8:45 p.m.
Thoughts on some possible ways to handle mobile aspects with Keycloak.
Its just a very brief outline of some of the options to get a
conversation started. I tried to brief as possible, but the email is
still a bit long :/
Mobile web app
Works similar to how any normal web app would work with keycloak. Only
changes really needed would be to make sure the login pages and such are
designed to work properly on varying sizes of touchscreens.
Native Mobile App Approaches
1)Native mobile app accessing keycloak through a custom webview.
Its possible for a native application to create a webview and load the
web components of keycloak through this. Requires some changes to
keycloak to return the token to the application since using a normal
redirect url isn't feasible.
For social login there are a lot of problems with this approach. Its a
custom webview, so the user will always have to enter their credentials
(which defeats the point of social login as being easy). Its also a huge
trust issues since a custom webview can easily steal credentials or
spoof the content. Facebook will be blocking logins using webviews this
fall due to the security concerns and will require using their sdk
instead, other social networks may soon follow.
2)Native mobile app accessing a native keycloak service.
A native keycloak service could be created to be run on the mobile
device which would handle account registration and login. The idea here
is that the native keycloak component would be in contact with the
keycloak server and would be managed there. This component would also
register itself as an account authenticator so that other apps can use
keycloak for authentication (in the same manner as apps do now for other
social logins).
It would use the native social sdk or system account management system
to perform social login. Once a social token is retrieve in the native
keycloak component it would be sent to the keycloak server for
verification and return a keycloak token.
Note: just to be clear, the keycloak mobile component would not be
keycloak re-written on a mobile device. Most of what happens will still
be done on the server side and it would be managed from the server's
admin console.
Thoughts on the native app approaches:
1 is a non-optimal user experience with some trust/security issues, and
already is going to be blocked by some social providers. But it requires
the least amount of native code and most things still remain on the
server side.
2 requires a lot more native code to be written and requires a lot more
changes to keycloak on the server side. But it provides a much nicer
user experience and would act the same way as current authentication
providers do to applications. There is also less issues with social
providers blocking access since we would be using the approved and
recommended methods.
Any thoughts on this? I am still catching up on keycloak so some of my
assumptions may be a bit off in a few areas.
- Matt Wringe