Currently there's no mechanism for an application to automatically login a user that is already logged in to the realm. I've added a proposal to https://github.com/stianst/keycloak/tree/auto-sso. It's a simple approach where all it does is to add an optional 'noforms' query parameter to 'auth/request/login'. If noforms is specified a code is returned only if the user is already logged in to the realm + grants are already given (as grants are not saved currently that will never be the case). Otherwise it will return error=access_denied. _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

To retrieve an access code an application is required to redirect the user to the login page. If the user is already logged-in to the realm the user is just redirected back to the application. If the user is not already logged-in the login form is displayed. This means that if an application tries to automatically login users when they open the application it will require the user to fill in the login form if the user is not logged in. What's needed is a way for the application to find out if the user is already logged in to the realm. If it is the user can be automatically logged-in. This is what I achieved by adding the 'noforms' query parameter to the 'auth/request/login'. This mechanism would be especially convenient for HTML5 applications as it would allow users to be "re-loggedin" without having to store authorization tokens (or even worse refresh tokens) on the client side. On a page refresh you'd simply just call the "can I get an access code without user input" endpoint to retrieve one. ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, 22 October, 2013 3:05:25 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > I don't know what you mean. Single sign on is the first thing that was > implemented for Keycloak and should work. What you describe should > *already* exist in the codebase. > > On 10/22/2013 9:11 AM, Stian Thorgersen wrote: >> Currently there's no mechanism for an application to automatically login a >> user that is already logged in to the realm. >> >> I've added a proposal to https://github.com/stianst/keycloak/tree/auto-sso. >> It's a simple approach where all it does is to add an optional 'noforms' >> query parameter to 'auth/request/login'. If noforms is specified a code is >> returned only if the user is already logged in to the realm + grants are >> already given (as grants are not saved currently that will never be the >> case). Otherwise it will return error=access_denied. >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

Let's see if I can manage to explain this properly. The flow is: 1. Application redirects to '../auth/request/login' 1.1. If user is not logged in to realm display login form 1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already have grants display oauth grant page 2. If successful redirect to application with authorization code 3. Application retrieves access token from '../access/codes' With the current flow there is no way for an application to check if a user is already logged-in to the realm (+ grants given). So the only options would be to either:

Right, Imagine this scenario: An application (this can be a JSF or JS, or whatever) has a menu-bar that has options that should only be shown to certain users, it also displays the username of the logged-in user. A user that is not logged in to the SSO realm visits the application. The user then clicks on Login and is redirected to the login form on the Keycloak server. The user logs in and is redirected back to the application and can now see additional entries in the menu. Later another user that is already logged in to the SSO realm visits the same application. The application can't automatically log this user in, as that would require automatically redirecting the user to the login form on the Keycloak server. This would be fine for this user as the user is already logged-in. However, that would break the previous case where a user visited the application without being logged in to the SSO realm. Now, if there was an option to retrieve an access code (the proposal I've commited) without showing the login form you could solve both cases. The application can automatically log the user in to the application if already logged in to the SSO realm, and wouldn't end up showing the login form if the user was not logged in (instead the user would be redirected back to the application without being logged in, and able to click on Login when he/she chooses to). ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, 22 October, 2013 4:35:51 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > > On 10/22/2013 11:22 AM, Stian Thorgersen wrote: >> Let's see if I can manage to explain this properly. >> >> The flow is: >> >> 1. Application redirects to '../auth/request/login' >> 1.1. If user is not logged in to realm display login form >> 1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already have >> grants display oauth grant page >> 2. If successful redirect to application with authorization code >> 3. Application retrieves access token from '../access/codes' >> >> With the current flow there is no way for an application to check if a user >> is already logged-in to the realm (+ grants given). So the only options >> would be to either: >> > > I don't get why the application needs to check if the user is already > logged in. Just start the oauth flow by redirecting to the auth-server. > If the user is already logged in, then, keycloak *already* will create > an access code and redirect back to the redirect URL immediately. > > I do not think you approach is correct at the moment.. IMO, what you > have to do is create a Javascript Application Adapter that can run in > the browser. It would work exactly like the JBoss Application adapter > except it would run within the browser. > > ALl in all, IMO, you're still better off doing this flow on the server > side like the examples do. It is more secure as it doesn't require > public client/application credentials. > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, 22 October, 2013 5:16:42 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > Ok, makes sense. I think this should be configurable and supported by all adaptors > > Since this keycloak.js approach requires public client/application > credentials we're going to have to review the attack vectors and code in > fixes or recommendations as appropriate. keycloak.js could support both approaches. However, it would require access to:

* Username * User profile * Roles * ... With a pure HttpOnly cookie nothing is available unless users themselves provide endpoints to retrieve this. > > I also still think the current server-side approach is far superior for > browser apps and should be the recommended approach. As it is, you > can't get around having server-side adapters, as they must at least be > set up to handle bearer token authentication for secure REST invocations. I agree cookie with HttpOnly is the best approach. However, I think there's situations where public credentials is the only option, for example:

* Client-side web apps that consumes REST endpoints from multiple servers

* Native mobile * Desktop * Devices (printers, game consoles, etc.) As MBaaS needs to support both client-side web apps and native mobile apps the same approach could be used for both. If native mobile apps requires public credentials, that has to be done securely.

> > On 10/22/2013 11:47 AM, Stian Thorgersen wrote: >> Right, >> >> Imagine this scenario: >> >> An application (this can be a JSF or JS, or whatever) has a menu-bar that >> has options that should only be shown to certain users, it also displays >> the username of the logged-in user. A user that is not logged in to the >> SSO realm visits the application. The user then clicks on Login and is >> redirected to the login form on the Keycloak server. The user logs in and >> is redirected back to the application and can now see additional entries >> in the menu. >> >> Later another user that is already logged in to the SSO realm visits the >> same application. The application can't automatically log this user in, as >> that would require automatically redirecting the user to the login form on >> the Keycloak server. This would be fine for this user as the user is >> already logged-in. However, that would break the previous case where a >> user visited the application without being logged in to the SSO realm. >> >> Now, if there was an option to retrieve an access code (the proposal I've >> commited) without showing the login form you could solve both cases. The >> application can automatically log the user in to the application if >> already logged in to the SSO realm, and wouldn't end up showing the login >> form if the user was not logged in (instead the user would be redirected >> back to the application without being logged in, and able to click on >> Login when he/she chooses to). >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Tuesday, 22 October, 2013 4:35:51 PM >>> Subject: Re: [keycloak-dev] Automatically login user to application when >>> logged into realm >>> >>> >>> On 10/22/2013 11:22 AM, Stian Thorgersen wrote: >>>> Let's see if I can manage to explain this properly. >>>> >>>> The flow is: >>>> >>>> 1. Application redirects to '../auth/request/login' >>>> 1.1. If user is not logged in to realm display login form >>>> 1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already >>>> have >>>> grants display oauth grant page >>>> 2. If successful redirect to application with authorization code >>>> 3. Application retrieves access token from '../access/codes' >>>> >>>> With the current flow there is no way for an application to check if a >>>> user >>>> is already logged-in to the realm (+ grants given). So the only options >>>> would be to either: >>>> >>> >>> I don't get why the application needs to check if the user is already >>> logged in. Just start the oauth flow by redirecting to the auth-server. >>> If the user is already logged in, then, keycloak *already* will create >>> an access code and redirect back to the redirect URL immediately. >> >> >> >>> >>> I do not think you approach is correct at the moment.. IMO, what you >>> have to do is create a Javascript Application Adapter that can run in >>> the browser. It would work exactly like the JBoss Application adapter >>> except it would run within the browser. >>> >>> ALl in all, IMO, you're still better off doing this flow on the server >>> side like the examples do. It is more secure as it doesn't require >>> public client/application credentials. >>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >

I don't see how that would work. The server-side adapter doesn't set a cookie until after the user has logged in (the cookie is also specific to the application). The only thing that knows if a user is logged in to the SSO realm is Keycloak itself. At the moment there's no way for an application (client or server side) to check this without ending up showing the login form if it isn't!

