Just thought of a reason why it won't work. The link to login with Facebook is to the Keycloak server, which then sets the required state before redirecting to Facebook.

----- Original Message -----

From: "Stian Thorgersen" <stian@redhat.com>
To: "Christian Beikov" <christian.beikov@gmail.com>
Cc: keycloak-dev@lists.jboss.org
Sent: Wednesday, 3 December, 2014 12:30:03 PM
Subject: Re: [keycloak-dev] Login with Access Token

The callback to Keycloak expects a code, not a token, so I don't think it
would work unless you modify Keycloak's Facebook provider. I can't think of
any other reasons why it wouldn't work.

----- Original Message -----

From: "Christian Beikov" <christian.beikov@gmail.com>
To: "Stian Thorgersen" <stian@redhat.com>
Cc: keycloak-dev@lists.jboss.org
Sent: Wednesday, 3 December, 2014 11:04:05 AM
Subject: Re: [keycloak-dev] Login with Access Token

I was thinking of something like the following as a workaround

1. Create a hidden iframe in a webview that navigates to the login page of
the keycloak server.
2. Extract the state from the link of the Facebook login
3. Start the login with the native SDK
4. On success navigate in the iframe to the social callback
5. Use some keycloak token to act as the logged in user

Regarding 4. I am not sure what URL I should invoke exactly. I guess I have
to append the state parameter to it, but I couldn't find out exactly and I
haven't debugged that far yet.
Regarding 5. I don't know how to retrieve that keycloak token from the
iframe, but I hope there is a way.

For this to work I will probably have to add some CORS http headers that
will allow localhost so that the app can access the iframe. Although this
makes it vulnerable, since every localhost app could then "steal" the
keycloak token, it would do the job for now.

What do you think? Could that work?

2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian@redhat.com>:

Keycloak generates a special state parameter. It consists of two parts, a
signature and an id. The id is used to lookup a session in Keycloak,
while
the signature is then used to verify that specific request is valid (a
session can only be used for one thing at a time, for example a social
login). By design there's no way you can generate this yourself unless
you
have access to the Keycloak database.

----- Original Message -----

From: "Christian Beikov" <christian.beikov@gmail.com>
To: "Stian Thorgersen" <stian@redhat.com>, keycloak-dev@lists.jboss.org
Sent: Wednesday, 3 December, 2014 9:33:20 AM
Subject: Re: [keycloak-dev] Login with Access Token

I am wondering how you do that. I know that there is a state parameter

that

is added to the facebook login url, but I could just make an initial
request to keycloak to copy that, or did I understand something wrong?

2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian@redhat.com>:

It's code that is currently changing as we're working on adding

enterprise

IdP's as well as social IdP's we have at the moment.

I think the correct approach would be to use the direct grant api,

which

currently lets you exchange a username + password for a Keycloak

token, we

could add an option here to pass in a token from an external IdP to
exchange for a internal Keycloak token. If you're interested in

looking at

the code look at OpenIDConnectService.grantAccessToken.

There's no work-around that you can do due to security restrictions
in
Keycloak. Keycloak makes sure that the callback can only be called if

it

indeed made the original request.

----- Original Message -----

From: "Christian Beikov" <christian.beikov@gmail.com>
To: "Stian Thorgersen" <stian@redhat.com>
Sent: Wednesday, 3 December, 2014 9:11:55 AM
Subject: Re: [keycloak-dev] Login with Access Token

Thanks for the quick answer. Could you maybe give me a hint on how
I

could

implement that in a quick-and-dirty way? Could I maybe do some
iframe

magic

in a hidden webview to do the login? I am not quite sure how the

social

login works exactly. Facebook will redirect me back to the social

callback

address after a login, but how does keycloak actually retrieve that

access

token? If I knew that, I could maybe create a workaround for now
and

maybe

also contribute something? :)

2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian@redhat.com>:

----- Original Message -----

From: "Christian Beikov" <christian.beikov@gmail.com>
To: keycloak-dev@lists.jboss.org
Sent: Tuesday, 2 December, 2014 6:58:42 PM
Subject: [keycloak-dev] Login with Access Token

Hello!

I am new to OAuth so sorry if my question is dumb.
I have an App which wants to provide a custom and Facebook
login.

Since

many

people already have the Facebook App installed, I thought it

might be

better

to give them the native experience and use the Facebook SDK to

implement

the

login.
The problem now is, that I have the Access Token from the

successful

Facebook

login, but don't know how to properly login at the Keycloak

server

with

that.

Any ideas on how to do that? Or is that even stupid and is
there

a

better

way?

Not at all a dumb question and we actually had someone else ask
the

same

last week.

Currently, Keycloak does not support this flow, but it something

we may

consider adding.

--

Mit freundlichen Grüßen,

Christian Beikov

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

--

Mit freundlichen Grüßen,


*Christian Beikov*Blazebit Design & Developing
http://www.blazebit.com

--

Mit freundlichen Grüßen,


*Christian Beikov*Blazebit Design & Developing
http://www.blazebit.com

--

Mit freundlichen Grüßen,


*Christian Beikov*Blazebit Design & Developing
http://www.blazebit.com

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev