>>> JBoss, a division of Red Hat
> >>>>>>>> http://bill.burkecentral.com
> >>>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
> >>>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
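Added example, not part of the thread and not Keycloak's adapter code: a servlet filter sketching the "auto-login" behaviour Stian proposes, using the OpenID Connect prompt=none probe that Bill's top reply points at. The authorization endpoint URL, client id, session attribute names and the redirect handling are assumptions made for this illustration. The two details a practitioner would want to see are in here: the probe is made at most once per session, so an anonymous user does not loop between the app and the auth server on every public page, and the state parameter is checked so that a callback someone else started is rejected.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustration only (not Keycloak adapter code). On the first anonymous GET
 * of a public page, redirect once to the auth server with prompt=none. If the
 * realm already has a session the auth server answers with a code; if not it
 * answers with error=login_required and we remember not to ask again for the
 * rest of this HTTP session, which is what prevents a redirect loop.
 */
public class AutoLoginFilter implements Filter {
    // Assumed endpoint and client id; use the values registered for your realm.
    static final String AUTH_ENDPOINT =
        "https://auth.example.com/realms/demo/protocol/openid-connect/auth";
    static final String CLIENT_ID = "customer-portal";
    // Assumed session attribute names.
    private static final String PROBED = "autologin.probed";
    private static final String STATE  = "autologin.state";

    private final SecureRandom random = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);
        String error = request.getParameter("error");
        String code  = request.getParameter("code");

        // 1. Callback from the auth server after our prompt=none probe.
        if (error != null || code != null) {
            String expected = (String) session.getAttribute(STATE);
            session.removeAttribute(STATE);
            // Reject a callback whose state we did not issue in this session.
            if (expected == null || !Objects.equals(expected, request.getParameter("state"))) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "state mismatch");
                return;
            }
            if (code != null) {
                // The adapter's normal code-for-token exchange takes over here.
                chain.doFilter(req, res);
                return;
            }
            // login_required (or any other error): the user is anonymous. PROBED
            // is already set, so the clean re-request below renders the public
            // page without another probe.
            response.sendRedirect(request.getRequestURL().toString());
            return;
        }

        // 2. Already logged in, already probed, or not a plain GET: nothing to do.
        if (request.getUserPrincipal() != null
                || session.getAttribute(PROBED) != null
                || !"GET".equals(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }

        // 3. First anonymous GET of a public page: probe exactly once.
        String state = new BigInteger(130, random).toString(32);
        session.setAttribute(STATE, state);
        session.setAttribute(PROBED, Boolean.TRUE);
        response.sendRedirect(buildProbeUrl(request.getRequestURL().toString(), state));
    }

    /** Authorization request for a silent check: prompt=none means "never show a form". */
    static String buildProbeUrl(String redirectUri, String state) throws IOException {
        return AUTH_ENDPOINT
            + "?response_type=code"
            + "&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(redirectUri)
            + "&state=" + enc(state)
            + "&prompt=none";
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

Map the filter only to the public URL patterns (the front page, /public/*). Container security constraints on /private/* run before filters, so those paths keep the ordinary redirect-to-login-form behaviour Stian wants there, and the public page's JSP can then branch on request.getUserPrincipal() as in his snippet. The redirect_uri sent in the probe must be one registered for the client, otherwise the auth server will refuse it.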