Hiding the login address from the end user is a really bad idea. The user must see
the Keycloak DNS name and be able to verify the SSL certificate.
If you really want to create your own login experience, there is an option
of using the direct grant flow. But this way is also not recommended on public
apps, as users will be asked to enter their credentials on a 3rd party site
that may be untrusted or compromised.
Mon, 15 Jan 2018 at 16:25, Kristoffer Skaret <kristoffer.skaret(a)gmail.com>:
Our organization is implementing an OIDC platform based on Keycloak, and so
far we are overall happy with the result. But we are left with one major
issue regarding cookies and iframes.
Background:
- Our OIDC platform will be exposed through public domain on the
  Internet, and will be used as an authentication service in a long range
  of different web sites
- As a result, the clients to our service will run on different domains
- Many of the client applications will prefer to present the OIDC user
  interface in an iFrame
The problem came up when we tried running with this setup using the Safari
browser. As it seems, Safari treats cookies presented in an iframe as 3rd
party cookies. So the browser will refuse to save these, unless a similar
cookie has already been presented.
- Has anybody else experience with this issue?
- Any suggested solutions?
As we have learned, Keycloak is very dependent upon cookies regarding many
different aspects of the functionality. However, we are considering the
option to try and make a fork of Keycloak without the need for cookies.
Many aspects, such as cookie-based SSO, are not relevant in our solution.
Thanks,
Kristoffer
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
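
Added example, not part of the original thread and not Keycloak's own code: a relying party (Node.js) sends the browser to the identity provider with a full-page redirect in the authorization code flow instead of an iframe, so the address bar shows the provider's host and its cookies are set in a first-party context. It goes beyond the thread by adding `state` validation and PKCE; the function names and the session storage mentioned in the comments are assumptions of this example.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// Build the authorization request for a full-page redirect.
// `authEndpoint` is the provider's authorization endpoint (assumed to be
// known from its OIDC discovery document); names here are hypothetical.
function buildLoginRedirect({ authEndpoint, clientId, redirectUri }) {
  const endpoint = new URL(authEndpoint);
  // The user can only check the certificate if the login page uses TLS.
  if (endpoint.protocol !== 'https:') {
    throw new Error('authorization endpoint must use https');
  }
  const state = b64url(nodeCrypto.randomBytes(16));        // ties the callback to this session
  const codeVerifier = b64url(nodeCrypto.randomBytes(32)); // PKCE secret, never sent in the redirect
  const codeChallenge = b64url(
    nodeCrypto.createHash('sha256').update(codeVerifier).digest());
  endpoint.search = new URLSearchParams({
    response_type: 'code',
    scope: 'openid',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  // The caller stores { state, codeVerifier } in the user's session and then
  // answers with a 302 to `url` (top-level navigation, not an iframe src).
  return { url: endpoint.toString(), state, codeVerifier };
}

// Validate the callback before exchanging the code for tokens.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) throw new Error(`login failed: ${params.get('error')}`);
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !nodeCrypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('missing code');
  return code;
}
```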