What you want to be able to do is to have users automatically logged in to applications (on different servers, with different application credentials) once a user has logged in to a single application. Either I've failed to explain the use-case properly, or there's something about what you're proposing I'm not understanding. Just to make sure I'm explaining the use-case properly, I'll try again: A company has an internal Keycloak server, they have a single realm with multiple internal applications. All applications are hosted on different servers. Let's imagine this company is called Red Hat. The user, let's call him Stian, first goes to the OrangeHRM to book some long overdue holiday. He's not currently logged in to the realm so is is shown an anonymous access screen instead with a login link. Stian presses login, fills in username and password and successfully logs in to the realm. Now Stian wants to go to docspace, again Stian has to press the Login link, but doesn't have to provide a username or password, but instead is simply redirected back to the application as a logged in user. Stian is actually a bit confused about this as he just logged in to an application without providing a username or password.

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Wednesday, 23 October, 2013 7:18:09 PM Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm Ignore HTML5 and JavaScript it has nothing to do with this issue! See comment inline: ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Wednesday, 23 October, 2013 7:06:20 PM > Subject: Re: [keycloak-dev] Automatically login user to application when > logged into realm > > > > On 10/23/2013 12:50 PM, Stian Thorgersen wrote: > > I don't see how that would work. The server-side adapter doesn't set a > > cookie until after the user has logged in (the cookie is also specific to > > the application). The only thing that knows if a user is logged in to the > > SSO realm is Keycloak itself. At the moment there's no way for an > > application (client or server side) to check this without ending up > > showing the login form if it isn't! > > > > You don't need to know if you are logged into the auth-server. You just > need to know if you are logged into the application. > > > What you want to be able to do is to have users automatically logged in > > to > > applications (on different servers, with different application > > credentials) once a user has logged in to a single application. > > > > Either I've failed to explain the use-case properly, or there's something > > about what you're proposing I'm not understanding. Just to make sure I'm > > explaining the use-case properly, I'll try again: > > > > A company has an internal Keycloak server, they have a single realm with > > multiple internal applications. All applications are hosted on different > > servers. Let's imagine this company is called Red Hat. The user, let's > > call him Stian, first goes to the OrangeHRM to book some long overdue > > holiday. He's not currently logged in to the realm so is is shown an > > anonymous access screen instead with a login link. Stian presses login, > > fills in username and password and successfully logs in to the realm. Now > > Stian wants to go to docspace, again Stian has to press the Login link, > > but doesn't have to provide a username or password, but instead is simply > > redirected back to the application as a logged in user. Stian is actually > > a bit confused about this as he just logged in to an application without > > providing a username or password. > > > > The demo currently works like this: > > 1. User access app1 > 2. User redirected to auth-server > 3. Auth-server logs in sets cookie for auth-server.com > 4. auth-server redirects back to app1 > 5. App1 gets access token > 6. App1 does role mappings stores in HttpSession > 7. App1 knows user is logged in because of HttpSession (standard Servlet > stuff) > 8. User visits app2 > 9. App2 redirects to auth-server This is where the problem lies. If the user is not logged in to the realm the login form will be displayed. So you can not automatically redirect the user to the auth-server! You would have to wait until the user clicks on the login link. This means if there's 10 apps the user has to click on login 10 times! > 10. auth-server sees auth-server.com domain login cookie, redirects back > to app2 > 11. user can access app2 right away without credentials. > 12. user goes back to app1. User is still logged in there because the > HttpSession is still valid > > Now add your HTML5 app. HTML5 will also need to maintain a "session". > I can do this via a session cookie for HTML5's domain > > 12. User visits HTML5, HTML5 looks for a session loggin cookie for > HTML5's domain. Doesn't find one, so it automatically redirects to > auth-server > 13. Auth-server sees user is already logged in, redirects back to HTML5 app > 14. HTML5 app gets access token, sets a session loggin cookie > 15. User goes back to App2. App2 knows user is logged in because of > App2 session cookie. > 16. user goes back to HTML5. HTML5 app knows user is logged in because > of session cookie > 15. HTML 5 app wants to logout and login as a different user > 16. Logout action dumps the HTML5-domain session cookie > 17. Logout action sends CORS HTTP request to auth-server to logout user > cross-domain. Auth-server invalidates auth-server session cookie on > response. > > HTML5 clients are allowed to set cookies. > > The HTML5 app would work exactly the same as servlet security except the > browser would handle all the authentication within javascript. There's > improvements we need to make with refresh tokens, but the core of the > protocol is there. > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Wednesday, 23 October, 2013 8:18:32 PM Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm Did you even read my response? I completely mapped out the entire flow of how it works *now* in our demo and how it could work with a pure HTML5 app. Go play with the demo to understand things better maybe? You talkd about this before: > A company has an internal Keycloak server, they have a single realm with multiple internal applications. All applications are hosted on different servers. Let's imagine this company is called Red Hat. The user, let's call him Stian, first goes to the OrangeHRM to book some long overdue holiday. He's not currently logged in to the realm so is is shown an anonymous access screen instead with a login link. Stian presses login, fills in username and password and successfully logs in to the realm. Now Stian wants to go to docspace, again Stian has to press the Login link, but doesn't have to provide a username or password, but instead is simply redirected back to the application as a logged in user. Stian is actually a bit confused about this as he just logged in to an application without providing a username or password. What you describe is not how our demo works nor will it ever work that way. You log in once to the auth server, any app you visit knows who you are. There's no need to click a "login" button when you visit a new site. HTML5 app would work exactly the same way as any of the WARs in the Keycloak demo code except all the redirect and cookie processing would happen within Javascript within the browser. There's just no need for your extra "no-forms" invocation! The login check is already built into the protocol. http://www.tizag.com/javascriptT/javascriptredirect.php -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Wednesday, 23 October, 2013 10:01:41 PM Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm I guess I see what you mean. You want to be able to show a login/register links on the *application's* page and not just redirect immediately to the keycloak screens when you first visit the page. I guess I'm thinking too old school Java EE app that would automatically bring you to the login screen if you access secured content. I feel like a dinosaur sometimes. Too bad I still have 20 year until I retire. Apologies for wasting your time. Gonna have to figure out how to support this scenario for a traditional web app too. On 10/23/2013 3:58 PM, Stian Thorgersen wrote: > Yes I read your response and yes I have played with your demo. > > Let's then revisit this with the demo in mind, and you can tell me where > I'm mistaken. > > I visit http://localhost:8080/customer-portal/. The urls '/admins/*' > require the admin role and '/customers/*' requires the user role. If I > click on a link taking me to any of these pages the adapter redirects me > to the auth-server. In this case it works, as if I try to visit a private > url I should be presented with a login form if I'm not already logged in. > So there's no problem that the adapter automatically redirects me to the > auth-server. > > Now, imagine that this is an real application. Where the front-page would, > if the user is not logged in, show "Login" and "Register" links, and would > not show links to pages that an anonymous user is not allowed to access > (for example 'Customer Listing'). If a user is logged in the application > would not show 'Login' and 'Register' but instead show 'Hello User, > welcome back' and would include links to pages that particular user is > allowed to access (for example if the current user had the role user, but > not admin, only the 'Customer Listing', not the 'Customer Admin Interface' > link, would be displayed). > > How would I be able to implement that behaviour with the current way > Keycloak works? > > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Wednesday, 23 October, 2013 8:18:32 PM >> Subject: Re: [keycloak-dev] Automatically login user to application when >> logged into realm >> >> Did you even read my response? I completely mapped out the entire flow >> of how it works *now* in our demo and how it could work with a pure >> HTML5 app. Go play with the demo to understand things better maybe? >> >> You talkd about this before: >> > A company has an internal Keycloak server, they have a single realm >> with multiple internal applications. All applications are hosted on >> different servers. Let's imagine this company is called Red Hat. The >> user, let's call him Stian, first goes to the OrangeHRM to book some >> long overdue holiday. He's not currently logged in to the realm so is is >> shown an anonymous access screen instead with a login link. Stian >> presses login, fills in username and password and successfully logs in >> to the realm. Now Stian wants to go to docspace, again Stian has to >> press the Login link, but doesn't have to provide a username or >> password, but instead is simply redirected back to the application as a >> logged in user. Stian is actually a bit confused about this as he just >> logged in to an application without providing a username or password. >> >> >> >> What you describe is not how our demo works nor will it ever work that >> way. You log in once to the auth server, any app you visit knows who >> you are. There's no need to click a "login" button when you visit a new >> site. HTML5 app would work exactly the same way as any of the WARs in >> the Keycloak demo code except all the redirect and cookie processing >> would happen within Javascript within the browser. There's just no need >> for your extra "no-forms" invocation! The login check is already built >> into the protocol. >> >> http://www.tizag.com/javascriptT/javascriptredirect.php >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

From: "Bill Burke" <bburke(a)redhat.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Thursday, 24 October, 2013 1:13:40 PM Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm Not to drag this on, but take a look at how google does it. If you are not logged in, and you go to gmail.com, you are redirected immediately to accounts.google.com and you must log in there. After you login you are redirected back to gmail.com. If you leave gmail.com and visit another website, then come back to gmail.com, it does an immediate redirect to accounts.google.com which then immediately redirects you back to gmail. So, I feel better. I'm not so old school... :). Google works pretty much the same way the keycloak demo works. There is one difference though that I i'm not sure if we should follow: I'm guessing that to implement single sign off, Google will always redirect to accounts.google.com to check to see if you're logged in when you visit a google page. On 10/24/2013 5:17 AM, Stian Thorgersen wrote: > No worries, it's one of those things that happens with trying to explain > something over email/IRC. > > I think it should be an optional feature support by all adapters. For the > AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' > ({..., 'auto-login' : true }?). If it's enabled and the first request is > to an unsecured resource it would redirect to 'auth/login?prompt=none'. > I'm happy to add a proposal to the AS7 adapter if you'd like. > I don't think this approach can work very well in old-school web apps, if at all. For pure Servlet apps you're either accessing a secure area or you're not. A URL can't be both secure and unsecure at the same time. Plus, if you have any kind of latency, a full browser redirect just to check if you're logged in with the auth-server is going to be pretty ugly. The application adapter *DOES* still need an amILoggedIn REST call. By default it should just return: { "loggedIn" : true, "user" : "wburke" } If you set a flag in resteasy-oauth.json, it will also contain the access token { loggedIn : true, "user" : "wburke", "token" : "asdfasdfasdfqwerqwer" } amILoggedIn would be authenticated by a http-only cookie. > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Wednesday, 23 October, 2013 10:01:41 PM >> Subject: Re: [keycloak-dev] Automatically login user to application when >> logged into realm >> >> I guess I see what you mean. You want to be able to show a >> login/register links on the *application's* page and not just redirect >> immediately to the keycloak screens when you first visit the page. I >> guess I'm thinking too old school Java EE app that would automatically >> bring you to the login screen if you access secured content. I feel >> like a dinosaur sometimes. Too bad I still have 20 year until I retire. >> >> Apologies for wasting your time. >> >> Gonna have to figure out how to support this scenario for a traditional >> web app too. >> >> On 10/23/2013 3:58 PM, Stian Thorgersen wrote: >>> Yes I read your response and yes I have played with your demo. >>> >>> Let's then revisit this with the demo in mind, and you can tell me where >>> I'm mistaken. >>> >>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*' >>> require the admin role and '/customers/*' requires the user role. If I >>> click on a link taking me to any of these pages the adapter redirects me >>> to the auth-server. In this case it works, as if I try to visit a private >>> url I should be presented with a login form if I'm not already logged in. >>> So there's no problem that the adapter automatically redirects me to the >>> auth-server. >>> >>> Now, imagine that this is an real application. Where the front-page >>> would, >>> if the user is not logged in, show "Login" and "Register" links, and >>> would >>> not show links to pages that an anonymous user is not allowed to access >>> (for example 'Customer Listing'). If a user is logged in the application >>> would not show 'Login' and 'Register' but instead show 'Hello User, >>> welcome back' and would include links to pages that particular user is >>> allowed to access (for example if the current user had the role user, but >>> not admin, only the 'Customer Listing', not the 'Customer Admin >>> Interface' >>> link, would be displayed). >>> >>> How would I be able to implement that behaviour with the current way >>> Keycloak works? >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>> Cc: keycloak-dev(a)lists.jboss.org >>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM >>>> Subject: Re: [keycloak-dev] Automatically login user to application when >>>> logged into realm >>>> >>>> Did you even read my response? I completely mapped out the entire flow >>>> of how it works *now* in our demo and how it could work with a pure >>>> HTML5 app. Go play with the demo to understand things better maybe? >>>> >>>> You talkd about this before: >>>> > A company has an internal Keycloak server, they have a single realm >>>> with multiple internal applications. All applications are hosted on >>>> different servers. Let's imagine this company is called Red Hat. The >>>> user, let's call him Stian, first goes to the OrangeHRM to book some >>>> long overdue holiday. He's not currently logged in to the realm so is is >>>> shown an anonymous access screen instead with a login link. Stian >>>> presses login, fills in username and password and successfully logs in >>>> to the realm. Now Stian wants to go to docspace, again Stian has to >>>> press the Login link, but doesn't have to provide a username or >>>> password, but instead is simply redirected back to the application as a >>>> logged in user. Stian is actually a bit confused about this as he just >>>> logged in to an application without providing a username or password. >>>> >>>> >>>> >>>> What you describe is not how our demo works nor will it ever work that >>>> way. You log in once to the auth server, any app you visit knows who >>>> you are. There's no need to click a "login" button when you visit a new >>>> site. HTML5 app would work exactly the same way as any of the WARs in >>>> the Keycloak demo code except all the redirect and cookie processing >>>> would happen within Javascript within the browser. There's just no need >>>> for your extra "no-forms" invocation! The login check is already built >>>> into the protocol. >>>> >>>> http://www.tizag.com/javascriptT/javascriptredirect.php >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

