Thanks for your input :)
The redirect would only work after a successful authentication,
so unauthenticated users couldn't "probe" the realm for clients / target
urls.
But I see your point that an authenticated "malicious" user could probe all
clients if he knew all clientIds (potentially via the new API).
Perhaps one could offer a way to define some kind of grouping concept to
describe
which clients that can see each other (client group?) - so only clients
from within the
same group would be eligible for such a redirect.
Btw. I adapted your suggestion regarding the endpoint path (which is now:
{realm}/clients/{client_id}/redirect)
and created a JIRA issue [0] and PR [1] with my current impl as a base for
further discussion.
Another thing is that it is related to a feature we want to add at
some
point.
We'd like to be able to have a SSO > page that lists all
clients,
including icons and links to the clients.
This would have two use-cases:
1. As a landing page on SSO server, and as a way for users to find all
applications
they can login to
This would be really helpful - is this supposed to replace the applications
section in the account page?
2. A rest service would enable applications to get a list of all
clients
and provide a link
to other applications in the realm (like Google does with the square
boxes icon)
This would also be very helpful, currently I pull the information with the
keycloak admin client
in order to render such a page. A dedicated endpoint that returns clients
metadata in JSON format
would be neat. Are you planning to just build a dedicated page of all apps
or also a html/js widget like the 9 square app selector?
[0]
https://issues.jboss.org/browse/KEYCLOAK-2469
[1]
https://github.com/keycloak/keycloak/pull/2202
2016-02-09 12:18 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
> One concern with including this is if there's some potential way it can be
> a vulnerability.
>
> The only thing I can think of is that it allows figuring out the base url
> for a client. That could then be used to figure out valid redirect uris for
> a client. Don't think that's a huge deal though.
>
Another thing is that it is related to a feature we want to add at
some
> point. We'd like to be able to have a SSO page that lists all
clients,
> including icons and links to the clients. This would have two use-cases:
> 1. As a landing page on SSO server, and as a way for users to find all
> applications they can login to
2. A rest service would enable applications to get a list of all
clients
> and provide a link to other applications in the realm (like Google
does
> with the square boxes icon)
>
> With that in mind it would be better if the URL for client redirect was
> "{realm}/clients/{client-id}/redirect" as that would allows us to use
> "{realm}/clients" in the future for the above feature.
"{realm}/clients" is
> already used by ClientRegistrationService, but I think we can move that to
> "{realm}/clients/registration" as there's probably not that many
people
> that are using the client registration service yet.
>
> On 9 February 2016 at 12:02, Thomas Darimont <
> thomas.darimont(a)googlemail.com> wrote:
>
>> Hello,
>>
>> any ideas regarding this?
>>
>> We need to link to a default application from several applications and it
>> would be helpful if keycloak would provide said redirect mechanism, such
>> that
>> each application would only need to know the clientId of the default
>> client application and keycloak performs the proper redirect to the actual
>> target application.
>>
>> The example posted earlier works like a charm. This could even be
>> extended to the point that in case no clientId is given keycloak can decide
>> which client to redirect to.
>>
>> Cheers,
>> Thomas
>>
>> 2016-02-05 19:05 GMT+01:00 Thomas Darimont <
>> thomas.darimont(a)googlemail.com>:
>>
>>> Quick update - I did some further experiments with this...
>>>
>>> I added /redirect path to the a
>>> org.keycloak.services.resources.RealmsResource
>>> like: @Path("{realm}/{client-id}/redirect")
>>> see code fragment below.
>>>
>>> This allows keycloak to initiate a redirect to the browser with the
>>> actual
>>> target url of the client. Other clients now only need to now the realm
>>> and clientId
>>> to generate a link that eventually redirects to the target application.
>>>
>>> Usage:
>>> GET
http://localhost:8081/auth/realms/master/launchpad/redirect -> 302
>>> response with location:
http://apps.corp.local/launchpad
>>>
>>> Any chance to get this in as a PR?
>>>
>>> Cheers,
>>> Thomas
>>>
>>> @GET
>>> @Path("{realm}/{client-id}/redirect")
>>> public Response getRedirect(final @PathParam("realm") String
>>> realmName, final @PathParam("client-id") String clientId) throws
Exception{
>>>
>>> RealmModel realm = init(realmName);
>>>
>>> if (realm == null){
>>> return null;
>>> }
>>>
>>> ClientModel client = realm.getClientByClientId(clientId);
>>>
>>> if (client == null){
>>> return null;
>>> }
>>>
>>> if (client.getRootUrl() == null){
>>> return
>>>
Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();
>>> }
>>>
>>> return Response.temporaryRedirect(URI.create(client.getRootUrl()
>>> + client.getBaseUrl())).build();
>>> }
>>>
>>> 2016-02-05 16:23 GMT+01:00 Thomas Darimont <
>>> thomas.darimont(a)googlemail.com>:
>>>
>>>> Hello,
>>>>
>>>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme <
>>>> thomas.raehalme(a)aitiofinland.com>:
>>>>
>>>>> I understand this as well, but it has not been uncommon to encounter
a
>>>>> situation where the user needs to know where to go next, because
Keycloak
>>>>> doesn't have a link available.
>>>>
>>>>
>>>> with a redirect facility as outlined above - one could render a link to
>>>> the "$KEYCLOAK_BASE_URL/redirect" or
>>>> lookup the "default" client in order to render the client base
url link
>>>> with a proper label (client name).
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>>
>>>>
>>>
>>
>