I have been able to sign into KeyCloak without writing a broker service and
using the external/internal key exchange, Google's OpenID endpoints, and
the Google Android SDK.
Basically just follow the docs here :
to setup the server.
There are a couple caveats I discovered to making it work with Google.
First you have to create a generic OpenID Connect IdP configuration in
Keycloak instead of using the Google one. With the exception of Google's
Client ID and secret you can prefill all of the values using Google's well
known file (https://accounts.google.com/.well-known/openid-configuration
Secondly I disabled the userInfo endpoint because Google needs a Auth token
that is not the ID Token they send you which is used in the KeyCloak key
You can checkout my quick and dirty Android code here :
(Warning, there may be code gore).
I haven't tested it with non Google IdPs, but I would imagine most OpenID
Connect services will work as well. This isn't quite your use case, but I
hope it gets you closer.
On Fri, Dec 1, 2017 at 2:38 PM, Summers Pittman <supittma(a)redhat.com> wrote:
On Fri, Dec 1, 2017 at 7:19 AM, Wojciech Trocki <wtrocki(a)redhat.com>
> will help mobile developers (cordova, react native) to integrate with
> The main idea will be to mimic other solutions that allow to login to the
> auth server using single method (instead of redirecting to the login page)
> For example:
> *authbase.auth().signInWithEmailAndPassword(email, password).then(...);*
> IOS, but mounting login page in webview and styling login page, may be
> barrier for the developers starting with keycloak.
> 1) Is possible to use keycloak without redirect to keycloak login page?
> 2) Do you have any suggestions for areas were mobile experience can be
around in my head what it would take to make a broker that you can log in
to. A broker would basically act as a ghetto IdP and sock puppet account
mgmt in KeyCloak. That is a lot more work than just opening a web browser.
See my post here for a better version of that idea :
Alternatively many systems have native token management that you might be
able to hook into as well. It doesn't negate the need to go to the system
browser, but if you are using the same account in multiple apps it could
give you a way to share a session without having each app log in separately.
However, the system browsers are starting to get smarter about their role
in modern authentication so you might be able to leverage them as well.
IIRC Chrome on Android treats the Google account special and I am sure you
can find something similar with safari on iOS.
> This topic was raised before on both dev and users lists before, but
> without definitive answer
> I'm looking for any information that may be helpful.
>  http://lists.jboss.org/pipermail/keycloak-user/2016-Nove
> WOJCIECH TROCKI
> Red Hat Mobile <https://www.redhat.com/>
> IM: wtrocki