. Google often have different regional behaviour though.
Did you see the amazon example I wrote before? Did the same mistake of replying twice again :/
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 24 October, 2013 1:56:29 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
Weird. Firefox 24 and IE 10 on Windows for me works the way I
described. What do the logged HTTP requests look like? Does it go
through accounts.google.com?
On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
> By the way that's not how gmail.com works for me. I just tried to open
> gmail.com in an incognito window and was redirected to
> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 24 October, 2013 1:13:40 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when
>> logged into realm
>>
>> Not to drag this on, but take a look at how google does it.
>>
>> If you are not logged in, and you go to gmail.com, you are redirected
>> immediately to accounts.google.com and you must log in there. After you
>> login you are redirected back to gmail.com.
>>
>> If you leave gmail.com and visit another website, then come back to
>> gmail.com, it does an immediate redirect to accounts.google.com which
>> then immediately redirects you back to gmail.
>>
>> So, I feel better. I'm not so old school... :). Google works pretty
>> much the same way the keycloak demo works. There is one difference
>> though that I'm not sure if we should follow: I'm guessing that to
>> implement single sign off, Google will always redirect to
>> accounts.google.com to check to see if you're logged in when you visit a
>> google page.
>>
>>
>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>>> No worries, it's one of those things that happens with trying to explain
>>> something over email/IRC.
>>>
>>> I think it should be an optional feature supported by all adapters. For the
>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>>> ({..., 'auto-login' : true }?). If it's enabled and the first request is
>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>>
>>
>> I don't think this approach can work very well in old-school web apps,
>> if at all. For pure Servlet apps you're either accessing a secure area
>> or you're not. A URL can't be both secure and unsecure at the same
>> time. Plus, if you have any kind of latency, a full browser redirect
>> just to check if you're logged in with the auth-server is going to be
>> pretty ugly.
>>
>> The application adapter *DOES* still need an amILoggedIn REST call. By
>> default it should just return:
>>
>> {
>> "loggedIn" : true,
>> "user" : "wburke"
>> }
>>
>> If you set a flag in resteasy-oauth.json, it will also contain the
>> access token
>>
>> {
>> "loggedIn" : true,
>> "user" : "wburke",
>> "token" : "asdfasdfasdfqwerqwer"
>> }
>>
>> amILoggedIn would be authenticated by a http-only cookie.
>>
>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>> logged into realm
>>>>
>>>> I guess I see what you mean. You want to be able to show
>>>> login/register links on the *application's* page and not just redirect
>>>> immediately to the keycloak screens when you first visit the page. I
>>>> guess I'm thinking too old school Java EE app that would automatically
>>>> bring you to the login screen if you access secured content. I feel
>>>> like a dinosaur sometimes. Too bad I still have 20 years until I
>>>> retire.
>>>>
>>>> Apologies for wasting your time.
>>>>
>>>> Gonna have to figure out how to support this scenario for a traditional
>>>> web app too.
>>>>
>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>>> Yes I read your response and yes I have played with your demo.
>>>>>
>>>>> Let's then revisit this with the demo in mind, and you can tell me
>>>>> where I'm mistaken.
>>>>>
>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
>>>>> require the admin role and '/customers/*' requires the user role. If I
>>>>> click on a link taking me to any of these pages the adapter redirects me
>>>>> to the auth-server. In this case it works, as if I try to visit a private
>>>>> url I should be presented with a login form if I'm not already logged in.
>>>>> So there's no problem that the adapter automatically redirects me to the
>>>>> auth-server.
>>>>>
>>>>> Now, imagine that this is a real application. Where the front-page would,
>>>>> if the user is not logged in, show "Login" and "Register" links, and would
>>>>> not show links to pages that an anonymous user is not allowed to access
>>>>> (for example 'Customer Listing'). If a user is logged in the application
>>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
>>>>> welcome back' and would include links to pages that particular user is
>>>>> allowed to access (for example if the current user had the role user, but
>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin Interface'
>>>>> link, would be displayed).
>>>>>
>>>>> How would I be able to implement that behaviour with the current way
>>>>> Keycloak works?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
>>>>>> when logged into realm
>>>>>>
>>>>>> Did you even read my response? I completely mapped out the entire flow
>>>>>> of how it works *now* in our demo and how it could work with a pure
>>>>>> HTML5 app. Go play with the demo to understand things better maybe?
>>>>>>
>>>>>> You talked about this before:
>>>>>> > A company has an internal Keycloak server, they have a single realm
>>>>>> > with multiple internal applications. All applications are hosted on
>>>>>> > different servers. Let's imagine this company is called Red Hat. The
>>>>>> > user, let's call him Stian, first goes to the OrangeHRM to book some
>>>>>> > long overdue holiday. He's not currently logged in to the realm so is
>>>>>> > shown an anonymous access screen instead with a login link. Stian
>>>>>> > presses login, fills in username and password and successfully logs in
>>>>>> > to the realm. Now Stian wants to go to docspace, again Stian has to
>>>>>> > press the Login link, but doesn't have to provide a username or
>>>>>> > password, but instead is simply redirected back to the application as a
>>>>>> > logged in user. Stian is actually a bit confused about this as he just
>>>>>> > logged in to an application without providing a username or password.
>>>>>>
>>>>>> What you describe is not how our demo works nor will it ever work that
>>>>>> way. You log in once to the auth server, any app you visit knows who
>>>>>> you are. There's no need to click a "login" button when you visit a new
>>>>>> site. HTML5 app would work exactly the same way as any of the WARs in
>>>>>> the Keycloak demo code except all the redirect and cookie processing
>>>>>> would happen within Javascript within the browser. There's just no need
>>>>>> for your extra "no-forms" invocation! The login check is already built
>>>>>> into the protocol.
>>>>>>
>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
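An added example, not code from Keycloak or from anyone in this thread, of the amILoggedIn call Bill describes: a handler authenticated only by an HttpOnly session cookie that returns the loggedIn/user body and adds the access token only when a flag standing in for the resteasy-oauth.json setting is on. The cookie name, the session store layout and the sample sessions are assumptions made for this example.

```javascript
// Added example (not Keycloak's code): a minimal amILoggedIn handler of the kind
// discussed in the thread. Cookie name, session store and sample data are assumed.
const SESSION_COOKIE = "ADAPTER_SESSION"; // assumed cookie name

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Set-Cookie value issued at login: HttpOnly keeps the session id out of
// document.cookie, so page scripts reach the session only through amILoggedIn.
function sessionCookie(sessionId) {
  return `${SESSION_COOKIE}=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// The amILoggedIn body. `sessions` maps session id -> { user, token, expires };
// `exposeToken` stands in for the resteasy-oauth.json flag from the thread.
// The client is trusted for nothing but the opaque session id it presents.
function amILoggedIn(cookieHeader, sessions, exposeToken, now) {
  const id = parseCookies(cookieHeader)[SESSION_COOKIE];
  const s = id ? sessions.get(id) : undefined;
  if (!s || s.expires <= now) return { loggedIn: false };
  const body = { loggedIn: true, user: s.user };
  if (exposeToken) body.token = s.token;
  return body;
}

// Full response: a cookie-authenticated JSON body that may carry a token is
// marked no-store and is served same-origin only (no CORS header is added).
function respond(cookieHeader, sessions, exposeToken, now) {
  return {
    status: 200,
    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" },
    body: JSON.stringify(amILoggedIn(cookieHeader, sessions, exposeToken, now)),
  };
}

// Constructed sample sessions: s1 is live at NOW, s2 has already expired.
const NOW = 1000;
const SAMPLE_SESSIONS = new Map([
  ["s1", { user: "wburke", token: "asdfasdfasdfqwerqwer", expires: 2000 }],
  ["s2", { user: "stian", token: "expired-token", expires: 500 }],
]);
```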