11:46 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 22 October, 2013 5:16:42 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into
realm
Ok, makes sense.
I think this should be configurable and supported by all adaptors
Since this keycloak.js approach requires public client/application
credentials we're going to have to review the attack vectors and code in
fixes or recommendations as appropriate.
keycloak.js could support both approaches. However, it would require access to:
* Username
* User profile
* Roles
* ...
With a pure HttpOnly cookie nothing is available unless users themselves provide endpoints
to retrieve this.
I also still think the current server-side approach is far superior for
browser apps and should be the recommended approach. As it is, you
can't get around having server-side adapters, as they must at least be
set up to handle bearer token authentication for secure REST invocations.
I agree cookie with HttpOnly is the best approach. However, I think there's situations
where public credentials is the only option, for example:
* Client-side web apps that consumes REST endpoints from multiple servers
* Native mobile
* Desktop
* Devices (printers, game consoles, etc.)
As MBaaS needs to support both client-side web apps and native mobile apps the same
approach could be used for both. If native mobile apps requires public credentials, that
has to be done securely.
On 10/22/2013 11:47 AM, Stian Thorgersen wrote:
> Right,
>
> Imagine this scenario:
>
> An application (this can be a JSF or JS, or whatever) has a menu-bar that
> has options that should only be shown to certain users, it also displays
> the username of the logged-in user. A user that is not logged in to the
> SSO realm visits the application. The user then clicks on Login and is
> redirected to the login form on the Keycloak server. The user logs in and
> is redirected back to the application and can now see additional entries
> in the menu.
>
> Later another user that is already logged in to the SSO realm visits the
> same application. The application can't automatically log this user in, as
> that would require automatically redirecting the user to the login form on
> the Keycloak server. This would be fine for this user as the user is
> already logged-in. However, that would break the previous case where a
> user visited the application without being logged in to the SSO realm.
>
> Now, if there was an option to retrieve an access code (the proposal I've
> commited) without showing the login form you could solve both cases. The
> application can automatically log the user in to the application if
> already logged in to the SSO realm, and wouldn't end up showing the login
> form if the user was not logged in (instead the user would be redirected
> back to the application without being logged in, and able to click on
> Login when he/she chooses to).
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 22 October, 2013 4:35:51 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when
>> logged into realm
>>
>>
>> On 10/22/2013 11:22 AM, Stian Thorgersen wrote:
>>> Let's see if I can manage to explain this properly.
>>>
>>> The flow is:
>>>
>>> 1. Application redirects to '../auth/request/login'
>>> 1.1. If user is not logged in to realm display login form
>>> 1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already
>>> have
>>> grants display oauth grant page
>>> 2. If successful redirect to application with authorization code
>>> 3. Application retrieves access token from '../access/codes'
>>>
>>> With the current flow there is no way for an application to check if a
>>> user
>>> is already logged-in to the realm (+ grants given). So the only options
>>> would be to either:
>>>
>>
>> I don't get why the application needs to check if the user is already
>> logged in. Just start the oauth flow by redirecting to the auth-server.
>> If the user is already logged in, then, keycloak *already* will create
>> an access code and redirect back to the redirect URL immediately.
>
>
>
>>
>> I do not think you approach is correct at the moment.. IMO, what you
>> have to do is create a Javascript Application Adapter that can run in
>> the browser. It would work exactly like the JBoss Application adapter
>> except it would run within the browser.
>>
>> ALl in all, IMO, you're still better off doing this flow on the server
>> side like the examples do. It is more secure as it doesn't require
>> public client/application credentials.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com