By the way that's not how gmail.com works for me. I just tried to open gmail.com in an incognito window and was redirected to https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form. ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 24 October, 2013 1:13:40 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > Not to drag this on, but take a look at how google does it. > > If you are not logged in, and you go to gmail.com, you are redirected > immediately to accounts.google.com and you must log in there. After you > login you are redirected back to gmail.com. > > If you leave gmail.com and visit another website, then come back to > gmail.com, it does an immediate redirect to accounts.google.com which > then immediately redirects you back to gmail. > > So, I feel better. I'm not so old school... :). Google works pretty > much the same way the keycloak demo works. There is one difference > though that I i'm not sure if we should follow: I'm guessing that to > implement single sign off, Google will always redirect to > accounts.google.com to check to see if you're logged in when you visit a > google page. > > > On 10/24/2013 5:17 AM, Stian Thorgersen wrote: >> No worries, it's one of those things that happens with trying to explain >> something over email/IRC. >> >> I think it should be an optional feature support by all adapters. For the >> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' >> ({..., 'auto-login' : true }?). If it's enabled and the first request is >> to an unsecured resource it would redirect to 'auth/login?prompt=none'. >> I'm happy to add a proposal to the AS7 adapter if you'd like. >> > > I don't think this approach can work very well in old-school web apps, > if at all. For pure Servlet apps you're either accessing a secure area > or you're not. A URL can't be both secure and unsecure at the same > time. Plus, if you have any kind of latency, a full browser redirect > just to check if you're logged in with the auth-server is going to be > pretty ugly. > > The application adapter *DOES* still need an amILoggedIn REST call. By > default it should just return: > > { > "loggedIn" : true, > "user" : "wburke" > } > > If you set a flag in resteasy-oauth.json, it will also contain the > access token > > { > loggedIn : true, > "user" : "wburke", > "token" : "asdfasdfasdfqwerqwer" > } > > amILoggedIn would be authenticated by a http-only cookie. > > >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Wednesday, 23 October, 2013 10:01:41 PM >>> Subject: Re: [keycloak-dev] Automatically login user to application when >>> logged into realm >>> >>> I guess I see what you mean. You want to be able to show a >>> login/register links on the *application's* page and not just redirect >>> immediately to the keycloak screens when you first visit the page. I >>> guess I'm thinking too old school Java EE app that would automatically >>> bring you to the login screen if you access secured content. I feel >>> like a dinosaur sometimes. Too bad I still have 20 year until I retire. >>> >>> Apologies for wasting your time. >>> >>> Gonna have to figure out how to support this scenario for a traditional >>> web app too. >>> >>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote: >>>> Yes I read your response and yes I have played with your demo. >>>> >>>> Let's then revisit this with the demo in mind, and you can tell me where >>>> I'm mistaken. >>>> >>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*' >>>> require the admin role and '/customers/*' requires the user role. If I >>>> click on a link taking me to any of these pages the adapter redirects me >>>> to the auth-server. In this case it works, as if I try to visit a private >>>> url I should be presented with a login form if I'm not already logged in. >>>> So there's no problem that the adapter automatically redirects me to the >>>> auth-server. >>>> >>>> Now, imagine that this is an real application. Where the front-page >>>> would, >>>> if the user is not logged in, show "Login" and "Register" links, and >>>> would >>>> not show links to pages that an anonymous user is not allowed to access >>>> (for example 'Customer Listing'). If a user is logged in the application >>>> would not show 'Login' and 'Register' but instead show 'Hello User, >>>> welcome back' and would include links to pages that particular user is >>>> allowed to access (for example if the current user had the role user, but >>>> not admin, only the 'Customer Listing', not the 'Customer Admin >>>> Interface' >>>> link, would be displayed). >>>> >>>> How would I be able to implement that behaviour with the current way >>>> Keycloak works? >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM >>>>> Subject: Re: [keycloak-dev] Automatically login user to application when >>>>> logged into realm >>>>> >>>>> Did you even read my response? I completely mapped out the entire flow >>>>> of how it works *now* in our demo and how it could work with a pure >>>>> HTML5 app. Go play with the demo to understand things better maybe? >>>>> >>>>> You talkd about this before: >>>>> > A company has an internal Keycloak server, they have a single realm >>>>> with multiple internal applications. All applications are hosted on >>>>> different servers. Let's imagine this company is called Red Hat. The >>>>> user, let's call him Stian, first goes to the OrangeHRM to book some >>>>> long overdue holiday. He's not currently logged in to the realm so is is >>>>> shown an anonymous access screen instead with a login link. Stian >>>>> presses login, fills in username and password and successfully logs in >>>>> to the realm. Now Stian wants to go to docspace, again Stian has to >>>>> press the Login link, but doesn't have to provide a username or >>>>> password, but instead is simply redirected back to the application as a >>>>> logged in user. Stian is actually a bit confused about this as he just >>>>> logged in to an application without providing a username or password. >>>>> >>>>> >>>>> >>>>> What you describe is not how our demo works nor will it ever work that >>>>> way. You log in once to the auth server, any app you visit knows who >>>>> you are. There's no need to click a "login" button when you visit a new >>>>> site. HTML5 app would work exactly the same way as any of the WARs in >>>>> the Keycloak demo code except all the redirect and cookie processing >>>>> would happen within Javascript within the browser. There's just no need >>>>> for your extra "no-forms" invocation! The login check is already built >>>>> into the protocol. >>>>> >>>>> http://www.tizag.com/javascriptT/javascriptredirect.php >>>>> >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >

Yes it goes through accounts.google.com. Google often have different regional behaviour though. Did you see the amazon example I wrote before? Did the same mistake of replying twice again :/ ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 24 October, 2013 1:56:29 PM > Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm > > Weird. Firefox 24 and IE 10 on Windows for me works the way I > described. What do the logged HTTP requests look like? Does it go > through accounts.google.com? > > On 10/24/2013 8:37 AM, Stian Thorgersen wrote: >> By the way that's not how gmail.com works for me. I just tried to open >> gmail.com in an incognito window and was redirected to >> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form. >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Thursday, 24 October, 2013 1:13:40 PM >>> Subject: Re: [keycloak-dev] Automatically login user to application when >>> logged into realm >>> >>> Not to drag this on, but take a look at how google does it. >>> >>> If you are not logged in, and you go to gmail.com, you are redirected >>> immediately to accounts.google.com and you must log in there. After you >>> login you are redirected back to gmail.com. >>> >>> If you leave gmail.com and visit another website, then come back to >>> gmail.com, it does an immediate redirect to accounts.google.com which >>> then immediately redirects you back to gmail. >>> >>> So, I feel better. I'm not so old school... :). Google works pretty >>> much the same way the keycloak demo works. There is one difference >>> though that I i'm not sure if we should follow: I'm guessing that to >>> implement single sign off, Google will always redirect to >>> accounts.google.com to check to see if you're logged in when you visit a >>> google page. >>> >>> >>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote: >>>> No worries, it's one of those things that happens with trying to explain >>>> something over email/IRC. >>>> >>>> I think it should be an optional feature support by all adapters. For the >>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' >>>> ({..., 'auto-login' : true }?). If it's enabled and the first request is >>>> to an unsecured resource it would redirect to 'auth/login?prompt=none'. >>>> I'm happy to add a proposal to the AS7 adapter if you'd like. >>>> >>> >>> I don't think this approach can work very well in old-school web apps, >>> if at all. For pure Servlet apps you're either accessing a secure area >>> or you're not. A URL can't be both secure and unsecure at the same >>> time. Plus, if you have any kind of latency, a full browser redirect >>> just to check if you're logged in with the auth-server is going to be >>> pretty ugly. >>> >>> The application adapter *DOES* still need an amILoggedIn REST call. By >>> default it should just return: >>> >>> { >>> "loggedIn" : true, >>> "user" : "wburke" >>> } >>> >>> If you set a flag in resteasy-oauth.json, it will also contain the >>> access token >>> >>> { >>> loggedIn : true, >>> "user" : "wburke", >>> "token" : "asdfasdfasdfqwerqwer" >>> } >>> >>> amILoggedIn would be authenticated by a http-only cookie. >>> >>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM >>>>> Subject: Re: [keycloak-dev] Automatically login user to application when >>>>> logged into realm >>>>> >>>>> I guess I see what you mean. You want to be able to show a >>>>> login/register links on the *application's* page and not just redirect >>>>> immediately to the keycloak screens when you first visit the page. I >>>>> guess I'm thinking too old school Java EE app that would automatically >>>>> bring you to the login screen if you access secured content. I feel >>>>> like a dinosaur sometimes. Too bad I still have 20 year until I retire. >>>>> >>>>> Apologies for wasting your time. >>>>> >>>>> Gonna have to figure out how to support this scenario for a traditional >>>>> web app too. >>>>> >>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote: >>>>>> Yes I read your response and yes I have played with your demo. >>>>>> >>>>>> Let's then revisit this with the demo in mind, and you can tell me >>>>>> where >>>>>> I'm mistaken. >>>>>> >>>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*' >>>>>> require the admin role and '/customers/*' requires the user role. If I >>>>>> click on a link taking me to any of these pages the adapter redirects >>>>>> me >>>>>> to the auth-server. In this case it works, as if I try to visit a >>>>>> private >>>>>> url I should be presented with a login form if I'm not already logged >>>>>> in. >>>>>> So there's no problem that the adapter automatically redirects me to >>>>>> the >>>>>> auth-server. >>>>>> >>>>>> Now, imagine that this is an real application. Where the front-page >>>>>> would, >>>>>> if the user is not logged in, show "Login" and "Register" links, and >>>>>> would >>>>>> not show links to pages that an anonymous user is not allowed to access >>>>>> (for example 'Customer Listing'). If a user is logged in the >>>>>> application >>>>>> would not show 'Login' and 'Register' but instead show 'Hello User, >>>>>> welcome back' and would include links to pages that particular user is >>>>>> allowed to access (for example if the current user had the role user, >>>>>> but >>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin >>>>>> Interface' >>>>>> link, would be displayed). >>>>>> >>>>>> How would I be able to implement that behaviour with the current way >>>>>> Keycloak works? >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM >>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application >>>>>>> when >>>>>>> logged into realm >>>>>>> >>>>>>> Did you even read my response? I completely mapped out the entire >>>>>>> flow >>>>>>> of how it works *now* in our demo and how it could work with a pure >>>>>>> HTML5 app. Go play with the demo to understand things better maybe? >>>>>>> >>>>>>> You talkd about this before: >>>>>>> > A company has an internal Keycloak server, they have a single >>>>>>> > realm >>>>>>> with multiple internal applications. All applications are hosted on >>>>>>> different servers. Let's imagine this company is called Red Hat. The >>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book some >>>>>>> long overdue holiday. He's not currently logged in to the realm so is >>>>>>> is >>>>>>> shown an anonymous access screen instead with a login link. Stian >>>>>>> presses login, fills in username and password and successfully logs in >>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has to >>>>>>> press the Login link, but doesn't have to provide a username or >>>>>>> password, but instead is simply redirected back to the application as >>>>>>> a >>>>>>> logged in user. Stian is actually a bit confused about this as he just >>>>>>> logged in to an application without providing a username or password. >>>>>>> >>>>>>> >>>>>>> >>>>>>> What you describe is not how our demo works nor will it ever work that >>>>>>> way. You log in once to the auth server, any app you visit knows who >>>>>>> you are. There's no need to click a "login" button when you visit a >>>>>>> new >>>>>>> site. HTML5 app would work exactly the same way as any of the WARs in >>>>>>> the Keycloak demo code except all the redirect and cookie processing >>>>>>> would happen within Javascript within the browser. There's just no >>>>>>> need >>>>>>> for your extra "no-forms" invocation! The login check is already >>>>>>> built >>>>>>> into the protocol. >>>>>>> >>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php >>>>>>> >>>>>>> -- >>>>>>> Bill Burke >>>>>>> JBoss, a division of Red Hat >>>>>>> http://bill.burkecentral.com >>>>>>> >>>>> >>>>> -- >>>>> Bill Burke >>>>> JBoss, a division of Red Hat >>>>> http://bill.burkecentral.com >>>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com >

