From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 24 October, 2013 2:52:59 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
Yeah, I saw amazon example. I think your amazon example is different
because they don't have to worry about single sign on.
Amazon has SSO with LoveFilm! Are you really still claiming that the use-case I have where
an application wants to do single-sign-on and have pages that adapt to whether or not a
user is logged in (instead of simply showing a login form) is not something people are
going to want to do? That's certainly how I would like my web apps to work if I was
writing them.
The current keycloak application adapter builds on top of servlet
security and only requires a valve and the keycloak configuration file
and it just works. The style you are talking about would have to bypass
servlet security entirely and require custom application code to work.
This is why I don't think it should be promoted as a preferred solution.
No it doesn't. The front-page for an application could have the following JSP code:
<%
if (request.getUserPrincipal() != null) {
%>
<h2>Hello <%= request.getUserPrincipal().getName() %></h2>
<% } else { %>
<h2>Click here to <a href="...">login</a></h2>
<% } %>
<ul class="menu">
<li><a href="public/index.html">Some public page</a></li>
<%
if (request.getUserPrincipal() != null) {
%>
<li><a href="private/index.html">Some restricted page</a></li>
<%
}
%>
</ul>
When opening the front-page the prompt=none would be used to login a user if the user is
already logged in to the realm. If the user visits 'private/index.html' first,
then it should result in the login form if the user is not already logged in, so in this
case prompt=none wouldn't be used.
The preferred solution should be a server-side driven authentication
with private client credentials for both javascript and old-school apps.
For Servlet environments, the constraints of servlet security should
be used to keep setup simple.
On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
> Yes it goes through accounts.google.com. Google often have different
> regional behaviour though.
>
> Did you see the amazon example I wrote before? Did the same mistake of
> replying twice again :/
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 24 October, 2013 1:56:29 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when
>> logged into realm
>>
>> Weird. Firefox 24 and IE 10 on Windows for me works the way I
>> described. What do the logged HTTP requests look like? Does it go
>> through accounts.google.com?
>>
>> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
>>> By the way that's not how gmail.com works for me. I just tried to open
>>> gmail.com in an incognito window and was redirected to
>>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
>>> form.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>> logged into realm
>>>>
>>>> Not to drag this on, but take a look at how google does it.
>>>>
>>>> If you are not logged in, and you go to gmail.com, you are redirected
>>>> immediately to accounts.google.com and you must log in there. After you
>>>> login you are redirected back to gmail.com.
>>>>
>>>> If you leave gmail.com and visit another website, then come back to
>>>> gmail.com, it does an immediate redirect to accounts.google.com which
>>>> then immediately redirects you back to gmail.
>>>>
>>>> So, I feel better. I'm not so old school... :). Google works pretty
>>>> much the same way the keycloak demo works. There is one difference
>>>> though that I'm not sure if we should follow: I'm guessing that to
>>>> implement single sign off, Google will always redirect to
>>>> accounts.google.com to check to see if you're logged in when you visit a
>>>> google page.
>>>>
>>>>
>>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>>>>> No worries, it's one of those things that happens with trying to
>>>>> explain something over email/IRC.
>>>>>
>>>>> I think it should be an optional feature supported by all adapters. For
>>>>> the AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request is
>>>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
>>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>>>>
>>>>
>>>> I don't think this approach can work very well in old-school web apps,
>>>> if at all. For pure Servlet apps you're either accessing a secure area
>>>> or you're not. A URL can't be both secure and unsecure at the same
>>>> time. Plus, if you have any kind of latency, a full browser redirect
>>>> just to check if you're logged in with the auth-server is going to be
>>>> pretty ugly.
>>>>
>>>> The application adapter *DOES* still need an amILoggedIn REST call. By
>>>> default it should just return:
>>>>
>>>> {
>>>> "loggedIn" : true,
>>>> "user" : "wburke"
>>>> }
>>>>
>>>> If you set a flag in resteasy-oauth.json, it will also contain the
>>>> access token
>>>>
>>>> {
>>>> "loggedIn" : true,
>>>> "user" : "wburke",
>>>> "token" : "asdfasdfasdfqwerqwer"
>>>> }
>>>>
>>>> amILoggedIn would be authenticated by a http-only cookie.
>>>>
>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>>>> logged into realm
>>>>>>
>>>>>> I guess I see what you mean. You want to be able to show
>>>>>> login/register links on the *application's* page and not just redirect
>>>>>> immediately to the keycloak screens when you first visit the page. I
>>>>>> guess I'm thinking too old school Java EE app that would automatically
>>>>>> bring you to the login screen if you access secured content. I feel
>>>>>> like a dinosaur sometimes. Too bad I still have 20 years until I
>>>>>> retire.
>>>>>>
>>>>>> Apologies for wasting your time.
>>>>>>
>>>>>> Gonna have to figure out how to support this scenario for a traditional
>>>>>> web app too.
>>>>>>
>>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>>>>> Yes I read your response and yes I have played with your demo.
>>>>>>>
>>>>>>> Let's then revisit this with the demo in mind, and you can tell me where
>>>>>>> I'm mistaken.
>>>>>>>
>>>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
>>>>>>> require the admin role and '/customers/*' requires the user role. If I
>>>>>>> click on a link taking me to any of these pages the adapter redirects me
>>>>>>> to the auth-server. In this case it works, as if I try to visit a private
>>>>>>> url I should be presented with a login form if I'm not already logged in.
>>>>>>> So there's no problem that the adapter automatically redirects me to the
>>>>>>> auth-server.
>>>>>>>
>>>>>>> Now, imagine that this is a real application. Where the front-page would,
>>>>>>> if the user is not logged in, show "Login" and "Register" links, and would
>>>>>>> not show links to pages that an anonymous user is not allowed to access
>>>>>>> (for example 'Customer Listing'). If a user is logged in the application
>>>>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
>>>>>>> welcome back' and would include links to pages that particular user is
>>>>>>> allowed to access (for example if the current user had the role user, but
>>>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin Interface'
>>>>>>> link, would be displayed).
>>>>>>>
>>>>>>> How would I be able to implement that behaviour with the current way
>>>>>>> Keycloak works?
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>>>>>> logged into realm
>>>>>>>>
>>>>>>>> Did you even read my response? I completely mapped out the entire flow
>>>>>>>> of how it works *now* in our demo and how it could work with a pure
>>>>>>>> HTML5 app. Go play with the demo to understand things better maybe?
>>>>>>>>
>>>>>>>> You talked about this before:
>>>>>>>> > A company has an internal Keycloak server, they have a single realm
>>>>>>>> > with multiple internal applications. All applications are hosted on
>>>>>>>> > different servers. Let's imagine this company is called Red Hat. The
>>>>>>>> > user, let's call him Stian, first goes to the OrangeHRM to book some
>>>>>>>> > long overdue holiday. He's not currently logged in to the realm so is
>>>>>>>> > shown an anonymous access screen instead with a login link. Stian
>>>>>>>> > presses login, fills in username and password and successfully logs in
>>>>>>>> > to the realm. Now Stian wants to go to docspace, again Stian has to
>>>>>>>> > press the Login link, but doesn't have to provide a username or
>>>>>>>> > password, but instead is simply redirected back to the application as a
>>>>>>>> > logged in user. Stian is actually a bit confused about this as he just
>>>>>>>> > logged in to an application without providing a username or password.
>>>>>>>>
>>>>>>>>
>>>>>>>> What you describe is not how our demo works nor will it ever work that
>>>>>>>> way. You log in once to the auth server, any app you visit knows who
>>>>>>>> you are. There's no need to click a "login" button when you visit a new
>>>>>>>> site. HTML5 app would work exactly the same way as any of the WARs in
>>>>>>>> the Keycloak demo code except all the redirect and cookie processing
>>>>>>>> would happen within Javascript within the browser. There's just no need
>>>>>>>> for your extra "no-forms" invocation! The login check is already built
>>>>>>>> into the protocol.
>>>>>>>>
>>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>
>>>>>>>> http://bill.burkecentral.com
>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>>
>>>>>> http://bill.burkecentral.com
>>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>>
>>>> http://bill.burkecentral.com
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>>
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
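One way the optional 'auto-login' redirect discussed in this thread could be wired into a plain servlet app without bypassing servlet security, as an added illustration that is not Keycloak's adapter code and not code from either poster. The filter is mapped to the application's public pages; on the first anonymous GET in a browser session it redirects once to the auth server with prompt=none, then marks the session so every later request (including the one returning from the auth server) passes straight through. That single probe per session is what keeps the latency cost bounded and prevents a redirect loop when the user is not logged in to the realm. The class name, the session attribute name, the init-params auth-url and client-id, and the assumption that the callback carries an OAuth-style code parameter are all mine; the code exchange, state validation and principal setup on the way back are left to the existing adapter valve, which this filter deliberately does not replace.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical "auto-login" filter (added illustration, not Keycloak code).
 *
 * Map it to the unsecured pages only. Secured pages keep their ordinary
 * servlet security constraints, so the adapter valve still produces the
 * login form there exactly as it does today.
 */
public class AutoLoginFilter implements Filter {

    /** Assumed session attribute recording that this session was probed once. */
    static final String PROBED_ATTR = "autologin.probed";

    /** Assumed OAuth-style callback parameter; its presence means the auth server is answering us. */
    static final String CALLBACK_PARAM = "code";

    private String authUrl;   // assumed init-param, e.g. https://auth.example.com/auth/login
    private String clientId;  // assumed init-param

    public void init(FilterConfig cfg) throws ServletException {
        authUrl = cfg.getInitParameter("auth-url");
        clientId = cfg.getInitParameter("client-id");
        if (authUrl == null || clientId == null) {
            throw new ServletException("auth-url and client-id init-params are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (shouldProbe(request)) {
            // Mark the session before redirecting so the returning request,
            // and every request after it, is never redirected again.
            request.getSession(true).setAttribute(PROBED_ATTR, Boolean.TRUE);
            response.sendRedirect(buildProbeUrl(request));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Probe only for a plain anonymous GET that is not already an auth-server
     * callback, and only once per session. Everything else flows through.
     */
    static boolean shouldProbe(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) return false;
        if (request.getUserPrincipal() != null) return false;          // already logged in
        if (request.getParameter(CALLBACK_PARAM) != null) return false; // auth server is calling back
        HttpSession session = request.getSession(false);
        return session == null || session.getAttribute(PROBED_ATTR) == null;
    }

    /** Build auth-url?client_id=...&redirect_uri=<this page>&prompt=none. */
    String buildProbeUrl(HttpServletRequest request) throws IOException {
        StringBuffer redirect = request.getRequestURL();
        if (request.getQueryString() != null) {
            redirect.append('?').append(request.getQueryString());
        }
        return authUrl
            + "?client_id=" + URLEncoder.encode(clientId, "UTF-8")
            + "&redirect_uri=" + URLEncoder.encode(redirect.toString(), "UTF-8")
            + "&prompt=none";
    }

    public void destroy() {
        // nothing to release
    }
}
```

The redirect_uri is taken from the current request so the user lands back on the page they asked for; in a real deployment the adapter should still compare it against the application's registered redirect URIs on the server side, and the probe URL would carry the adapter's own state value rather than being assembled by hand as it is here.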