Hi Stian, that's cool if it's planned for the further releases.
The major concern here is about a vulnerability which can be exploited on
Android < 4.2 — most of Android devices.
We can go with Webview and improve later.
Thanks a lot.
On 2014-10-01, Stian Thorgersen wrote:
I agree that a non-webview approach may have benefits. However,
there's a lot of functionality that would have to be reproduced for all platforms.
Alternatively, we could support a limited set of functionality without a webview, and if
anything else is required use a webview, or even pop up the browser.
On Android, Google uses a webview if you have Google Authenticator enabled.
For a complete experience the following is currently required:
* Login (username/password)
  - Social logins (configurable through realm)
  - Recover password link
  - Registration link
  - Remember me option
* Multi-factor authenticating (soon we'll support pluggable auth mechanisms)
* Registration page (fields will be configurable in the future)
* Required actions (update profile, reset password, verify email, configure totp)
Then there's also single-sign on/out to consider.
All of the above can be done in a native way already by just doing the same HTTP posts as
the login forms do. However, even a basic login would be tricky to do due to
multi-factor authentication.
----- Original Message -----
> From: "Bruno Oliveira" <bruno(a)abstractj.org>
> To: "Summers Pittman" <supittma(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 1 October, 2014 1:06:13 AM
> Subject: Re: [keycloak-dev] Ok to have no direct links to...
>
> Back from vacation, I think it would be nice to have endpoints like Corinne
> mentioned, if they don't exist already.
>
> Webviews from the security side of things are a bad idea for mobile apps.
> I wouldn't like to use that if possible.
>
> On 2014-09-30, Summers Pittman wrote:
> > On 9/30/2014 9:31 AM, Bill Burke wrote:
> > >
> > > On 9/30/2014 9:28 AM, Corinne Krych wrote:
> > >> On 26 Sep 2014, at 17:27, Bill Burke <bburke(a)redhat.com> wrote:
> > >>
> > >>> I need some input.
> > >>>
> > >>> Is it ok for the registration page and social link buttons to only be
> > >>> linkable from within a Keycloak login page?
> > >>>
> > >> When you say Keycloak login page, does it have to be a web-based page?
> > >>
> > >> What about mobile native app?
> > >> It would be nice to have the option for an iOS mobile app to add
> > >> “MykeycloakServername login” customizable button from the native app
> > >> sdk.
> > >> Like google+plus button for example:
> > >>
> > >> https://developers.google.com/+/mobile/ios/sign-in
> > >>
> > > Somebody on the Aerogear project implemented something like this for
> > > Android. They may be doing the same for iOS too.
> > I have no plans on doing things for iOS. The Android Authenticator just
> > displays a webview of the login page and detects when the "code"
> > parameter is in the response URI.
> > >
> > > Bill
> > >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
>
> abstractj
> PGP: 0x84DC9914