----- Original Message -----
From: "Bruno Oliveira" <bruno(a)abstractj.org>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Summers Pittman" <supittma(a)redhat.com>,
keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 1 October, 2014 9:37:59 AM
Subject: Re: [keycloak-dev] Ok to have no direct links to...
Hi Stian, that's cool if it's planned for the further releases.
We haven't planned anything (have we?). With regards to SDKs for Android and iOS (and
that pesky Windows thing) we're hoping to delegate it all to you guys ;)
The major concern here is about a vulnerability which can be exploit on
Android < 4.2 — most of Android devices
(
http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavas...).
There's no JS in Keycloak login forms or account management, it's all just
plain-old html. Maybe it's possible to disable JS in the webviews which would
eliminate this exploit?
We can go with Webview and improve later.
Thanks a lot.
On 2014-10-01, Stian Thorgersen wrote:
> I agree that a non-webview approach may have benefits. However, there's a
> lot of functionality that would have to be reproduced for all platforms.
> Alternatively, we could support a limited set of functionality without a
> webview, and if anything else is required use a webview, or even pop up
> the browser.
>
> On Android, Google uses a webview if you have Google Authenticator enabled.
>
> For a complete experience the following is currently required:
>
> * Login (username/password)
> - Social logins (configurable through realm)
> - Recover password link
> - Registration link
> - Remember me option
> * Multi-factor authenticating (soon we'll support pluggable auth
> mechanisms)
> * Registration page (fields will be configurable in the future)
> * Required actions (update profile, reset password, verify email, configure
> totp)
>
> Then there's also single-sign on/out to consider.
>
> All of the above can be done in a native way already by just doing the same
> HTTP posts as the login forms does. However, even a basic login would be
> tricky to do due to multi-factor authentication.
>
> ----- Original Message -----
> > From: "Bruno Oliveira" <bruno(a)abstractj.org>
> > To: "Summers Pittman" <supittma(a)redhat.com>
> > Cc: keycloak-dev(a)lists.jboss.org
> > Sent: Wednesday, 1 October, 2014 1:06:13 AM
> > Subject: Re: [keycloak-dev] Ok to have no direct links to...
> >
> > Back from vacations, I think would be nice if it doesn't exist already
> > endpoints like Corinne mentioned.
> >
> > Webviews from the security side of the things are a bad idea for mobile
> > apps.
> > I wouldn't like
> > to use that if possible.
> >
> > On 2014-09-30, Summers Pittman wrote:
> > > On 9/30/2014 9:31 AM, Bill Burke wrote:
> > > >
> > > > On 9/30/2014 9:28 AM, Corinne Krych wrote:
> > > >> On 26 Sep 2014, at 17:27, Bill Burke <bburke(a)redhat.com>
wrote:
> > > >>
> > > >>> I need some input.
> > > >>>
> > > >>> It is ok for, registration page and social link buttons to
only be
> > > >>> linkable from within a Keycloak login page?
> > > >>>
> > > >> When you say keyclaok login page, does it have to ba web-based
page?
> > > >>
> > > >> What about mobile native app?
> > > >> It would be nice to have the option for an iOS mobile app to add
> > > >> “MykeycloakServername login” customizable button from the native
app
> > > >> sdk.
> > > >> Like google+plus btutton for example:
> > > >>
https://developers.google.com/+/mobile/ios/sign-in
> > > >>
> > > > Somebody on the Aerogear project implemented something like this for
> > > > Android. They may be doing the same for iOS too.
> > > I have no plans on doing things for iOS. The Android Authenticator just
> > > displays a webview of the login page and detects when then
"code"
> > > parameter is in the response URI.
> > > >
> > > > Bill
> > > >
> > >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914