[keycloak-dev] Automatically login user to application when logged into realm

Bill Burke bburke at redhat.com
Tue Oct 22 12:16:42 EDT 2013


Ok, makes sense.

Since this keycloak.js approach requires public client/application 
credentials we're going to have to review the attack vectors and code in 
fixes or recommendations as appropriate.

I also still think the current server-side approach is far superior for 
browser apps and should be the recommended approach.  As it is, you 
can't get around having server-side adapters, as they must at least be 
set up to handle bearer token authentication for secure REST invocations.

On 10/22/2013 11:47 AM, Stian Thorgersen wrote:
> Right,
>
> Imagine this scenario:
>
> An application (this can be a JSF or JS, or whatever) has a menu-bar that has options that should only be shown to certain users, it also displays the username of the logged-in user. A user that is not logged in to the SSO realm visits the application. The user then clicks on Login and is redirected to the login form on the Keycloak server. The user logs in and is redirected back to the application and can now see additional entries in the menu.
>
> Later another user that is already logged in to the SSO realm visits the same application. The application can't automatically log this user in, as that would require automatically redirecting the user to the login form on the Keycloak server. This would be fine for this user as the user is already logged-in. However, that would break the previous case where a user visited the application without being logged in to the SSO realm.
>
> Now, if there was an option to retrieve an access code (the proposal I've commited) without showing the login form you could solve both cases. The application can automatically log the user in to the application if already logged in to the SSO realm, and wouldn't end up showing the login form if the user was not logged in (instead the user would be redirected back to the application without being logged in, and able to click on Login when he/she chooses to).
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 22 October, 2013 4:35:51 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>
>>
>> On 10/22/2013 11:22 AM, Stian Thorgersen wrote:
>>> Let's see if I can manage to explain this properly.
>>>
>>> The flow is:
>>>
>>> 1. Application redirects to '../auth/request/login'
>>> 1.1. If user is not logged in to realm display login form
>>> 1.2. If application is not a KEYCLOAK_APPLICATION and doesn't already have
>>> grants display oauth grant page
>>> 2. If successful redirect to application with authorization code
>>> 3. Application retrieves access token from '../access/codes'
>>>
>>> With the current flow there is no way for an application to check if a user
>>> is already logged-in to the realm (+ grants given). So the only options
>>> would be to either:
>>>
>>
>> I don't get why the application needs to check if the user is already
>> logged in.  Just start the oauth flow by redirecting to the auth-server.
>>    If the user is already logged in, then, keycloak *already* will create
>> an access code and redirect back to the redirect URL immediately.
>
>
>
>>
>> I do not think you approach is correct at the moment..  IMO, what you
>> have to do is create a Javascript Application Adapter that can run in
>> the browser.  It would work exactly like the JBoss Application adapter
>> except it would run within the browser.
>>
>> ALl in all, IMO, you're still better off doing this flow on the server
>> side like the examples do.  It is more secure as it doesn't require
>> public client/application credentials.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list