[keycloak-dev] redirects vs. javascript logins

Stian Thorgersen stian at redhat.com
Fri Jul 26 08:58:20 EDT 2013


To my knowledge iframes are not, while popups are. Popups are ugly anyway, so iframes would be the better approach IMO. In either case there should be a fall-back to use redirect. If JavaScript+iframe is supported, great: embed the login form in the site using an iframe (and a modal panel if wanted); if not, then redirect the user.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 26 July, 2013 1:22:58 PM
> Subject: Re: [keycloak-dev] redirects vs. javascript logins
> 
> Aren't iframe/popups usually disabled?
> 
> On 7/26/2013 5:12 AM, Stian Thorgersen wrote:
> > We can still support a similar experience though. With the combination of
> > customizable forms and iframe/popup we can still allow developers to
> > integrate the forms into applications.
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Bill Burke" <bburke at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Friday, 26 July, 2013 9:48:55 AM
> >> Subject: Re: [keycloak-dev] redirects vs. javascript logins
> >>
> >> Yes, I don't know why I missed that. As you say login and logout have to be
> >> done through redirects as long as HttpOnly is set on the cookie.
> >>
> >> EventJuggler simply links to the login page, but logout is an XHR and as you
> >> say that would have to be a redirect as well.
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: keycloak-dev at lists.jboss.org
> >>> Sent: Thursday, 25 July, 2013 5:57:56 PM
> >>> Subject: [keycloak-dev] redirects vs. javascript logins
> >>>
> >>> To do SSO, keycloak server sets a session cookie so that the user
> >>> doesn't have to relogin if the cookie is set.  This will have issues
> >>> with the custom login, like the way the Event Juggler app works.
> >>> Correct me if I'm wrong, but for Event Juggler, the login page is hosted
> >>> at the Event Juggler website?  And the app would do an HTTP invocation
> >>> to obtain the token, correct?
> >>>
> >>> The problem with this approach is that we wouldn't be able to set the
> >>> login session cookie as all cookies will be HttpOnly and not accessible
> >>> via javascript (due to security issues).  So, SSO would not work, and
> >>> the user would have to relogin for each additional site they visited.
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
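
The redirect-based flow discussed in this thread, as an added example that is not part of the original messages and not Keycloak's code: a login endpoint on the auth server sets an HttpOnly session cookie in its own response, and a later redirect from a second app is answered without a new login. All names (`SSO_SESSION`, `handleLogin`, `visibleToScript`, the `example` URLs and the demo account) are hypothetical, and `visibleToScript` only models what `document.cookie` would expose.

```javascript
// Added example: names are hypothetical, not Keycloak's API.
const { randomBytes } = require('node:crypto');

const sessions = new Map();                          // session id -> username
const USERS = new Map([['alice', 'demo-password']]); // constructed demo account
const ALLOWED_REDIRECTS = new Set([                  // constructed client registrations
  'https://app1.example/callback',
  'https://app2.example/callback',
]);

// Read one cookie value out of a Cookie request header.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return undefined;
}

// Model of document.cookie: the browser withholds HttpOnly cookies from page script.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !/;\s*HttpOnly\b/i.test(h))
    .map(h => h.split(';')[0]);
}

// Login endpoint on the auth server, reached by a top-level redirect from an app.
function handleLogin({ cookieHeader, redirectUri, credentials }) {
  // Only redirect back to registered URIs; anything else would be an open redirect.
  if (!ALLOWED_REDIRECTS.has(redirectUri)) return { status: 400, headers: {} };
  const headers = {};
  let user = sessions.get(readCookie(cookieHeader, 'SSO_SESSION'));
  if (!user) {
    if (!credentials) return { status: 200, headers, body: 'login form' };
    const expected = USERS.get(credentials.username);
    if (expected === undefined || expected !== credentials.password) {
      return { status: 401, headers };
    }
    user = credentials.username;
    const sid = randomBytes(32).toString('hex');
    sessions.set(sid, user);
    // Set by the auth server's own response, so script never needs to touch it.
    headers['Set-Cookie'] = [`SSO_SESSION=${sid}; Path=/; Secure; HttpOnly`];
  }
  // New or existing session: send the browser back with a one-time code
  // (the code-for-token exchange is omitted here).
  headers.Location = `${redirectUri}?code=${randomBytes(16).toString('hex')}`;
  return { status: 302, headers };
}
```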

