10:47 a.m.
Right,
Imagine this scenario:
An application (this can be a JSF or JS, or whatever) has a menu-bar that has options that
should only be shown to certain users, it also displays the username of the logged-in
user. A user that is not logged in to the SSO realm visits the application. The user then
clicks on Login and is redirected to the login form on the Keycloak server. The user logs
in and is redirected back to the application and can now see additional entries in the
menu.
Later another user that is already logged in to the SSO realm visits the same application.
The application can't automatically log this user in, as that would require
automatically redirecting the user to the login form on the Keycloak server. This would be
fine for this user as the user is already logged-in. However, that would break the
previous case where a user visited the application without being logged in to the SSO
realm.
Now, if there was an option to retrieve an access code (the proposal I've commited)
without showing the login form you could solve both cases. The application can
automatically log the user in to the application if already logged in to the SSO realm,
and wouldn't end up showing the login form if the user was not logged in (instead the
user would be redirected back to the application without being logged in, and able to
click on Login when he/she chooses to).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 22 October, 2013 4:35:51 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into
realm
On 10/22/2013 11:22 AM, Stian Thorgersen wrote:
> Let's see if I can manage to explain this properly.
>
> The flow is:
>
> 1. Application redirects to '../auth/request/login'
> 1.1. If user is not logged in to realm display login form
> 1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already have
> grants display oauth grant page
> 2. If successful redirect to application with authorization code
> 3. Application retrieves access token from '../access/codes'
>
> With the current flow there is no way for an application to check if a user
> is already logged-in to the realm (+ grants given). So the only options
> would be to either:
>
I don't get why the application needs to check if the user is already
logged in. Just start the oauth flow by redirecting to the auth-server.
If the user is already logged in, then, keycloak *already* will create
an access code and redirect back to the redirect URL immediately.
I do not think you approach is correct at the moment.. IMO, what you
have to do is create a Javascript Application Adapter that can run in
the browser. It would work exactly like the JBoss Application adapter
except it would run within the browser.
ALl in all, IMO, you're still better off doing this flow on the server
side like the examples do. It is more secure as it doesn't require
public client/application credentials.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com