3:58 a.m.
Hi all,
I have a html-frontend and i want to show the loginpage from keycloak as a part of this
frontend and not redirect to the loginpage. Is there a possibility to do this ?
My first thougt was an iframe, but what is the src for this ?
<div id="body">
<div id="content">
<div id="infoBox"></div>
<div class="verticalSpace"></div>
<div id="LoginView">
<iframe src="[Keycloak login view]"></iframe>
</div>
</div>
</div>
6:45 a.m.
New subject: Integrate the Keycloak Login view in my own html with iframe
We don't support using an iframe as it opens potential exploits (clickjacking, csrf,
xss).
If you are willing to accept the risk of these, or can mitigate them yourself, you can
implement this flow yourself in your application. Basically create a "login" and
callback pages on your app. The login page would redirect to Keycloak login page, Keycloak
would then redirect back to the callback page which is used to send the token to the main
window using window.postMessage.
----- Original Message -----
From: "Christoph Machnik"
<christoph.machnik(a)traveltainment.de>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, February 9, 2015 10:58:14 AM
Subject: [keycloak-user] Integrate the Keycloak Login view in my own html with iframe
Hi all,
I have a html-frontend and i want to show the loginpage from keycloak as a
part of this frontend and not redirect to the loginpage. Is there a
possibility to do this ?
My first thougt was an iframe, but what is the src for this ?
<div id="body">
<div id="content">
<div id="infoBox"></div>
<div class="verticalSpace"></div>
<div id="LoginView">
<iframe src=" [Keycloak login view] "></iframe>
</div>
</div>
</div>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:50 a.m.
On 2/23/2015 7:45 AM, Stian Thorgersen wrote:
We don't support using an iframe as it opens potential exploits
(clickjacking, csrf, xss).
Actually we might be able to. Currently we restrict this possibility by
setting the Content-Security-Policy header. The value of this header is
configurable in the admin console. IIRC, you can set up trusted origins
with this header. Don't remember. Or you could just shut it off.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
6:53 a.m.
Do we set x-frame-options? The OAuth spec recommends it,
http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, February 23, 2015 1:50:34 PM
Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with
iframe
On 2/23/2015 7:45 AM, Stian Thorgersen wrote:
> We don't support using an iframe as it opens potential exploits
> (clickjacking, csrf, xss).
>
Actually we might be able to. Currently we restrict this possibility by
setting the Content-Security-Policy header. The value of this header is
configurable in the admin console. IIRC, you can set up trusted origins
with this header. Don't remember. Or you could just shut it off.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:56 a.m.
Yes, look under Security Defenses tab. X-Frame-Options is actually
replaced by Content-Security-Policy
On 2/23/2015 7:53 AM, Stian Thorgersen wrote:
Do we set x-frame-options? The OAuth spec recommends it,
http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.13
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Monday, February 23, 2015 1:50:34 PM
> Subject: Re: [keycloak-user] Integrate the Keycloak Login view in my own html with
iframe
>
> On 2/23/2015 7:45 AM, Stian Thorgersen wrote:
>> We don't support using an iframe as it opens potential exploits
>> (clickjacking, csrf, xss).
>>
>
> Actually we might be able to. Currently we restrict this possibility by
> setting the Content-Security-Policy header. The value of this header is
> configurable in the admin console. IIRC, you can set up trusted origins
> with this header. Don't remember. Or you could just shut it off.
>
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3612
days inactive
3626
days old
4 comments
3 participants
participants (3)
-
Bill Burke -
Christoph Machnik -
Stian Thorgersen