Re: [keycloak-dev] Ok to have no direct links to...

From: "Bruno Oliveira" <bruno(a)abstractj.org&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: "Summers Pittman" <supittma(a)redhat.com&gt;, keycloak-dev(a)lists.jboss.org Sent: Wednesday, 1 October, 2014 9:37:59 AM Subject: Re: [keycloak-dev] Ok to have no direct links to... Hi Stian, that's cool if it's planned for the further releases.

The major concern here is about a vulnerability which can be exploit on Android < 4.2 — most of Android devices (http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavas...).

We can go with Webview and improve later. Thanks a lot. On 2014-10-01, Stian Thorgersen wrote: > I agree that a non-webview approach may have benefits. However, there's a > lot of functionality that would have to be reproduced for all platforms. > Alternatively, we could support a limited set of functionality without a > webview, and if anything else is required use a webview, or even pop up > the browser. > > On Android, Google uses a webview if you have Google Authenticator enabled. > > For a complete experience the following is currently required: > > * Login (username/password) > - Social logins (configurable through realm) > - Recover password link > - Registration link > - Remember me option > * Multi-factor authenticating (soon we'll support pluggable auth > mechanisms) > * Registration page (fields will be configurable in the future) > * Required actions (update profile, reset password, verify email, configure > totp) > > Then there's also single-sign on/out to consider. > > All of the above can be done in a native way already by just doing the same > HTTP posts as the login forms does. However, even a basic login would be > tricky to do due to multi-factor authentication. > > ----- Original Message ----- > > From: "Bruno Oliveira" <bruno(a)abstractj.org&gt; > > To: "Summers Pittman" <supittma(a)redhat.com&gt; > > Cc: keycloak-dev(a)lists.jboss.org > > Sent: Wednesday, 1 October, 2014 1:06:13 AM > > Subject: Re: [keycloak-dev] Ok to have no direct links to... > > > > Back from vacations, I think would be nice if it doesn't exist already > > endpoints like Corinne mentioned. > > > > Webviews from the security side of the things are a bad idea for mobile > > apps. > > I wouldn't like > > to use that if possible. > > > > On 2014-09-30, Summers Pittman wrote: > > > On 9/30/2014 9:31 AM, Bill Burke wrote: > > > > > > > > On 9/30/2014 9:28 AM, Corinne Krych wrote: > > > >> On 26 Sep 2014, at 17:27, Bill Burke <bburke(a)redhat.com&gt; wrote: > > > >> > > > >>> I need some input. > > > >>> > > > >>> It is ok for, registration page and social link buttons to only be > > > >>> linkable from within a Keycloak login page? > > > >>> > > > >> When you say keyclaok login page, does it have to ba web-based page? > > > >> > > > >> What about mobile native app? > > > >> It would be nice to have the option for an iOS mobile app to add > > > >> “MykeycloakServername login” customizable button from the native app > > > >> sdk. > > > >> Like google+plus btutton for example: > > > >> https://developers.google.com/+/mobile/ios/sign-in > > > >> > > > > Somebody on the Aerogear project implemented something like this for > > > > Android. They may be doing the same for iOS too. > > > I have no plans on doing things for iOS. The Android Authenticator just > > > displays a webview of the login page and detects when then "code" > > > parameter is in the response URI. > > > > > > > > Bill > > > > > > > > > > _______________________________________________ > > > keycloak-dev mailing list > > > keycloak-dev(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > -- > > > > abstractj > > PGP: 0x84DC9914 > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev -- abstractj PGP: 0x84DC9914