One concern with including this is if there's some potential way it can be
a vulnerability.
The only thing I can think of is that it allows figuring out the base url
for a client. That could then be used to figure out valid redirect uris for
a client. Don't think that's a huge deal though.
Another thing is that it is related to a feature we want to add at some
point. We'd like to be able to have an SSO page that lists all clients,
including icons and links to the clients. This would have two use-cases:
1. As a landing page on SSO server, and as a way for users to find all
   applications they can log in to
2. A REST service would enable applications to get a list of all clients
   and provide a link to other applications in the realm (like Google does
   with the square boxes icon)
With that in mind it would be better if the URL for client redirect was
"{realm}/clients/{client-id}/redirect" as that would allow us to use
"{realm}/clients" in the future for the above feature. "{realm}/clients" is
already used by ClientRegistrationService, but I think we can move that to
"{realm}/clients/registration" as there's probably not that many people
that are using the client registration service yet.
On 9 February 2016 at 12:02, Thomas Darimont <thomas.darimont(a)googlemail.com
Hello,
any ideas regarding this?
We need to link to a default application from several applications and it
would be helpful if keycloak would provide said redirect mechanism, such
that each application would only need to know the clientId of the default
client application and keycloak performs the proper redirect to the actual
target application.
The example posted earlier works like a charm. This could even be extended
to the point that in case no clientId is given keycloak can decide which
client to redirect to.
Cheers,
Thomas
2016-02-05 19:05 GMT+01:00 Thomas Darimont <thomas.darimont(a)googlemail.com>:
> Quick update - I did some further experiments with this...
>
> I added a /redirect path to the
> org.keycloak.services.resources.RealmsResource
> like: @Path("{realm}/{client-id}/redirect")
> see code fragment below.
>
> This allows keycloak to initiate a redirect to the browser with the actual
> target url of the client. Other clients now only need to know the realm
> and clientId
> to generate a link that eventually redirects to the target application.
>
> Usage:
> GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302
> response with location: http://apps.corp.local/launchpad
>
> Any chance to get this in as a PR?
>
> Cheers,
> Thomas
>
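> @GET
> @Path("{realm}/{client-id}/redirect")
> public Response getRedirect(final @PathParam("realm") String realmName,
>         final @PathParam("client-id") String clientId) throws Exception {
>
>     RealmModel realm = init(realmName);
>
>     if (realm == null) {
>         // Unknown realm: answer 404 instead of returning null
>         return Response.status(Response.Status.NOT_FOUND).build();
>     }
>
>     ClientModel client = realm.getClientByClientId(clientId);
>
>     if (client == null) {
>         // Unknown client: answer 404 instead of returning null
>         return Response.status(Response.Status.NOT_FOUND).build();
>     }
>
>     if (client.getRootUrl() == null) {
>         // No root URL configured: resolve the base URL against this server
>         return Response.temporaryRedirect(
>                 uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();
>     }
>
>     // Root URL configured: redirect to root URL + base URL
>     return Response.temporaryRedirect(
>             URI.create(client.getRootUrl() + client.getBaseUrl())).build();
> }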
>
> 2016-02-05 16:23 GMT+01:00 Thomas Darimont <
> thomas.darimont(a)googlemail.com>:
>
>> Hello,
>>
>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme <
>> thomas.raehalme(a)aitiofinland.com>:
>>
>>> I understand this as well, but it has not been uncommon to encounter a
>>> situation where the user needs to know where to go next, because Keycloak
>>> doesn't have a link available.
>>
>>
>> with a redirect facility as outlined above - one could render a link to
>> the "$KEYCLOAK_BASE_URL/redirect" or
>> look up the "default" client in order to render the client base url link
>> with a proper label (client name).
>>
>> Cheers,
>> Thomas
>>
>>
>>
>
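
Added example (not from the thread and not Keycloak's code): the posted fragment concatenates the client's root URL and base URL directly, so this sketch shows one way to compute the redirect target while handling a missing base URL, an absolute base URL, slash joining and non-web schemes. `RedirectTargets`, `resolve` and all sample values are hypothetical; Java 11 or later is assumed.

```java
import java.net.URI;
import java.util.Optional;

// Added illustration: RedirectTargets and resolve() are hypothetical names, not Keycloak API.
public class RedirectTargets {

    // serverBase: URI of the SSO server; rootUrl/baseUrl: the client's configured values.
    static Optional<URI> resolve(URI serverBase, String rootUrl, String baseUrl) {
        if (baseUrl == null || baseUrl.isBlank()) {
            return Optional.empty();               // nothing to redirect to, caller answers 404
        }
        try {
            URI base = URI.create(baseUrl.trim());
            URI target;
            if (base.isAbsolute()) {
                target = base;                     // base URL already carries scheme and host
            } else if (rootUrl == null || rootUrl.isBlank()) {
                target = serverBase.resolve(base); // relative to the SSO server itself
            } else {
                // Join root and base with exactly one slash between them
                String root = rootUrl.trim().replaceAll("/+$", "");
                String path = baseUrl.trim().replaceAll("^/+", "");
                target = URI.create(root + "/" + path);
            }
            String scheme = target.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (!web || target.getHost() == null) {
                return Optional.empty();           // never redirect to non-web schemes
            }
            return Optional.of(target.normalize());
        } catch (IllegalArgumentException e) {
            return Optional.empty();               // malformed client configuration
        }
    }

    public static void main(String[] args) {
        URI server = URI.create("http://localhost:8081/auth/"); // constructed sample values
        String[][] clients = {
            {"http://apps.corp.local", "/launchpad"},   // root + base
            {"http://apps.corp.local/", "launchpad"},   // same target, different slashes
            {null, "/auth/admin/master/console/"},      // relative to the server
            {null, "http://apps.corp.local/launchpad"}, // absolute base URL
            {"ftp://files.corp.local", "/pub"},         // rejected: not http(s)
            {"http://apps.corp.local", null},           // rejected: no base URL
        };
        for (String[] c : clients) {
            System.out.println(c[0] + " + " + c[1] + " -> "
                + resolve(server, c[0], c[1]).map(URI::toString).orElse("404"));
        }
    }
}
```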