Is there a JIRA issue for that feature? I would like to help in this
regard since I really would like to see support for that in an upcoming
release.
Kind regards,
------------------------------------------------------------------------
*Christian Beikov*
On 03.12.2014 at 12:31, Stian Thorgersen wrote:
Just thought of a reason why it won't work. The link to login
with Facebook is to the Keycloak server, which then sets the required state before
redirecting to Facebook.
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Christian Beikov" <christian.beikov(a)gmail.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 3 December, 2014 12:30:03 PM
> Subject: Re: [keycloak-dev] Login with Access Token
>
> The callback to Keycloak expects a code, not a token, so I don't think it
> would work unless you modify Keycloak's Facebook provider. I can't think of
> any other reasons why it wouldn't work.
>
> ----- Original Message -----
>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Wednesday, 3 December, 2014 11:04:05 AM
>> Subject: Re: [keycloak-dev] Login with Access Token
>>
>> I was thinking of something like the following as a workaround
>>
>> 1. Create a hidden iframe in a webview that navigates to the login page of
>> the keycloak server.
>> 2. Extract the state from the link of the Facebook login
>> 3. Start the login with the native SDK
>> 4. On success navigate in the iframe to the social callback
>> 5. Use some keycloak token to act as the logged in user
>>
>> Regarding 4. I am not sure what URL I should invoke exactly. I guess I have
>> to append the state parameter to it, but I couldn't find out exactly and I
>> haven't debugged that far yet.
>> Regarding 5. I don't know how to retrieve that keycloak token from the
>> iframe, but I hope there is a way.
>>
>> For this to work I will probably have to add some CORS http headers that
>> will allow localhost so that the app can access the iframe. Although this
>> makes it vulnerable, since every localhost app could then "steal" the
>> keycloak token, it would do the job for now.
>>
>> What do you think? Could that work?
>>
>> 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>>
>>> Keycloak generates a special state parameter. It consists of two parts, a
>>> signature and an id. The id is used to lookup a session in Keycloak,
>>> while
>>> the signature is then used to verify that specific request is valid (a
>>> session can only be used for one thing at a time, for example a social
>>> login). By design there's no way you can generate this yourself unless
>>> you
>>> have access to the Keycloak database.
>>>
>>> ----- Original Message -----
>>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, keycloak-dev(a)lists.jboss.org
>>>> Sent: Wednesday, 3 December, 2014 9:33:20 AM
>>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>>
>>>> I am wondering how you do that. I know that there is a state parameter that
>>>> is added to the facebook login url, but I could just make an initial
>>>> request to keycloak to copy that, or did I understand something wrong?
>>>>
>>>> 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>>>>
>>>>> It's code that is currently changing as we're working on adding enterprise
>>>>> IdP's as well as social IdP's we have at the moment.
>>>>>
>>>>> I think the correct approach would be to use the direct grant api, which
>>>>> currently lets you exchange a username + password for a Keycloak token, we
>>>>> could add an option here to pass in a token from an external IdP to
>>>>> exchange for an internal Keycloak token. If you're interested in looking at
>>>>> the code look at OpenIDConnectService.grantAccessToken.
>>>>>
>>>>> There's no work-around that you can do due to security restrictions in
>>>>> Keycloak. Keycloak makes sure that the callback can only be called if it
>>>>> indeed made the original request.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> Sent: Wednesday, 3 December, 2014 9:11:55 AM
>>>>>> Subject: Re: [keycloak-dev] Login with Access Token
>>>>>>
>>>>>> Thanks for the quick answer. Could you maybe give me a hint on how I could
>>>>>> implement that in a quick-and-dirty way? Could I maybe do some iframe magic
>>>>>> in a hidden webview to do the login? I am not quite sure how the social
>>>>>> login works exactly. Facebook will redirect me back to the social callback
>>>>>> address after a login, but how does keycloak actually retrieve that access
>>>>>> token? If I knew that, I could maybe create a workaround for now and maybe
>>>>>> also contribute something? :)
>>>>>>
>>>>>> 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Christian Beikov" <christian.beikov(a)gmail.com>
>>>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>>>> Sent: Tuesday, 2 December, 2014 6:58:42 PM
>>>>>>>> Subject: [keycloak-dev] Login with Access Token
>>>>>>>>
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>> I am new to OAuth so sorry if my question is dumb.
>>>>>>>> I have an App which wants to provide a custom and Facebook login. Since
>>>>>>>> many people already have the Facebook App installed, I thought it might
>>>>>>>> be better to give them the native experience and use the Facebook SDK to
>>>>>>>> implement the login.
>>>>>>>> The problem now is that I have the Access Token from the successful
>>>>>>>> Facebook login, but don't know how to properly login at the Keycloak
>>>>>>>> server with that.
>>>>>>>>
>>>>>>>> Any ideas on how to do that? Or is that even stupid and is there a
>>>>>>>> better way?
>>>>>>> Not at all a dumb question and we actually had someone else ask the same
>>>>>>> last week.
>>>>>>>
>>>>>>> Currently, Keycloak does not support this flow, but it is something we may
>>>>>>> consider adding.
>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>>
>>>>>>>> Christian Beikov
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>>>
>>>>
>>>>
>>
>>
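The state handling Stian describes in the thread above (an id that looks up a server-side session, plus a signature that ties the callback to that session and to the one action it was started for), as an added example in Python. This is not Keycloak's code and does not show how Keycloak actually implements it: the HMAC-SHA256 construction over "session id:action", the in-memory session dict, the `social-login:<provider>` action string, the `facebook`/`google` provider names and the helper names (`AuthServer`, `callback_succeeds`, `forge_state`, `scenario`) are all assumptions made here. It exists to show why the workaround discussed (copy or mint a state on the client, then hit the social callback yourself) fails when the key lives only on the server and each session is consumed once:

```python
import base64
import hashlib
import hmac
import secrets

# Server-side signing key (assumed). A native app, a hidden iframe or a page on
# localhost never sees it; that is what makes the state unforgeable client-side.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(key: bytes, session_id: str, action: str) -> str:
    # HMAC over "<session id>:<action>" (assumed construction, not Keycloak's).
    msg = f"{session_id}:{action}".encode()
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())


class AuthServer:
    """Toy authorization server: state = "<session id>.<signature>"."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.sessions = {}  # session id -> {"action": str, "used": bool}

    def start_social_login(self, provider: str) -> str:
        """Create a login session and return the state embedded in the IdP link."""
        sid = _b64(secrets.token_bytes(16))
        action = f"social-login:{provider}"
        self.sessions[sid] = {"action": action, "used": False}
        return f"{sid}.{_sign(self.key, sid, action)}"

    def handle_callback(self, provider: str, state: str, code: str) -> dict:
        """Check the state the IdP sent back; only then would the code be exchanged."""
        sid, _, sig = state.partition(".")
        session = self.sessions.get(sid)
        if session is None:
            raise PermissionError("unknown session id")
        # The signature covers the action, so a session started for one purpose
        # cannot be completed through a different provider's callback.
        expected = _sign(self.key, sid, f"social-login:{provider}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            raise PermissionError("signature does not match this session and action")
        if session["used"]:
            raise PermissionError("session already consumed")
        session["used"] = True  # one login per session
        return {"session": sid, "provider": provider, "code": code}


def callback_succeeds(server: AuthServer, provider: str, state: str, code: str = "c0de") -> bool:
    """True if the server accepts the callback, False if it rejects it."""
    try:
        server.handle_callback(provider, state, code)
        return True
    except PermissionError:
        return False


def forge_state(session_id: str, provider: str) -> str:
    """Attacker: right format, but signed with a key of the attacker's choosing."""
    action = f"social-login:{provider}"
    return f"{session_id}.{_sign(secrets.token_bytes(32), session_id, action)}"


def scenario() -> dict:
    """Outcomes of the attempts discussed in the thread (True = accepted)."""
    server = AuthServer()

    genuine = server.start_social_login("facebook")  # state issued by the server
    accepted_first = callback_succeeds(server, "facebook", genuine)
    accepted_replay = callback_succeeds(server, "facebook", genuine)  # same state again

    other = server.start_social_login("facebook")
    accepted_wrong_provider = callback_succeeds(server, "google", other)

    third = server.start_social_login("facebook")
    forged = forge_state(third.partition(".")[0], "facebook")  # real id, attacker key
    accepted_forged = callback_succeeds(server, "facebook", forged)

    fabricated = forge_state(_b64(secrets.token_bytes(16)), "facebook")  # made-up id
    accepted_fabricated = callback_succeeds(server, "facebook", fabricated)

    return {
        "genuine": accepted_first,
        "replay": accepted_replay,
        "wrong_provider": accepted_wrong_provider,
        "forged_signature": accepted_forged,
        "fabricated_session": accepted_fabricated,
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name:20s} accepted={accepted}")
```

Only the first, server-issued state is accepted; replaying it, presenting it on a different provider's callback, re-signing a known session id with the attacker's own key, or inventing a session id are all rejected. The model stops where Stian's later reply does: in the real flow the state is only minted when Keycloak itself redirects to the IdP, so there is nothing a client-side webview can legitimately copy and complete on its own.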