[keycloak-dev] Keycloak and mobile
Matt Wringe
mwringe at redhat.com
Wed Aug 14 14:45:05 EDT 2013
Thoughts on some possible ways to handle mobile aspects with Keycloak.
It's just a very brief outline of some of the options to get a
conversation started. I tried to be as brief as possible, but the email is
still a bit long :/
Mobile web app
Works similar to how any normal web app would work with keycloak. Only
changes really needed would be to make sure the login pages and such are
designed to work properly on varying sizes of touchscreens.
Native Mobile App Approaches
1) Native mobile app accessing keycloak through a custom webview.
It's possible for a native application to create a webview and load the
web components of keycloak through this. Requires some changes to
keycloak to return the token to the application since using a normal
redirect url isn't feasible.
For social login there are a lot of problems with this approach. It's a
custom webview, so the user will always have to enter their credentials
(which defeats the point of social login as being easy). It's also a huge
trust issue since a custom webview can easily steal credentials or
spoof the content. Facebook will be blocking logins using webviews this
fall due to the security concerns and will require using their sdk
instead, other social networks may soon follow.
2) Native mobile app accessing a native keycloak service.
A native keycloak service could be created to be run on the mobile
device which would handle account registration and login. The idea here
is that the native keycloak component would be in contact with the
keycloak server and would be managed there. This component would also
register itself as an account authenticator so that other apps can use
keycloak for authentication (in the same manner as apps do now for other
social logins).
It would use the native social sdk or system account management system
to perform social login. Once a social token is retrieved in the native
keycloak component, it would be sent to the keycloak server for
verification, which would return a keycloak token.
Note: just to be clear, the keycloak mobile component would not be
keycloak re-written on a mobile device. Most of what happens will still
be done on the server side and it would be managed from the server's
admin console.
Thoughts on the native app approaches:
1 is a non-optimal user experience with some trust/security issues, and
is already going to be blocked by some social providers. But it requires
the least amount of native code and most things still remain on the
server side.
2 requires a lot more native code to be written and requires a lot more
changes to keycloak on the server side. But it provides a much nicer
user experience and would act the same way as current authentication
providers do to applications. There are also fewer issues with social
providers blocking access since we would be using the approved and
recommended methods.
Any thoughts on this? I am still catching up on keycloak so some of my
assumptions may be a bit off in a few areas.
- Matt Wringe
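The server side of the exchange described under approach 2 (native component obtains a social token with the provider's own SDK, posts it to the keycloak server, server verifies it with the provider and hands back its own token), written out as an added example. This is illustration code, not Keycloak's code or anything from the thread. Everything named here is assumed: APP_ID and SERVER_KEY are made-up identifiers, PROVIDER_TOKENS is a constructed stand-in for the provider's token-verification API (a real server would call the provider over HTTPS, never trusting the identity the device claims), and the issued token is a compact HMAC-signed JSON blob rather than any Keycloak token format. The check a practitioner will want that the email does not spell out is the app-id comparison: a social token that is perfectly valid but was issued to a different application must not log anyone in here.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed identifiers for the illustration (not from Keycloak):
APP_ID = "keycloak-mobile-demo"             # our app id as registered with the provider
SERVER_KEY = b"assumed-server-signing-key"  # server-side secret for the tokens we issue
TOKEN_TTL = 900                             # lifetime of an issued token, in seconds

# Constructed stand-in for the social provider's token-verification API.
# A real server calls the provider over HTTPS; the device's own claims are never trusted.
PROVIDER_TOKENS = {
    "facebook": {
        "fb-tok-good":      {"user_id": "1001", "app_id": APP_ID, "expires_at": 1376500000 + 3600},
        "fb-tok-new":       {"user_id": "2001", "app_id": APP_ID, "expires_at": 1376500000 + 3600},
        "fb-tok-wrong-app": {"user_id": "1002", "app_id": "someone-elses-app", "expires_at": 1376500000 + 3600},
        "fb-tok-expired":   {"user_id": "1003", "app_id": APP_ID, "expires_at": 1376500000 - 1},
    }
}

# Constructed server-side account table keyed by (provider, provider user id).
ACCOUNTS = {("facebook", "1001"): "alice"}


class ExchangeError(Exception):
    """Raised when a social token must not be exchanged for a keycloak token."""


def provider_verify(provider, social_token):
    """Stand-in for asking the provider who a token belongs to and which app it
    was issued to. Returns None for an unknown provider or token."""
    return PROVIDER_TOKENS.get(provider, {}).get(social_token)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now):
    """Issue a server-signed token (compact HMAC-signed JSON; an assumed format)."""
    payload = {"sub": username, "iat": now, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = _b64url(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, now):
    """Return the payload of a token this server issued, or None if the
    signature does not match or the token has expired."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_b64url_decode(body))
    if payload["exp"] <= now:
        return None
    return payload


def exchange_social_token(provider, social_token, now):
    """Server side of the exchange: verify the social token with the provider,
    check it was issued to *our* app and is still valid, map the provider
    identity to a local account (registering one on first login), then issue
    our own token."""
    info = provider_verify(provider, social_token)
    if info is None:
        raise ExchangeError("provider does not recognise this token")
    if info["app_id"] != APP_ID:
        # A valid token issued to some other application must not log anyone in here.
        raise ExchangeError("token was not issued to this application")
    if info["expires_at"] <= now:
        raise ExchangeError("social token has expired")
    key = (provider, info["user_id"])
    if key not in ACCOUNTS:
        ACCOUNTS[key] = f"{provider}-user-{info['user_id']}"  # account registration
    return issue_token(ACCOUNTS[key], now)


def handle_device_request(request_json, now):
    """The message the native component posts is {"provider": ..., "social_token": ...};
    the return value is the JSON reply the server sends back."""
    req = json.loads(request_json)
    try:
        token = exchange_social_token(req.get("provider"), req.get("social_token"), now)
    except ExchangeError as e:
        return json.dumps({"error": str(e)})
    return json.dumps({"keycloak_token": token})


if __name__ == "__main__":
    now = 1376500000
    reply = handle_device_request(json.dumps({"provider": "facebook", "social_token": "fb-tok-good"}), now)
    print(reply)
    print(verify_token(json.loads(reply)["keycloak_token"], now))
```

Time is passed in explicitly so the expiry checks are deterministic; a real deployment would use the clock and would also want the provider lookup to carry the provider's own app-id binding (e.g. a token-debug or userinfo call) rather than the in-memory table used here.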
More information about the keycloak-dev
mailing list