Let's see if I can manage to explain this properly.
The flow is:
1. Application redirects to '../auth/request/login'
   1.1. If user is not logged in to realm display login form
   1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already have grants display oauth grant page
2. If successful redirect to application with authorization code
3. Application retrieves access token from '../access/codes'
With the current flow there is no way for an application to check if a user is already
logged-in to the realm (+ grants given). So the only options would be to either:
* Redirect to '../auth/request/login' when application is first loaded - which would display login form or oauth grant form if required
* Require user to click on a login link to log in first
If you simply add an option to '../auth/request/login' it will allow the
application to obtain an authorization code without requiring any input from the user.
This is only possible if the user is logged in to the realm and the user has already
granted the application permissions (or it's a KEYCLOAK_APPLICATION). The application
still needs to do step 3 just as it would at the moment.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 22 October, 2013 4:01:39 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
So how are you obtaining/managing user credentials? Through the
application's pages? Or through Keycloak auth-server pages?
In my opinion applications should always use the login forms on Keycloak, and it would be
seen as bad practice of making the user provide username/password directly to the
application.
You need an access token. Otherwise you can't access any remote REST
services.
Yes of course, this is just a mechanism to obtain an authorization code without user input
(if possible)
On 10/22/2013 10:21 AM, Stian Thorgersen wrote:
> To retrieve an access code an application is required to redirect the user
> to the login page. If the user is already logged-in to the realm the user
> is just redirected back to the application. If the user is not already
> logged-in the login form is displayed.
>
> This means that if an application tries to automatically login users when
> they open the application it will require the user to fill in the login
> form if the user is not logged in.
>
> What's needed is a way for the application to find out if the user is
> already logged in to the realm. If it is the user can be automatically
> logged-in. This is what I achieved by adding the 'noforms' query parameter
> to the 'auth/request/login'.
>
> This mechanism would be especially convenient for HTML5 applications as it
> would allow users to be "re-loggedin" without having to store
> authorization tokens (or even worse refresh tokens) on the client side. On
> a page refresh you'd simply just call the "can I get an access code
> without user input" endpoint to retrieve one.
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 22 October, 2013 3:05:25 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>
>> I don't know what you mean. Single sign on is the first thing that was
>> implemented for Keycloak and should work. What you describe should
>> *already* exist in the codebase.
>>
>> On 10/22/2013 9:11 AM, Stian Thorgersen wrote:
>>> Currently there's no mechanism for an application to automatically login a
>>> user that is already logged in to the realm.
>>>
>>> I've added a proposal to https://github.com/stianst/keycloak/tree/auto-sso.
>>> It's a simple approach where all it does is to add an optional 'noforms'
>>> query parameter to 'auth/request/login'. If noforms is specified a code is
>>> returned only if the user is already logged in to the realm + grants are
>>> already given (as grants are not saved currently that will never be the
>>> case). Otherwise it will return error=access_denied.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
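The flow discussed in this thread (the optional 'noforms' parameter on 'auth/request/login', the realm-session and grant/KEYCLOAK_APPLICATION checks, the error=access_denied redirect, and the code exchange at '../access/codes'), modelled as an added Python example. This is not Keycloak's code and not taken from the auto-sso branch: the names Realm, Response, login_request, exchange_code, silent_login and make_demo_realm, the in-memory session/grant/code stores and the redirect_uri values are assumptions made for the example.

```python
"""Model of the 'noforms' silent-login flow discussed in the thread.

Added example; not Keycloak's code. Realm, Response, login_request,
exchange_code and silent_login are names invented here, and the in-memory
dicts stand in for the auth server's session, grant and code state.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_APPLICATION = "KEYCLOAK_APPLICATION"  # app type that skips the grant page


@dataclass
class Realm:
    sessions: Dict[str, str]                 # realm SSO session id -> username
    grants: Set[Tuple[str, str]]             # (username, client_id) already consented
    applications: Dict[str, Dict[str, str]]  # client_id -> {"type", "redirect_uri"}
    codes: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # code -> (user, client)


@dataclass
class Response:
    action: str                      # "login_form", "grant_page" or "redirect"
    location: Optional[str] = None   # only set for "redirect"


def _redirect(app: Dict[str, str], **params: str) -> Response:
    return Response("redirect", app["redirect_uri"] + "?" + urlencode(params))


def login_request(realm: Realm, client_id: str, session_id: Optional[str],
                  noforms: bool = False) -> Response:
    """'auth/request/login': steps 1, 1.1, 1.2 and 2 of the flow.

    With noforms=True the server never renders a form: anything that would
    need user input becomes a redirect carrying error=access_denied. The same
    error covers "no realm session" and "no grant yet", so the caller learns
    only that no silent code is available.
    """
    app = realm.applications[client_id]  # unknown client -> KeyError (out of scope here)
    user = realm.sessions.get(session_id) if session_id else None
    if user is None:  # 1.1: not logged in to the realm
        return _redirect(app, error="access_denied") if noforms else Response("login_form")
    granted = app["type"] == KEYCLOAK_APPLICATION or (user, client_id) in realm.grants
    if not granted:  # 1.2: consent still required
        return _redirect(app, error="access_denied") if noforms else Response("grant_page")
    code = secrets.token_urlsafe(32)  # step 2: fresh one-time authorization code
    realm.codes[code] = (user, client_id)
    return _redirect(app, code=code)


def exchange_code(realm: Realm, client_id: str, code: str) -> Optional[Dict[str, str]]:
    """'../access/codes' (step 3): the code is single-use and bound to the client.

    The code is removed before the client check, so a code presented by the
    wrong client is burned rather than left usable.
    """
    entry = realm.codes.pop(code, None)
    if entry is None or entry[1] != client_id:
        return None
    return {"user": entry[0], "access_token": secrets.token_urlsafe(32)}


def silent_login(realm: Realm, client_id: str,
                 session_id: Optional[str]) -> Optional[Dict[str, str]]:
    """What an HTML5 app would do on page refresh instead of storing tokens."""
    resp = login_request(realm, client_id, session_id, noforms=True)
    assert resp.action == "redirect"  # noforms guarantees no form is shown
    params = parse_qs(urlparse(resp.location).query)
    if "code" not in params:  # error=access_denied: fall back to interactive login
        return None
    return exchange_code(realm, client_id, params["code"][0])


def make_demo_realm() -> Realm:
    """Constructed sample state: one logged-in user, one consented app."""
    return Realm(
        sessions={"sess-alice": "alice"},
        grants={("alice", "webapp")},
        applications={
            "webapp": {"type": "APPLICATION", "redirect_uri": "https://app.example/cb"},
            "newapp": {"type": "APPLICATION", "redirect_uri": "https://new.example/cb"},
            "admin": {"type": KEYCLOAK_APPLICATION, "redirect_uri": "https://admin.example/cb"},
        },
    )


if __name__ == "__main__":
    realm = make_demo_realm()
    print(silent_login(realm, "webapp", "sess-alice"))   # token for alice
    print(silent_login(realm, "webapp", None))           # None: no realm session
    print(silent_login(realm, "newapp", "sess-alice"))   # None: grant not yet given
    print(login_request(realm, "newapp", "sess-alice"))  # grant_page without noforms
```

The point the model makes concrete is the one the thread relies on: with noforms the endpoint always answers with a redirect, so a page-refresh probe can never strand the user on a form, and the application still has to perform step 3 to turn the code into a token.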