What's wrong? The fact you have to cut and paste a code from the
browser to the app.
On 7/20/17 9:04 AM, Thomas Darimont wrote:
Will there also be support for desktop apps in some way?
What in particular do you think is the problem with the approach used
by the keycloak-installed adapter
and OAuth device flow, guessing you mean:
2017-07-19 16:31 GMT+02:00 Bill Burke <bburke(a)redhat.com
I'm working on something for command line apps. A command-line
text/plain protocol so that login can happen within a console. I
think keycloak-installation or the OAuth device flow is really poor
On 7/18/17 9:42 AM, Thomas Darimont wrote:
> Hello folks,
> I played a bit with the undocumented? keycloak-installed
> for integrating
> desktop applications with Keycloak SSO and found some issues with it, which
> I'd like to share.
> Small explanation for those who are reading the list but don't
> adapter... 
> First some general notes / suggestions:
> Is the keycloak-installed adapter something that will stay in
> was this just a PoC?
> In the former case I think there are some things that could be
> extended a bit:
> - Allow users to customize the locale used for the login pages
> the adapter
> - Provide customizable response templates (perhaps by leveraging
> - Allow to customize pages shown after login / logout served by the
> keycloak-installed adapter
> - Add support for TLS (with custom certificates) for https://
> I noticed that some browsers (e.g. Chrome) show an error page
> redirect to the local mini-webserver after a successful login
> (...server-socket) embedded in the adapter doesn't respond with
> HTTP response.
> With that fixed, it worked with all browsers I tested (IE,
> My current modifications of the keycloak-installed adapter
> (with HTTP response fixes and response customizations) are here:
> An extended example (using the modified keycloak-installed
> be found here:
>  Not mentioned here:
>  For those that haven't seen the adapter yet, it allows to
> against Keycloak
> from a desktop app (e.g. swing, javafx) by opening a desktop
> where a user
> uses the regular keycloak login pages to login.
> The trick is now that login page is opened with redirect URL that points to
> a small local
> "web server" (server-socket) on a free ephemeral port which is
> the adapter.
> After logging in the mini web-server receives performs the
> code flow and eventually receives the tokens (access_token,
> id_token) which can then be
> used to call backend services from the client or retrieve new tokens
> A nice side effect of this is, that the desktop application never sees a
> password and one can leverage existing SSO sessions.
> Btw. the google cloud cli uses the same approach to authenticate
> The Keycloak repo contains a small example for this:
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
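
The loopback redirect described in the thread, as an added example that is not part of the original messages and is not the keycloak-installed adapter's code (it is written in Python, not the adapter's Java). It binds to 127.0.0.1 on an ephemeral port, checks a `state` value, and answers the browser with a complete HTTP response; the names `LoopbackCallback` and `http_response`, the `/callback` path and the `state` check are assumptions made for the illustration.

```python
import secrets
import socket
from urllib.parse import parse_qs, urlsplit

def http_response(status, body):
    """Build a complete HTTP/1.1 response: status line, headers, blank line, body."""
    payload = body.encode("utf-8")
    head = (f"HTTP/1.1 {status}\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(payload)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + payload

class LoopbackCallback:
    """One-shot listener for the authorization-code redirect (hypothetical helper)."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback only; the OS picks a free ephemeral port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.state = secrets.token_urlsafe(16)  # put in the login URL, checked on return
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"  # assumed path

    def wait_for_code(self, timeout=120):
        """Accept one redirect; return the code, or None if the state does not match."""
        self.sock.settimeout(timeout)
        conn, _ = self.sock.accept()
        with conn, self.sock:
            conn.settimeout(timeout)
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 8192:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                raw += chunk
            parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
            query = parse_qs(urlsplit(parts[1]).query) if len(parts) == 3 else {}
            code = query.get("code", [None])[0]
            state = query.get("state", [""])[0]
            if code and secrets.compare_digest(state.encode(), self.state.encode()):
                conn.sendall(http_response("200 OK", "<p>Login complete.</p>"))
                return code
            conn.sendall(http_response("400 Bad Request", "<p>Login failed.</p>"))
            return None
```

The returned code would then be exchanged for tokens at the token endpoint, using the same `redirect_uri` that was sent in the login URL.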