Re: [keycloak-dev] Login with Access Token

Just thought of a reason why it won't work. The link to login with Facebook is to the Keycloak server, which then sets the required state before redirecting to Facebook. ----- Original Message ----- > From: "Stian Thorgersen" <stian(a)redhat.com&gt; > To: "Christian Beikov" <christian.beikov(a)gmail.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Wednesday, 3 December, 2014 12:30:03 PM > Subject: Re: [keycloak-dev] Login with Access Token > > The callback to Keycloak expects a code, not a token, so I don't think it > would work unless you modify Keycloak's Facebook provider. I can't think of > any other reasons why it wouldn't work. > > ----- Original Message ----- > > From: "Christian Beikov" <christian.beikov(a)gmail.com&gt; > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > Cc: keycloak-dev(a)lists.jboss.org > > Sent: Wednesday, 3 December, 2014 11:04:05 AM > > Subject: Re: [keycloak-dev] Login with Access Token > > > > I was thinking of something like the following as a workaround > > > > 1. Create a hidden iframe in a webview that navigates to the login page of > > the keycloak server. > > 2. Extract the state from the link of the Facebook login > > 3. Start the login with the native SDK > > 4. On success navigate in the iframe to the social callback > > 5. Use some keycloak token to act as the logged in user > > > > Regarding 4. I am not sure what URL I should invoke exactly. I guess I have > > to append the state parameter to it, but I couldn't find out exactly and I > > haven't debugged that far yet. > > Regarding 5. I don't know how to retrieve that keycloak token from the > > iframe, but I hope there is a way. > > > > For this to work I will probably have to add some CORS http headers that > > will allow localhost so that the app can access the iframe. Although this > > makes it vulnerable, since every localhost app could then "steal" the > > keycloak token, it would do the job for now. > > > > What do you think? Could that work? > > > > 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian(a)redhat.com&gt;: > > > > > Keycloak generates a special state parameter. It consists of two parts, a > > > signature and an id. The id is used to lookup a session in Keycloak, > > > while > > > the signature is then used to verify that specific request is valid (a > > > session can only be used for one thing at a time, for example a social > > > login). By design there's no way you can generate this yourself unless > > > you > > > have access to the Keycloak database. > > > > > > ----- Original Message ----- > > > > From: "Christian Beikov" <christian.beikov(a)gmail.com&gt; > > > > To: "Stian Thorgersen" <stian(a)redhat.com&gt;, keycloak-dev(a)lists.jboss.org > > > > Sent: Wednesday, 3 December, 2014 9:33:20 AM > > > > Subject: Re: [keycloak-dev] Login with Access Token > > > > > > > > I am wondering how you do that. I know that there is a state parameter > > > that > > > > is added to the facebook login url, but I could just make an initial > > > > request to keycloak to copy that, or did I understand something wrong? > > > > > > > > 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian(a)redhat.com&gt;: > > > > > > > > > It's code that is currently changing as we're working on adding > > > enterprise > > > > > IdP's as well as social IdP's we have at the moment. > > > > > > > > > > I think the correct approach would be to use the direct grant api, > > > which > > > > > currently lets you exchange a username + password for a Keycloak > > > token, we > > > > > could add an option here to pass in a token from an external IdP to > > > > > exchange for a internal Keycloak token. If you're interested in > > > looking at > > > > > the code look at OpenIDConnectService.grantAccessToken. > > > > > > > > > > There's no work-around that you can do due to security restrictions > > > > > in > > > > > Keycloak. Keycloak makes sure that the callback can only be called if > > > it > > > > > indeed made the original request. > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Christian Beikov" <christian.beikov(a)gmail.com&gt; > > > > > > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > > > > > > Sent: Wednesday, 3 December, 2014 9:11:55 AM > > > > > > Subject: Re: [keycloak-dev] Login with Access Token > > > > > > > > > > > > Thanks for the quick answer. Could you maybe give me a hint on how > > > > > > I > > > > > could > > > > > > implement that in a quick-and-dirty way? Could I maybe do some > > > > > > iframe > > > > > magic > > > > > > in a hidden webview to do the login? I am not quite sure how the > > > social > > > > > > login works exactly. Facebook will redirect me back to the social > > > > > callback > > > > > > address after a login, but how does keycloak actually retrieve that > > > > > access > > > > > > token? If I knew that, I could maybe create a workaround for now > > > > > > and > > > > > maybe > > > > > > also contribute something? :) > > > > > > > > > > > > 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian(a)redhat.com&gt;: > > > > > > > > > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > > > From: "Christian Beikov" <christian.beikov(a)gmail.com&gt; > > > > > > > > To: keycloak-dev(a)lists.jboss.org > > > > > > > > Sent: Tuesday, 2 December, 2014 6:58:42 PM > > > > > > > > Subject: [keycloak-dev] Login with Access Token > > > > > > > > > > > > > > > > Hello! > > > > > > > > > > > > > > > > I am new to OAuth so sorry if my question is dumb. > > > > > > > > I have an App which wants to provide a custom and Facebook > > > > > > > > login. > > > > > Since > > > > > > > many > > > > > > > > people already have the Facebook App installed, I thought it > > > might be > > > > > > > better > > > > > > > > to give them the native experience and use the Facebook SDK to > > > > > implement > > > > > > > the > > > > > > > > login. > > > > > > > > The problem now is, that I have the Access Token from the > > > successful > > > > > > > Facebook > > > > > > > > login, but don't know how to properly login at the Keycloak > > > server > > > > > with > > > > > > > > that. > > > > > > > > > > > > > > > > Any ideas on how to do that? Or is that even stupid and is > > > > > > > > there > > > a > > > > > better > > > > > > > > way? > > > > > > > > > > > > > > Not at all a dumb question and we actually had someone else ask > > > > > > > the > > > > > same > > > > > > > last week. > > > > > > > > > > > > > > Currently, Keycloak does not support this flow, but it something > > > we may > > > > > > > consider adding. > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > > > Mit freundlichen Grüßen, > > > > > > > > > > > > > > > > Christian Beikov > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > keycloak-dev mailing list > > > > > > > > keycloak-dev(a)lists.jboss.org > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > Mit freundlichen Grüßen, > > > > > > > > > > > > > > > > > > *Christian Beikov*Blazebit Design & Developing > > > > > > http://www.blazebit.com > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > Mit freundlichen Grüßen, > > > > > > > > > > > > *Christian Beikov*Blazebit Design & Developing > > > > http://www.blazebit.com > > > > > > > > > > > > > > > -- > > > > Mit freundlichen Grüßen, > > > > > > *Christian Beikov*Blazebit Design & Developing > > http://www.blazebit.com > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev