[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Thu Oct 24 09:00:13 EDT 2013


Yes it goes through accounts.google.com. Google often have different regional behaviour though.

Did you see the amazon example I wrote before? Did the same mistake of replying twice again :/

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 24 October, 2013 1:56:29 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> Weird.  Firefox 24 and IE 10 on Windows for me works the way I
> described.  What do the logged HTTP requests look like?  Does it go
> through accounts.google.com?
> 
> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
> > By the way that's not how gmail.com works for me. I just tried to open
> > gmail.com in an incognito window and was redirected to
> > https://mail.google.com/intl/en-GB/mail/help/about.html, not a login form.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 24 October, 2013 1:13:40 PM
> >> Subject: Re: [keycloak-dev] Automatically login user to application when
> >> logged into realm
> >>
> >> Not to drag this on, but take a look at how google does it.
> >>
> >> If you are not logged in, and you go to gmail.com, you are redirected
> >> immediately to accounts.google.com and you must log in there.  After you
> >> login you are redirected back to gmail.com.
> >>
> >> If you leave gmail.com and visit another website, then come back to
> >> gmail.com, it does an immediate redirect to accounts.google.com which
> >> then immediately redirects you back to gmail.
> >>
> >> So, I feel better.  I'm not so old school... :). Google works pretty
> >> much the same way the keycloak demo works.  There is one difference
> >> though that I'm not sure if we should follow:  I'm guessing that to
> >> implement single sign off, Google will always redirect to
> >> accounts.google.com to check to see if you're logged in when you visit a
> >> google page.
> >>
> >>
> >> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
> >>> No worries, it's one of those things that happens with trying to explain
> >>> something over email/IRC.
> >>>
> >>> I think it should be an optional feature supported by all adapters. For the
> >>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
> >>> ({..., 'auto-login' : true }?). If it's enabled and the first request is
> >>> to an unsecured resource it would redirect to 'auth/login?prompt=none'.
> >>> I'm happy to add a proposal to the AS7 adapter if you'd like.
> >>>
> >>
> >> I don't think this approach can work very well in old-school web apps,
> >> if at all.  For pure Servlet apps you're either accessing a secure area
> >> or you're not.  A URL can't be both secure and unsecure at the same
> >> time.  Plus, if you have any kind of latency, a full browser redirect
> >> just to check if you're logged in with the auth-server is going to be
> >> pretty ugly.
> >>
> >> The application adapter *DOES* still need an amILoggedIn REST call.  By
> >> default it should just return:
> >>
> >> {
> >>      "loggedIn" : true,
> >>      "user" : "wburke"
> >> }
> >>
> >> If you set a flag in resteasy-oauth.json, it will also contain the
> >> access token
> >>
> >> {
> >>      "loggedIn" : true,
> >>      "user" : "wburke",
> >>      "token" : "asdfasdfasdfqwerqwer"
> >> }
> >>
> >> amILoggedIn would be authenticated by a http-only cookie.
> >>
> >>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
> >>>> Subject: Re: [keycloak-dev] Automatically login user to application when
> >>>> logged into realm
> >>>>
> >>>> I guess I see what you mean.  You want to be able to show a
> >>>> login/register links on the *application's* page and not just redirect
> >>>> immediately to the keycloak screens when you first visit the page.  I
> >>>> guess I'm thinking too old school Java EE app that would automatically
> >>>> bring you to the login screen if you access secured content.  I feel
> >>>> like a dinosaur sometimes.  Too bad I still have 20 years until I retire.
> >>>>
> >>>> Apologies for wasting your time.
> >>>>
> >>>> Gonna have to figure out how to support this scenario for a traditional
> >>>> web app too.
> >>>>
> >>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> >>>>> Yes I read your response and yes I have played with your demo.
> >>>>>
> >>>>> Let's then revisit this with the demo in mind, and you can tell me
> >>>>> where
> >>>>> I'm mistaken.
> >>>>>
> >>>>> I visit http://localhost:8080/customer-portal/. The urls '/admins/*'
> >>>>> require the admin role and '/customers/*' requires the user role. If I
> >>>>> click on a link taking me to any of these pages the adapter redirects
> >>>>> me
> >>>>> to the auth-server. In this case it works, as if I try to visit a
> >>>>> private
> >>>>> url I should be presented with a login form if I'm not already logged
> >>>>> in.
> >>>>> So there's no problem that the adapter automatically redirects me to
> >>>>> the
> >>>>> auth-server.
> >>>>>
> >>>>> Now, imagine that this is a real application. Where the front-page
> >>>>> would,
> >>>>> if the user is not logged in, show "Login" and "Register" links, and
> >>>>> would
> >>>>> not show links to pages that an anonymous user is not allowed to access
> >>>>> (for example 'Customer Listing'). If a user is logged in the
> >>>>> application
> >>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
> >>>>> welcome back' and would include links to pages that particular user is
> >>>>> allowed to access (for example if the current user had the role user,
> >>>>> but
> >>>>> not admin, only the 'Customer Listing', not the 'Customer Admin
> >>>>> Interface'
> >>>>> link, would be displayed).
> >>>>>
> >>>>> How would I be able to implement that behaviour with the current way
> >>>>> Keycloak works?
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> >>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
> >>>>>> when
> >>>>>> logged into realm
> >>>>>>
> >>>>>> Did you even read my response?  I completely mapped out the entire
> >>>>>> flow
> >>>>>> of how it works *now* in our demo and how it could work with a pure
> >>>>>> HTML5 app.  Go play with the demo to understand things better maybe?
> >>>>>>
> >>>>>> You talked about this before:
> >>>>>>     > A company has an internal Keycloak server, they have a single
> >>>>>>     > realm
> >>>>>> with multiple internal applications. All applications are hosted on
> >>>>>> different servers. Let's imagine this company is called Red Hat. The
> >>>>>> user, let's call him Stian, first goes to the OrangeHRM to book some
> >>>>>> long overdue holiday. He's not currently logged in to the realm so is
> >>>>>> shown an anonymous access screen instead with a login link. Stian
> >>>>>> presses login, fills in username and password and successfully logs in
> >>>>>> to the realm. Now Stian wants to go to docspace, again Stian has to
> >>>>>> press the Login link, but doesn't have to provide a username or
> >>>>>> password, but instead is simply redirected back to the application as
> >>>>>> a
> >>>>>> logged in user. Stian is actually a bit confused about this as he just
> >>>>>> logged in to an application without providing a username or password.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> What you describe is not how our demo works nor will it ever work that
> >>>>>> way.  You log in once to the auth server, any app you visit knows who
> >>>>>> you are.  There's no need to click a "login" button when you visit a
> >>>>>> new
> >>>>>> site.  HTML5 app would work exactly the same way as any of the WARs in
> >>>>>> the Keycloak demo code except all the redirect and cookie processing
> >>>>>> would happen within Javascript within the browser. There's just no
> >>>>>> need
> >>>>>> for your extra "no-forms" invocation!  The login check is already
> >>>>>> built
> >>>>>> into the protocol.
> >>>>>>
> >>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
> >>>>>>
> >>>>>> --
> >>>>>> Bill Burke
> >>>>>> JBoss, a division of Red Hat
> >>>>>> http://bill.burkecentral.com
> >>>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
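
The two proposals in this thread (an 'auto-login' redirect to 'auth/login?prompt=none' for unsecured pages, and an amILoggedIn call authenticated by an http-only cookie) can be sketched as follows; this is an added illustration, not Keycloak adapter code and not written by anyone in the thread. The cookie names `SESSION` and `LOGIN_CHECKED`, the `expose-token` flag name, the `{ loggedIn: false }` reply and the session store are assumptions made for the sketch.

```javascript
// Added illustration; all sample data below is constructed.
const SECURED = [/^\/admins\//, /^\/customers\//]; // URL patterns from the demo in the thread

// Constructed server-side session store: http-only cookie value -> session.
const sessions = new Map([
  ['c00kie-1', { user: 'wburke', token: 'asdfasdfasdfqwerqwer' }],
]);

function sessionFor(req) {
  return sessions.get(req.cookies.SESSION) || null; // 'SESSION' is a hypothetical cookie name
}

// Decide what the adapter does with a browser request.
function handleRequest(req, config) {
  const s = sessionFor(req);
  if (s) return { action: 'serve', user: s.user };
  if (SECURED.some((p) => p.test(req.path))) {
    return { action: 'redirect', location: 'auth/login' }; // login form is expected here
  }
  // Unsecured resource: ask the auth server once, without showing a form.
  if (config['auto-login'] && !req.cookies.LOGIN_CHECKED) {
    return {
      action: 'redirect',
      location: 'auth/login?prompt=none',
      setCookie: { LOGIN_CHECKED: '1' }, // hypothetical marker so the check is not repeated on every page
    };
  }
  return { action: 'serve', user: null }; // anonymous page with Login/Register links
}

// Body of the amILoggedIn REST call; the caller is identified only by the
// http-only cookie, so page script never handles the session id itself.
function amILoggedIn(req, config) {
  const s = sessionFor(req);
  if (!s) return { loggedIn: false }; // assumed shape for the anonymous case
  const body = { loggedIn: true, user: s.user };
  if (config['expose-token']) body.token = s.token; // hypothetical flag; token reaches script only when set
  return body;
}
```

Leaving the token out by default keeps it unreadable to page script, which is the same property the http-only cookie gives the session id.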

