[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Thu Oct 24 08:37:45 EDT 2013 

By the way that's not how gmail.com works for me. I just tried to open gmail.com in an incognito window and was redirected to https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 24 October, 2013 1:13:40 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> Not to drag this on, but take a look at how google does it.
> 
> If you are not logged in, and you go to gmail.com, you are redirected
> immediately to accounts.google.com and you must log in there.  After you
> login you are redirected back to gmail.com.
> 
> If you leave gmail.com and visit another website, then come back to
> gmail.com, it does an immediate redirect to accounts.google.com which
> then immediately redirects you back to gmail.
> 
> So, I feel better.  I'm not so old school... :). Google works pretty
> much the same way the keycloak demo works.  There is one difference
> though that I i'm not sure if we should follow:  I'm guessing that to
> implement single sign off, Google will always redirect to
> accounts.google.com to check to see if you're logged in when you visit a
> google page.
> 
> 
> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
> > No worries, it's one of those things that happens with trying to explain
> > something over email/IRC.
> >
> > I think it should be an optional feature support by all adapters. For the
> > AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
> > ({..., 'auto-login' : true }?). If it's enabled and the first request is
> > to an unsecured resource it would redirect to 'auth/login?prompt=none'.
> > I'm happy to add a proposal to the AS7 adapter if you'd like.
> >
> 
> I don't think this approach can work very well in old-school web apps,
> if at all.  For pure Servlet apps you're either accessing a secure area
> or you're not.  A URL can't be both secure and unsecure at the same
> time.  Plus, if you have any kind of latency, a full browser redirect
> just to check if you're logged in with the auth-server is going to be
> pretty ugly.
> 
> The application adapter *DOES* still need an amILoggedIn REST call.  By
> default it should just return:
> 
> {
>     "loggedIn" : true,
>     "user" : "wburke"
> }
> 
> If you set a flag in resteasy-oauth.json, it will also contain the
> access token
> 
> {
>     loggedIn : true,
>     "user" : "wburke",
>     "token" : "asdfasdfasdfqwerqwer"
> }
> 
> amILoggedIn would be authenticated by a http-only cookie.
> 
> 
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Wednesday, 23 October, 2013 10:01:41 PM
> >> Subject: Re: [keycloak-dev] Automatically login user to application when
> >> logged into realm
> >>
> >> I guess I see what you mean.  You want to be able to show a
> >> login/register links on the *application's* page and not just redirect
> >> immediately to the keycloak screens when you first visit the page.  I
> >> guess I'm thinking too old school Java EE app that would automatically
> >> bring you to the login screen if you access secured content.  I feel
> >> like a dinosaur sometimes.  Too bad I still have 20 year until I retire.
> >>
> >> Apologies for wasting your time.
> >>
> >> Gonna have to figure out how to support this scenario for a traditional
> >> web app too.
> >>
> >> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> >>> Yes I read your response and yes I have played with your demo.
> >>>
> >>> Let's then revisit this with the demo in mind, and you can tell me where
> >>> I'm mistaken.
> >>>
> >>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
> >>> require the admin role and '/customers/*' requires the user role. If I
> >>> click on a link taking me to any of these pages the adapter redirects me
> >>> to the auth-server. In this case it works, as if I try to visit a private
> >>> url I should be presented with a login form if I'm not already logged in.
> >>> So there's no problem that the adapter automatically redirects me to the
> >>> auth-server.
> >>>
> >>> Now, imagine that this is an real application. Where the front-page
> >>> would,
> >>> if the user is not logged in, show "Login" and "Register" links, and
> >>> would
> >>> not show links to pages that an anonymous user is not allowed to access
> >>> (for example 'Customer Listing'). If a user is logged in the application
> >>> would not show 'Login' and 'Register' but instead show 'Hello User,
> >>> welcome back' and would include links to pages that particular user is
> >>> allowed to access (for example if the current user had the role user, but
> >>> not admin, only the 'Customer Listing', not the 'Customer Admin
> >>> Interface'
> >>> link, would be displayed).
> >>>
> >>> How would I be able to implement that behaviour with the current way
> >>> Keycloak works?
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> >>>> Subject: Re: [keycloak-dev] Automatically login user to application when
> >>>> logged into realm
> >>>>
> >>>> Did you even read my response?  I completely mapped out the entire flow
> >>>> of how it works *now* in our demo and how it could work with a pure
> >>>> HTML5 app.  Go play with the demo to understand things better maybe?
> >>>>
> >>>> You talkd about this before:
> >>>>    > A company has an internal Keycloak server, they have a single realm
> >>>> with multiple internal applications. All applications are hosted on
> >>>> different servers. Let's imagine this company is called Red Hat. The
> >>>> user, let's call him Stian, first goes to the OrangeHRM to book some
> >>>> long overdue holiday. He's not currently logged in to the realm so is is
> >>>> shown an anonymous access screen instead with a login link. Stian
> >>>> presses login, fills in username and password and successfully logs in
> >>>> to the realm. Now Stian wants to go to docspace, again Stian has to
> >>>> press the Login link, but doesn't have to provide a username or
> >>>> password, but instead is simply redirected back to the application as a
> >>>> logged in user. Stian is actually a bit confused about this as he just
> >>>> logged in to an application without providing a username or password.
> >>>>
> >>>>
> >>>>
> >>>> What you describe is not how our demo works nor will it ever work that
> >>>> way.  You log in once to the auth server, any app you visit knows who
> >>>> you are.  There's no need to click a "login" button when you visit a new
> >>>> site.  HTML5 app would work exactly the same way as any of the WARs in
> >>>> the Keycloak demo code except all the redirect and cookie processing
> >>>> would happen within Javascript within the browser. There's just no need
> >>>> for your extra "no-forms" invocation!  The login check is already built
> >>>> into the protocol.
> >>>>
> >>>> http://www.tizag.com/javascriptT/javascriptredirect.php
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>

More information about the keycloak-dev mailing list