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Thursday, 24 October, 2013 4:16:44 PM Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 24 October, 2013 2:52:59 PM > Subject: Re: [keycloak-dev] Automatically login user to application when > logged into realm > > Yeah, I saw amazon example. I think your amazon example is different > because they don't have to worry about single sign on. Amazon has SSO with LoveFilm! Are you really still claiming that the use-case I have where an application wants to do single-sign-on and have pages that adapt to whether or not a user is logged in (instead of simply showing a login form) is not something people are going to want to do? That's certainly how I would like my web apps to work if I was writing them. > > The current keycloak application adapter build on top of servlet > security and only requires a valve and the keycloak configuration file > and it just works. The style you are talking about would have to bypass > servlet security entirely and require custom application code to work. > This is why I don't think it should be promoted as a preferred solution. No it doesn't. The front-page for an application could have the following JSP code: <% if(request.getUserPrincipal() != null) { %> <h2>Hello <%=request.getUserPrincipal%></h2> <% } else { <% <h2>Click here to <a href="...">login</a></h2> %> <ul class="menu"> <li><a href="public/index.html">Some public page</a></li> <% if(request.getUserPrincipal() != null) { <li><a href="private/index.html">Some restricted page</a></li> } %> When opening the front-page the prompt=none would be used to login a user if the user is already logged in to the realm. If the user visits 'private/index.html' first, then it should result in the login form if the user is not already logged in, so in this case prompt=none wouldn't be used. > > The preferred solution should be a server-side driven authentication > with private client credentials for both javascript and old-school apps. > For Servlet environments, the constraints of servlet security should > be used to keep setup simple. > > > On 10/24/2013 9:00 AM, Stian Thorgersen wrote: > > Yes it goes through accounts.google.com. Google often have different > > regional behaviour though. > > > > Did you see the amazon example I wrote before? Did the same mistake of > > replying twice again :/ > > > > ----- Original Message ----- > >> From: "Bill Burke" <bburke(a)redhat.com&gt; > >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; > >> Cc: keycloak-dev(a)lists.jboss.org > >> Sent: Thursday, 24 October, 2013 1:56:29 PM > >> Subject: Re: [keycloak-dev] Automatically login user to application when > >> logged into realm > >> > >> Weird. Firefox 24 and IE 10 on Windows for me works the way I > >> described. What do the logged HTTP requests look like? Does it go > >> through accounts.google.com? > >> > >> On 10/24/2013 8:37 AM, Stian Thorgersen wrote: > >>> By the way that's not how gmail.com works for me. I just tried to open > >>> gmail.com in an incognito window and was redirected to > >>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login > >>> form. > >>> > >>> ----- Original Message ----- > >>>> From: "Bill Burke" <bburke(a)redhat.com&gt; > >>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>> Cc: keycloak-dev(a)lists.jboss.org > >>>> Sent: Thursday, 24 October, 2013 1:13:40 PM > >>>> Subject: Re: [keycloak-dev] Automatically login user to application > >>>> when > >>>> logged into realm > >>>> > >>>> Not to drag this on, but take a look at how google does it. > >>>> > >>>> If you are not logged in, and you go to gmail.com, you are redirected > >>>> immediately to accounts.google.com and you must log in there. After > >>>> you > >>>> login you are redirected back to gmail.com. > >>>> > >>>> If you leave gmail.com and visit another website, then come back to > >>>> gmail.com, it does an immediate redirect to accounts.google.com which > >>>> then immediately redirects you back to gmail. > >>>> > >>>> So, I feel better. I'm not so old school... :). Google works pretty > >>>> much the same way the keycloak demo works. There is one difference > >>>> though that I i'm not sure if we should follow: I'm guessing that to > >>>> implement single sign off, Google will always redirect to > >>>> accounts.google.com to check to see if you're logged in when you visit > >>>> a > >>>> google page. > >>>> > >>>> > >>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote: > >>>>> No worries, it's one of those things that happens with trying to > >>>>> explain > >>>>> something over email/IRC. > >>>>> > >>>>> I think it should be an optional feature support by all adapters. For > >>>>> the > >>>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' > >>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request > >>>>> is > >>>>> to an unsecured resource it would redirect to > >>>>> 'auth/login?prompt=none'. > >>>>> I'm happy to add a proposal to the AS7 adapter if you'd like. > >>>>> > >>>> > >>>> I don't think this approach can work very well in old-school web apps, > >>>> if at all. For pure Servlet apps you're either accessing a secure > >>>> area > >>>> or you're not. A URL can't be both secure and unsecure at the same > >>>> time. Plus, if you have any kind of latency, a full browser redirect > >>>> just to check if you're logged in with the auth-server is going to be > >>>> pretty ugly. > >>>> > >>>> The application adapter *DOES* still need an amILoggedIn REST call. > >>>> By > >>>> default it should just return: > >>>> > >>>> { > >>>> "loggedIn" : true, > >>>> "user" : "wburke" > >>>> } > >>>> > >>>> If you set a flag in resteasy-oauth.json, it will also contain the > >>>> access token > >>>> > >>>> { > >>>> loggedIn : true, > >>>> "user" : "wburke", > >>>> "token" : "asdfasdfasdfqwerqwer" > >>>> } > >>>> > >>>> amILoggedIn would be authenticated by a http-only cookie. > >>>> > >>>> > >>>>> ----- Original Message ----- > >>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; > >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>>>> Cc: keycloak-dev(a)lists.jboss.org > >>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM > >>>>>> Subject: Re: [keycloak-dev] Automatically login user to application > >>>>>> when > >>>>>> logged into realm > >>>>>> > >>>>>> I guess I see what you mean. You want to be able to show a > >>>>>> login/register links on the *application's* page and not just > >>>>>> redirect > >>>>>> immediately to the keycloak screens when you first visit the page. > >>>>>> I > >>>>>> guess I'm thinking too old school Java EE app that would > >>>>>> automatically > >>>>>> bring you to the login screen if you access secured content. I feel > >>>>>> like a dinosaur sometimes. Too bad I still have 20 year until I > >>>>>> retire. > >>>>>> > >>>>>> Apologies for wasting your time. > >>>>>> > >>>>>> Gonna have to figure out how to support this scenario for a > >>>>>> traditional > >>>>>> web app too. > >>>>>> > >>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote: > >>>>>>> Yes I read your response and yes I have played with your demo. > >>>>>>> > >>>>>>> Let's then revisit this with the demo in mind, and you can tell me > >>>>>>> where > >>>>>>> I'm mistaken. > >>>>>>> > >>>>>>> I visit http://localhost:8080/customer-portal/. The urls > >>>>>>> '/admins/*' > >>>>>>> require the admin role and '/customers/*' requires the user role. > >>>>>>> If > >>>>>>> I > >>>>>>> click on a link taking me to any of these pages the adapter > >>>>>>> redirects > >>>>>>> me > >>>>>>> to the auth-server. In this case it works, as if I try to visit a > >>>>>>> private > >>>>>>> url I should be presented with a login form if I'm not already > >>>>>>> logged > >>>>>>> in. > >>>>>>> So there's no problem that the adapter automatically redirects me > >>>>>>> to > >>>>>>> the > >>>>>>> auth-server. > >>>>>>> > >>>>>>> Now, imagine that this is an real application. Where the front-page > >>>>>>> would, > >>>>>>> if the user is not logged in, show "Login" and "Register" links, > >>>>>>> and > >>>>>>> would > >>>>>>> not show links to pages that an anonymous user is not allowed to > >>>>>>> access > >>>>>>> (for example 'Customer Listing'). If a user is logged in the > >>>>>>> application > >>>>>>> would not show 'Login' and 'Register' but instead show 'Hello User, > >>>>>>> welcome back' and would include links to pages that particular user > >>>>>>> is > >>>>>>> allowed to access (for example if the current user had the role > >>>>>>> user, > >>>>>>> but > >>>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin > >>>>>>> Interface' > >>>>>>> link, would be displayed). > >>>>>>> > >>>>>>> How would I be able to implement that behaviour with the current > >>>>>>> way > >>>>>>> Keycloak works? > >>>>>>> > >>>>>>> ----- Original Message ----- > >>>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; > >>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; > >>>>>>>> Cc: keycloak-dev(a)lists.jboss.org > >>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM > >>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to > >>>>>>>> application > >>>>>>>> when > >>>>>>>> logged into realm > >>>>>>>> > >>>>>>>> Did you even read my response? I completely mapped out the entire > >>>>>>>> flow > >>>>>>>> of how it works *now* in our demo and how it could work with a > >>>>>>>> pure > >>>>>>>> HTML5 app. Go play with the demo to understand things better > >>>>>>>> maybe? > >>>>>>>> > >>>>>>>> You talkd about this before: > >>>>>>>> > A company has an internal Keycloak server, they have a > >>>>>>>> > single > >>>>>>>> > realm > >>>>>>>> with multiple internal applications. All applications are hosted > >>>>>>>> on > >>>>>>>> different servers. Let's imagine this company is called Red Hat. > >>>>>>>> The > >>>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book > >>>>>>>> some > >>>>>>>> long overdue holiday. He's not currently logged in to the realm so > >>>>>>>> is > >>>>>>>> is > >>>>>>>> shown an anonymous access screen instead with a login link. Stian > >>>>>>>> presses login, fills in username and password and successfully > >>>>>>>> logs > >>>>>>>> in > >>>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has > >>>>>>>> to > >>>>>>>> press the Login link, but doesn't have to provide a username or > >>>>>>>> password, but instead is simply redirected back to the application > >>>>>>>> as > >>>>>>>> a > >>>>>>>> logged in user. Stian is actually a bit confused about this as he > >>>>>>>> just > >>>>>>>> logged in to an application without providing a username or > >>>>>>>> password. > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> What you describe is not how our demo works nor will it ever work > >>>>>>>> that > >>>>>>>> way. You log in once to the auth server, any app you visit knows > >>>>>>>> who > >>>>>>>> you are. There's no need to click a "login" button when you visit > >>>>>>>> a > >>>>>>>> new > >>>>>>>> site. HTML5 app would work exactly the same way as any of the > >>>>>>>> WARs > >>>>>>>> in > >>>>>>>> the Keycloak demo code except all the redirect and cookie > >>>>>>>> processing > >>>>>>>> would happen within Javascript within the browser. There's just no > >>>>>>>> need > >>>>>>>> for your extra "no-forms" invocation! The login check is already > >>>>>>>> built > >>>>>>>> into the protocol. > >>>>>>>> > >>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php > >>>>>>>> > >>>>>>>> -- > >>>>>>>> Bill Burke > >>>>>>>> JBoss, a division of Red Hat > >>>>>>>> http://bill.burkecentral.com > >>>>>>>> > >>>>>> > >>>>>> -- > >>>>>> Bill Burke > >>>>>> JBoss, a division of Red Hat > >>>>>> http://bill.burkecentral.com > >>>>>> > >>>> > >>>> -- > >>>> Bill Burke > >>>> JBoss, a division of Red Hat > >>>> http://bill.burkecentral.com > >>>> > >> > >> -- > >> Bill Burke > >> JBoss, a division of Red Hat > >> http://bill.burkecentral.com > >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

FWIW, Amazon does not have SSO. It has shared credentials, but not SSO. Tried it out on audible.com and amazon. Lovefilm doesn't even recognize my amazon account. Also GMAIL redirects automatically to an unprotected login page. My bank, brokerage, redirects automatically to an unprotected login or front page where I can log in. So, I know you think its absurd, but pretty much any site where security is even remotely important, an automatic redirect happens to an unprotected page. A better example would have been a news article or forum where you can read articles and comments but can't post comments until you log in. So in summary: * I'm not against no-forms call. I even said so, 2-3 emails ago. * After reviewing the jboss web adapter, a "login-check" could be done by the adapter. You just won't be able to have a page that can be both protected or unprotected. * I'm wary of the keycloak.js approach as it requires public application credentials which opens up keycloak for additional attacks. Read the OAuth spec for more details. I'm not sure how realistic some of the attacks are, but they do exist. I"ll have to review, but I'm not sure OpenID fits with the goals of Keycloak. OAuth is about granting access while OpenID is about establishing the identity of the user. On 10/25/2013 4:52 AM, Stian Thorgersen wrote: > OpenID connect has this option. This is a spec we should look at and seriously consider adding support for. > > ----- Original Message ----- >> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >> To: "Bill Burke" <bburke(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Thursday, 24 October, 2013 4:16:44 PM >> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm >> >> >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Thursday, 24 October, 2013 2:52:59 PM >>> Subject: Re: [keycloak-dev] Automatically login user to application when >>> logged into realm >>> >>> Yeah, I saw amazon example. I think your amazon example is different >>> because they don't have to worry about single sign on. >> Amazon has SSO with LoveFilm! Are you really still claiming that the use-case >> I have where an application wants to do single-sign-on and have pages that >> adapt to whether or not a user is logged in (instead of simply showing a >> login form) is not something people are going to want to do? That's >> certainly how I would like my web apps to work if I was writing them. >> >>> The current keycloak application adapter build on top of servlet >>> security and only requires a valve and the keycloak configuration file >>> and it just works. The style you are talking about would have to bypass >>> servlet security entirely and require custom application code to work. >>> This is why I don't think it should be promoted as a preferred solution. >> No it doesn't. The front-page for an application could have the following JSP >> code: >> >> <% >> if(request.getUserPrincipal() != null) { >> %> >> <h2>Hello <%=request.getUserPrincipal%></h2> >> <% } else { <% >> <h2>Click here to <a href="...">login</a></h2> >> %> >> >> <ul class="menu"> >> <li><a href="public/index.html">Some public page</a></li> >> <% >> if(request.getUserPrincipal() != null) { >> <li><a href="private/index.html">Some restricted page</a></li> >> } >> %> >> >> When opening the front-page the prompt=none would be used to login a user if >> the user is already logged in to the realm. If the user visits >> 'private/index.html' first, then it should result in the login form if the >> user is not already logged in, so in this case prompt=none wouldn't be used. >> >>> The preferred solution should be a server-side driven authentication >>> with private client credentials for both javascript and old-school apps. >>> For Servlet environments, the constraints of servlet security should >>> be used to keep setup simple. >>> >>> >>> On 10/24/2013 9:00 AM, Stian Thorgersen wrote: >>>> Yes it goes through accounts.google.com. Google often have different >>>> regional behaviour though. >>>> >>>> Did you see the amazon example I wrote before? Did the same mistake of >>>> replying twice again :/ >>>> >>>> ----- Original Message ----- >>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>> Sent: Thursday, 24 October, 2013 1:56:29 PM >>>>> Subject: Re: [keycloak-dev] Automatically login user to application when >>>>> logged into realm >>>>> >>>>> Weird. Firefox 24 and IE 10 on Windows for me works the way I >>>>> described. What do the logged HTTP requests look like? Does it go >>>>> through accounts.google.com? >>>>> >>>>> On 10/24/2013 8:37 AM, Stian Thorgersen wrote: >>>>>> By the way that's not how gmail.com works for me. I just tried to open >>>>>> gmail.com in an incognito window and was redirected to >>>>>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login >>>>>> form. >>>>>> >>>>>> ----- Original Message ----- >>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>> Sent: Thursday, 24 October, 2013 1:13:40 PM >>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application >>>>>>> when >>>>>>> logged into realm >>>>>>> >>>>>>> Not to drag this on, but take a look at how google does it. >>>>>>> >>>>>>> If you are not logged in, and you go to gmail.com, you are redirected >>>>>>> immediately to accounts.google.com and you must log in there. After >>>>>>> you >>>>>>> login you are redirected back to gmail.com. >>>>>>> >>>>>>> If you leave gmail.com and visit another website, then come back to >>>>>>> gmail.com, it does an immediate redirect to accounts.google.com which >>>>>>> then immediately redirects you back to gmail. >>>>>>> >>>>>>> So, I feel better. I'm not so old school... :). Google works pretty >>>>>>> much the same way the keycloak demo works. There is one difference >>>>>>> though that I i'm not sure if we should follow: I'm guessing that to >>>>>>> implement single sign off, Google will always redirect to >>>>>>> accounts.google.com to check to see if you're logged in when you visit >>>>>>> a >>>>>>> google page. >>>>>>> >>>>>>> >>>>>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote: >>>>>>>> No worries, it's one of those things that happens with trying to >>>>>>>> explain >>>>>>>> something over email/IRC. >>>>>>>> >>>>>>>> I think it should be an optional feature support by all adapters. For >>>>>>>> the >>>>>>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json' >>>>>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request >>>>>>>> is >>>>>>>> to an unsecured resource it would redirect to >>>>>>>> 'auth/login?prompt=none'. >>>>>>>> I'm happy to add a proposal to the AS7 adapter if you'd like. >>>>>>>> >>>>>>> I don't think this approach can work very well in old-school web apps, >>>>>>> if at all. For pure Servlet apps you're either accessing a secure >>>>>>> area >>>>>>> or you're not. A URL can't be both secure and unsecure at the same >>>>>>> time. Plus, if you have any kind of latency, a full browser redirect >>>>>>> just to check if you're logged in with the auth-server is going to be >>>>>>> pretty ugly. >>>>>>> >>>>>>> The application adapter *DOES* still need an amILoggedIn REST call. >>>>>>> By >>>>>>> default it should just return: >>>>>>> >>>>>>> { >>>>>>> "loggedIn" : true, >>>>>>> "user" : "wburke" >>>>>>> } >>>>>>> >>>>>>> If you set a flag in resteasy-oauth.json, it will also contain the >>>>>>> access token >>>>>>> >>>>>>> { >>>>>>> loggedIn : true, >>>>>>> "user" : "wburke", >>>>>>> "token" : "asdfasdfasdfqwerqwer" >>>>>>> } >>>>>>> >>>>>>> amILoggedIn would be authenticated by a http-only cookie. >>>>>>> >>>>>>> >>>>>>>> ----- Original Message ----- >>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM >>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application >>>>>>>>> when >>>>>>>>> logged into realm >>>>>>>>> >>>>>>>>> I guess I see what you mean. You want to be able to show a >>>>>>>>> login/register links on the *application's* page and not just >>>>>>>>> redirect >>>>>>>>> immediately to the keycloak screens when you first visit the page. >>>>>>>>> I >>>>>>>>> guess I'm thinking too old school Java EE app that would >>>>>>>>> automatically >>>>>>>>> bring you to the login screen if you access secured content. I feel >>>>>>>>> like a dinosaur sometimes. Too bad I still have 20 year until I >>>>>>>>> retire. >>>>>>>>> >>>>>>>>> Apologies for wasting your time. >>>>>>>>> >>>>>>>>> Gonna have to figure out how to support this scenario for a >>>>>>>>> traditional >>>>>>>>> web app too. >>>>>>>>> >>>>>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote: >>>>>>>>>> Yes I read your response and yes I have played with your demo. >>>>>>>>>> >>>>>>>>>> Let's then revisit this with the demo in mind, and you can tell me >>>>>>>>>> where >>>>>>>>>> I'm mistaken. >>>>>>>>>> >>>>>>>>>> I visit http://localhost:8080/customer-portal/. The urls >>>>>>>>>> '/admins/*' >>>>>>>>>> require the admin role and '/customers/*' requires the user role. >>>>>>>>>> If >>>>>>>>>> I >>>>>>>>>> click on a link taking me to any of these pages the adapter >>>>>>>>>> redirects >>>>>>>>>> me >>>>>>>>>> to the auth-server. In this case it works, as if I try to visit a >>>>>>>>>> private >>>>>>>>>> url I should be presented with a login form if I'm not already >>>>>>>>>> logged >>>>>>>>>> in. >>>>>>>>>> So there's no problem that the adapter automatically redirects me >>>>>>>>>> to >>>>>>>>>> the >>>>>>>>>> auth-server. >>>>>>>>>> >>>>>>>>>> Now, imagine that this is an real application. Where the front-page >>>>>>>>>> would, >>>>>>>>>> if the user is not logged in, show "Login" and "Register" links, >>>>>>>>>> and >>>>>>>>>> would >>>>>>>>>> not show links to pages that an anonymous user is not allowed to >>>>>>>>>> access >>>>>>>>>> (for example 'Customer Listing'). If a user is logged in the >>>>>>>>>> application >>>>>>>>>> would not show 'Login' and 'Register' but instead show 'Hello User, >>>>>>>>>> welcome back' and would include links to pages that particular user >>>>>>>>>> is >>>>>>>>>> allowed to access (for example if the current user had the role >>>>>>>>>> user, >>>>>>>>>> but >>>>>>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin >>>>>>>>>> Interface' >>>>>>>>>> link, would be displayed). >>>>>>>>>> >>>>>>>>>> How would I be able to implement that behaviour with the current >>>>>>>>>> way >>>>>>>>>> Keycloak works? >>>>>>>>>> >>>>>>>>>> ----- Original Message ----- >>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM >>>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to >>>>>>>>>>> application >>>>>>>>>>> when >>>>>>>>>>> logged into realm >>>>>>>>>>> >>>>>>>>>>> Did you even read my response? I completely mapped out the entire >>>>>>>>>>> flow >>>>>>>>>>> of how it works *now* in our demo and how it could work with a >>>>>>>>>>> pure >>>>>>>>>>> HTML5 app. Go play with the demo to understand things better >>>>>>>>>>> maybe? >>>>>>>>>>> >>>>>>>>>>> You talkd about this before: >>>>>>>>>>> > A company has an internal Keycloak server, they have a >>>>>>>>>>> > single >>>>>>>>>>> > realm >>>>>>>>>>> with multiple internal applications. All applications are hosted >>>>>>>>>>> on >>>>>>>>>>> different servers. Let's imagine this company is called Red Hat. >>>>>>>>>>> The >>>>>>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book >>>>>>>>>>> some >>>>>>>>>>> long overdue holiday. He's not currently logged in to the realm so >>>>>>>>>>> is >>>>>>>>>>> is >>>>>>>>>>> shown an anonymous access screen instead with a login link. Stian >>>>>>>>>>> presses login, fills in username and password and successfully >>>>>>>>>>> logs >>>>>>>>>>> in >>>>>>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has >>>>>>>>>>> to >>>>>>>>>>> press the Login link, but doesn't have to provide a username or >>>>>>>>>>> password, but instead is simply redirected back to the application >>>>>>>>>>> as >>>>>>>>>>> a >>>>>>>>>>> logged in user. Stian is actually a bit confused about this as he >>>>>>>>>>> just >>>>>>>>>>> logged in to an application without providing a username or >>>>>>>>>>> password. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> What you describe is not how our demo works nor will it ever work >>>>>>>>>>> that >>>>>>>>>>> way. You log in once to the auth server, any app you visit knows >>>>>>>>>>> who >>>>>>>>>>> you are. There's no need to click a "login" button when you visit >>>>>>>>>>> a >>>>>>>>>>> new >>>>>>>>>>> site. HTML5 app would work exactly the same way as any of the >>>>>>>>>>> WARs >>>>>>>>>>> in >>>>>>>>>>> the Keycloak demo code except all the redirect and cookie >>>>>>>>>>> processing >>>>>>>>>>> would happen within Javascript within the browser. There's just no >>>>>>>>>>> need >>>>>>>>>>> for your extra "no-forms" invocation! The login check is already >>>>>>>>>>> built >>>>>>>>>>> into the protocol. >>>>>>>>>>> >>>>>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Bill Burke >>>>>>>>>>> JBoss, a division of Red Hat >>>>>>>>>>> http://bill.burkecentral.com >>>>>>>>>>> >>>>>>>>>>>