I was thinking of something like the following as a workaround

1. Create a hidden iframe in a webview that navigates to the login page of the keycloak server.

2. Extract the state from the link of the Facebook login

3. Start the login with the native SDK

4. On success navigate in the iframe to the social callback

5. Use some keycloak token to act as the logged in user

Regarding 4. I am not sure what URL I should invoke exactly. I guess I have to append the state parameter to it, but I couldn't find out exactly and I haven't debugged that far yet.

Regarding 5. I don't know how to retrieve that keycloak token from the iframe, but I hope there is a way.

For this to work I will probably have to add some CORS http headers that will allow localhost so that the app can access the iframe. Although this makes it vulnerable, since every localhost app could then "steal" the keycloak token, it would do the job for now.

What do you think? Could that work?

2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian@redhat.com>:

Keycloak generates a special state parameter. It consists of two parts, a signature and an id. The id is used to lookup a session in Keycloak, while the signature is then used to verify that specific request is valid (a session can only be used for one thing at a time, for example a social login). By design there's no way you can generate this yourself unless you have access to the Keycloak database.

----- Original Message -----
> From: "Christian Beikov" <christian.beikov@gmail.com>

> To: "Stian Thorgersen" <stian@redhat.com>, keycloak-dev@lists.jboss.org
> Sent: Wednesday, 3 December, 2014 9:33:20 AM
> Subject: Re: [keycloak-dev] Login with Access Token
>
> I am wondering how you do that. I know that there is a state parameter that
> is added to the facebook login url, but I could just make an initial
> request to keycloak to copy that, or did I understand something wrong?
>
> 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian@redhat.com>:
>
> > It's code that is currently changing as we're working on adding enterprise
> > IdP's as well as social IdP's we have at the moment.
> >
> > I think the correct approach would be to use the direct grant api, which
> > currently lets you exchange a username + password for a Keycloak token, we
> > could add an option here to pass in a token from an external IdP to
> > exchange for a internal Keycloak token. If you're interested in looking at
> > the code look at OpenIDConnectService.grantAccessToken.
> >
> > There's no work-around that you can do due to security restrictions in
> > Keycloak. Keycloak makes sure that the callback can only be called if it
> > indeed made the original request.
> >
> > ----- Original Message -----
> > > From: "Christian Beikov" <christian.beikov@gmail.com>
> > > To: "Stian Thorgersen" <stian@redhat.com>
> > > Sent: Wednesday, 3 December, 2014 9:11:55 AM
> > > Subject: Re: [keycloak-dev] Login with Access Token
> > >
> > > Thanks for the quick answer. Could you maybe give me a hint on how I
> > could
> > > implement that in a quick-and-dirty way? Could I maybe do some iframe
> > magic
> > > in a hidden webview to do the login? I am not quite sure how the social
> > > login works exactly. Facebook will redirect me back to the social
> > callback
> > > address after a login, but how does keycloak actually retrieve that
> > access
> > > token? If I knew that, I could maybe create a workaround for now and
> > maybe
> > > also contribute something? :)
> > >
> > > 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian@redhat.com>:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Christian Beikov" <christian.beikov@gmail.com>
> > > > > To: keycloak-dev@lists.jboss.org
> > > > > Sent: Tuesday, 2 December, 2014 6:58:42 PM
> > > > > Subject: [keycloak-dev] Login with Access Token
> > > > >
> > > > > Hello!
> > > > >
> > > > > I am new to OAuth so sorry if my question is dumb.
> > > > > I have an App which wants to provide a custom and Facebook login.
> > Since
> > > > many
> > > > > people already have the Facebook App installed, I thought it might be
> > > > better
> > > > > to give them the native experience and use the Facebook SDK to
> > implement
> > > > the
> > > > > login.
> > > > > The problem now is, that I have the Access Token from the successful
> > > > Facebook
> > > > > login, but don't know how to properly login at the Keycloak server
> > with
> > > > > that.
> > > > >
> > > > > Any ideas on how to do that? Or is that even stupid and is there a
> > better
> > > > > way?
> > > >
> > > > Not at all a dumb question and we actually had someone else ask the
> > same
> > > > last week.
> > > >
> > > > Currently, Keycloak does not support this flow, but it something we may
> > > > consider adding.
> > > >
> > > > > --
> > > > >
> > > > > Mit freundlichen Grüßen,
> > > > >
> > > > > Christian Beikov
> > > > >
> > > > > _______________________________________________
> > > > > keycloak-dev mailing list
> > > > > keycloak-dev@lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > Mit freundlichen Grüßen,
> > >
> > >
> > > *Christian Beikov*Blazebit Design & Developing
> > > http://www.blazebit.com
> > >
> >
>
>
>
> --
>
> Mit freundlichen Grüßen,
>
>
> *Christian Beikov*Blazebit Design & Developing
> http://www.blazebit.com
>

Mit freundlichen Grüßen,

Christian Beikov
Blazebit Design & Developing
http://www.blazebit.com