Re: [keycloak-dev] Automatically login user to application when logged into realm
To retrieve an access code an application is required to redirect the user to the login
page. If the user is already logged-in to the realm the user is just redirected back to
the application. If the user is not already logged-in the login form is displayed.
This means that if an application tries to automatically login users when they open the
application it will require the user to fill in the login form if the user is not logged
in.
What's needed is a way for the application to find out if the user is already logged
in to the realm. If it is the user can be automatically logged-in. This is what I achieved
by adding the 'noforms' query parameter to the 'auth/request/login'.
This mechanism would be especially convenient for HTML5 applications as it would allow
users to be "re-loggedin" without having to store authorization tokens (or even
worse refresh tokens) on the client side. On a page refresh you'd simply just call the
"can I get an access code without user input" endpoint to retrieve one.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 22 October, 2013 3:05:25 PM
Subject: Re: [keycloak-dev] Automatically login user to application when logged into
realm
I don't know what you mean. Single sign on is the first thing that was
implemented for Keycloak and should work. What you describe should
*already* exist in the codebase.
On 10/22/2013 9:11 AM, Stian Thorgersen wrote:
> Currently there's no mechanism for an application to automatically login a
> user that is already logged in to the realm.
>
> I've added a proposal to https://github.com/stianst/keycloak/tree/auto-sso.
> It's a simple approach where all it does is to add an optional
'noforms'
> query parameter to 'auth/request/login'. If noforms is specified a code is
> returned only if the user is already logged in to the realm + grants are
> already given (as grants are not saved currently that will never be the
> case). Otherwise it will return error=access_denied.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev