[keycloak-dev] Automatically login user to application when logged into realm
Stian Thorgersen
stian at redhat.com
Wed Oct 23 15:58:04 EDT 2013
Yes I read your response and yes I have played with your demo.
Let's then revisit this with the demo in mind, and you can tell me where I'm mistaken.
I visit http://localhost:8080/customer-portal/. The urls '/admins/*' require the admin role and '/customers/*' requires the user role. If I click on a link taking me to any of these pages the adapter redirects me to the auth-server. In this case it works, as if I try to visit a private url I should be presented with a login form if I'm not already logged in. So there's no problem that the adapter automatically redirects me to the auth-server.
Now, imagine that this is an real application. Where the front-page would, if the user is not logged in, show "Login" and "Register" links, and would not show links to pages that an anonymous user is not allowed to access (for example 'Customer Listing'). If a user is logged in the application would not show 'Login' and 'Register' but instead show 'Hello User, welcome back' and would include links to pages that particular user is allowed to access (for example if the current user had the role user, but not admin, only the 'Customer Listing', not the 'Customer Admin Interface' link, would be displayed).
How would I be able to implement that behaviour with the current way Keycloak works?
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>
> Did you even read my response? I completely mapped out the entire flow
> of how it works *now* in our demo and how it could work with a pure
> HTML5 app. Go play with the demo to understand things better maybe?
>
> You talkd about this before:
> > A company has an internal Keycloak server, they have a single realm
> with multiple internal applications. All applications are hosted on
> different servers. Let's imagine this company is called Red Hat. The
> user, let's call him Stian, first goes to the OrangeHRM to book some
> long overdue holiday. He's not currently logged in to the realm so is is
> shown an anonymous access screen instead with a login link. Stian
> presses login, fills in username and password and successfully logs in
> to the realm. Now Stian wants to go to docspace, again Stian has to
> press the Login link, but doesn't have to provide a username or
> password, but instead is simply redirected back to the application as a
> logged in user. Stian is actually a bit confused about this as he just
> logged in to an application without providing a username or password.
>
>
>
> What you describe is not how our demo works nor will it ever work that
> way. You log in once to the auth server, any app you visit knows who
> you are. There's no need to click a "login" button when you visit a new
> site. HTML5 app would work exactly the same way as any of the WARs in
> the Keycloak demo code except all the redirect and cookie processing
> would happen within Javascript within the browser. There's just no need
> for your extra "no-forms" invocation! The login check is already built
> into the protocol.
>
> http://www.tizag.com/javascriptT/javascriptredirect.php
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list