Hi Ori, you're welcome,
On Thu, 2018-11-15 at 09:15 +0000, Ori Doolman wrote:
Hi Dmitry,
Thank you for answering.
In fact, the desktop app is not yet integrated with Keycloak; that is work still to be done.
I'm not familiar with the desktop app since it is a 3rd party app not written by us.
If it is Java based, I thought of using one of the Keycloak Java adapters. If not, just get the token with an HTTP[S] call (which seems to be what kcinit and KeycloakInstalled are doing as well).
I was not familiar with kcinit or KeycloakInstalled before.
KeycloakInstalled might be a solution, but with limitations:
1) The desktop app must be written in Java.
2) It must be acceptable by the app designers to launch a browser for login.
3) If I understand correctly, it only performs a client level authentication, not supporting username/password credentials authentication.
That leads me to the original question - can I have SSO without using cookies, by simply sending the token to my web app as part of the starting URL (the desktop app will launch the web app in a browser)?
Is it correct that your desktop app uses direct grant to authenticate a user with login/password and to obtain tokens from the Keycloak OIDC endpoint? This would imply that features such as password reset or conditional OTP, available via Keycloak interactive login only, would be unavailable.
If you're ok with this, I think what you're talking about should be
possible. Token size (and hence URL length) shouldn't be the issue, since modern
browsers are able to swallow really gigantic URLs (like "data:"). Obviously, it
will be the responsibility of your webapp to parse the token out of URL.
And please don't forget that you'll have to pass refresh token too, since access
tokens are short-lived and you'll need to refresh them.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Wednesday, November 14, 2018 20:34
To: Ori Doolman <Ori.Doolman(a)Amdocs.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] SSO experience
Hello Ori,
How do you implement SSO for your desktop application? Are you using kcinit [1] or
KeycloakInstalled [2]?
Both will do interactive login via the system browser, which means SSO cookies should be shared with whatever web application is run therein.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
[1] https://github.com/keycloak/kcinit
[2] https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_...
On Wed, 2018-11-14 at 10:36 +0000, Ori Doolman wrote:
> Hi,
> I have 2 applications: one is desktop (Windows) and the other one is a web application.
> My desktop application performs authentication and login using Keycloak, and gets a JWT Access Token.
> My web application is using the Keycloak JS adapter to perform the same.
>
> After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again?
>
> Maybe I can pass the token and refresh token from the desktop application as init parameters to the Keycloak-JS?
> I see the following code is checking if initOptions contains the token:
>
> function processInit() {
>     var callback = parseCallback(window.location.href);
>
>     if (callback) {
>         window.history.replaceState({}, null, callback.newUrl);
>     }
>
>     if (callback && callback.valid) {
>         return setupCheckLoginIframe().success(function() {
>             processCallback(callback, initPromise);
>         }).error(function (e) {
>             initPromise.setError();
>         });
>     } else if (initOptions) {
>         if (initOptions.token && initOptions.refreshToken) {
>             setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
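The hand-over discussed in this thread (the desktop app launches the web app with the tokens in the starting URL, the web app parses them out and passes them as `token`/`refreshToken`/`idToken` to `keycloak.init()`, and the refresh token travels along because the access token is short-lived), as an added example that is neither from the thread nor from the Keycloak project. The launch URL shape, the `webapp.example`/`sso.example` hosts, the realm and client names, and the sample tokens are all assumptions made for the example; the tokens are carried in the URL fragment rather than the query string so they are never sent to the web server or leaked through logs and the Referer header. Keycloak refresh tokens are themselves JWTs with an `exp` claim, which the example uses to decide whether the handed-over session is still usable.

```javascript
// Added example: parse desktop-issued tokens out of the launch URL and build
// initOptions for keycloak-js (the quoted processInit() reads initOptions.token,
// initOptions.refreshToken and initOptions.idToken). Not Keycloak project code.
//
// Assumed launch URL (constructed for this example):
//   https://webapp.example/app#access_token=...&refresh_token=...&id_token=...

// atob/btoa are browser globals and Node >= 16 globals; fall back to Buffer otherwise.
const atobFn = typeof atob === 'function' ? atob : (s) => Buffer.from(s, 'base64').toString('binary');
const btoaFn = typeof btoa === 'function' ? btoa : (s) => Buffer.from(s, 'binary').toString('base64');

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atobFn(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

function base64UrlEncode(s) {
  return btoaFn(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload of a JWS compact token. No signature check happens here:
// the web app never trusts the claims on its own, Keycloak and the resource
// servers verify the signature when the token is presented to them.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function isExpired(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// Pull the tokens out of the fragment and compute the URL that should replace
// the launch URL in the address bar and history (as processInit() does with
// callback.newUrl), so the tokens do not linger there.
function parseTokensFromUrl(href) {
  const url = new URL(href);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const token = params.get('access_token');
  const refreshToken = params.get('refresh_token');
  const idToken = params.get('id_token');
  if (!token || !refreshToken) return null;
  url.hash = '';
  return { token, refreshToken, idToken, cleanUrl: url.toString() };
}

// Build initOptions for keycloak.init(). Returns null when no usable tokens were
// handed over, in which case the caller falls back to interactive login.
function buildInitOptions(href, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parsed = parseTokensFromUrl(href);
  if (!parsed) return null;
  // The refresh token must still be valid. An expired access token is tolerable,
  // because keycloak-js can renew it from the refresh token via updateToken().
  if (isExpired(parsed.refreshToken, nowSeconds)) return null;
  return parsed;
}

// Constructed, unsigned sample token for offline demonstration only; a real
// Keycloak token carries an RS256 signature over the header and payload.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Browser wiring, guarded so the functions above can also be exercised under Node.
// Keycloak config values below are assumptions for the example.
if (typeof window !== 'undefined' && typeof Keycloak !== 'undefined') {
  const keycloak = new Keycloak({ url: 'https://sso.example/auth', realm: 'demo', clientId: 'webapp' });
  const opts = buildInitOptions(window.location.href);
  if (opts) {
    window.history.replaceState({}, null, opts.cleanUrl);
    keycloak.init({ token: opts.token, refreshToken: opts.refreshToken, idToken: opts.idToken });
  } else {
    keycloak.init({ onLoad: 'login-required' });
  }
}
```

The web app should treat the handed-over tokens as opaque credentials that only Keycloak validates; the `exp` check is merely a cheap way to avoid bootstrapping the adapter with a session that can no longer be refreshed, and the interactive `login-required` path remains the fallback whenever the hand-over is missing or stale.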