[keycloak-dev] Automatically login user to application when logged into realm

Stian Thorgersen stian at redhat.com
Fri Oct 25 04:52:44 EDT 2013


OpenID connect has this option. This is a spec we should look at and seriously consider adding support for.

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 24 October, 2013 4:16:44 PM
> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
> 
> 
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Thursday, 24 October, 2013 2:52:59 PM
> > Subject: Re: [keycloak-dev] Automatically login user to application when
> > logged into realm
> > 
> > Yeah, I saw amazon example.  I think your amazon example is different
> > because they don't have to worry about single sign on.
> 
> Amazon has SSO with LoveFilm! Are you really still claiming that the use-case
> I have where an application wants to do single-sign-on and have pages that
> adapt to whether or not a user is logged in (instead of simply showing a
> login form) is not something people are going to want to do? That's
> certainly how I would like my web apps to work if I was writing them.
> 
> > 
> > The current keycloak application adapter build on top of servlet
> > security and only requires a valve and the keycloak configuration file
> > and it just works.  The style you are talking about would have to bypass
> > servlet security entirely and require custom application code to work.
> > This is why I don't think it should be promoted as a preferred solution.
> 
> No it doesn't. The front-page for an application could have the following JSP
> code:
> 
> <%
> if (request.getUserPrincipal() != null) {
> %>
>   <h2>Hello <%= request.getUserPrincipal().getName() %></h2>
> <% } else { %>
>   <h2>Click here to <a href="...">login</a></h2>
> <% } %>
> 
> <ul class="menu">
> <li><a href="public/index.html">Some public page</a></li>
> <%
> if (request.getUserPrincipal() != null) {
> %>
>   <li><a href="private/index.html">Some restricted page</a></li>
> <% } %>
> </ul>
> 
> When opening the front-page the prompt=none would be used to login a user if
> the user is already logged in to the realm. If the user visits
> 'private/index.html' first, then it should result in the login form if the
> user is not already logged in, so in this case prompt=none wouldn't be used.
> 
> > 
> > The preferred solution should be a server-side driven authentication
> > with private client credentials for both javascript and old-school apps.
> >   For Servlet environments, the constraints of servlet security should
> > be used to keep setup simple.
> > 
> > 
> > On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
> > > Yes it goes through accounts.google.com. Google often have different
> > > regional behaviour though.
> > >
> > > Did you see the amazon example I wrote before? Made the same mistake of
> > > replying twice again :/
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: "Stian Thorgersen" <stian at redhat.com>
> > >> Cc: keycloak-dev at lists.jboss.org
> > >> Sent: Thursday, 24 October, 2013 1:56:29 PM
> > >> Subject: Re: [keycloak-dev] Automatically login user to application when
> > >> logged into realm
> > >>
> > >> Weird.  Firefox 24 and IE 10 on Windows for me works the way I
> > >> described.  What do the logged HTTP requests look like?  Does it go
> > >> through accounts.google.com?
> > >>
> > >> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
> > >>> By the way that's not how gmail.com works for me. I just tried to open
> > >>> gmail.com in an incognito window and was redirected to
> > >>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
> > >>> form.
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>> Cc: keycloak-dev at lists.jboss.org
> > >>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
> > >>>> Subject: Re: [keycloak-dev] Automatically login user to application
> > >>>> when
> > >>>> logged into realm
> > >>>>
> > >>>> Not to drag this on, but take a look at how google does it.
> > >>>>
> > >>>> If you are not logged in, and you go to gmail.com, you are redirected
> > >>>> immediately to accounts.google.com and you must log in there.  After
> > >>>> you
> > >>>> login you are redirected back to gmail.com.
> > >>>>
> > >>>> If you leave gmail.com and visit another website, then come back to
> > >>>> gmail.com, it does an immediate redirect to accounts.google.com which
> > >>>> then immediately redirects you back to gmail.
> > >>>>
> > >>>> So, I feel better.  I'm not so old school... :). Google works pretty
> > >>>> much the same way the keycloak demo works.  There is one difference
> > >>>> though that I'm not sure if we should follow:  I'm guessing that to
> > >>>> implement single sign off, Google will always redirect to
> > >>>> accounts.google.com to check to see if you're logged in when you visit
> > >>>> a
> > >>>> google page.
> > >>>>
> > >>>>
> > >>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
> > >>>>> No worries, it's one of those things that happens with trying to
> > >>>>> explain
> > >>>>> something over email/IRC.
> > >>>>>
> > >>>>> I think it should be an optional feature supported by all adapters. For
> > >>>>> the
> > >>>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
> > >>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request
> > >>>>> is
> > >>>>> to an unsecured resource it would redirect to
> > >>>>> 'auth/login?prompt=none'.
> > >>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
> > >>>>>
> > >>>>
> > >>>> I don't think this approach can work very well in old-school web apps,
> > >>>> if at all.  For pure Servlet apps you're either accessing a secure
> > >>>> area
> > >>>> or you're not.  A URL can't be both secure and unsecure at the same
> > >>>> time.  Plus, if you have any kind of latency, a full browser redirect
> > >>>> just to check if you're logged in with the auth-server is going to be
> > >>>> pretty ugly.
> > >>>>
> > >>>> The application adapter *DOES* still need an amILoggedIn REST call.
> > >>>> By
> > >>>> default it should just return:
> > >>>>
> > >>>> {
> > >>>>       "loggedIn" : true,
> > >>>>       "user" : "wburke"
> > >>>> }
> > >>>>
> > >>>> If you set a flag in resteasy-oauth.json, it will also contain the
> > >>>> access token
> > >>>>
> > >>>> {
> > >>>>       "loggedIn" : true,
> > >>>>       "user" : "wburke",
> > >>>>       "token" : "asdfasdfasdfqwerqwer"
> > >>>> }
> > >>>>
> > >>>> amILoggedIn would be authenticated by a http-only cookie.
> > >>>>
> > >>>>
> > >>>>> ----- Original Message -----
> > >>>>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
> > >>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
> > >>>>>> when
> > >>>>>> logged into realm
> > >>>>>>
> > >>>>>> I guess I see what you mean.  You want to be able to show a
> > >>>>>> login/register links on the *application's* page and not just
> > >>>>>> redirect
> > >>>>>> immediately to the keycloak screens when you first visit the page.
> > >>>>>> I
> > >>>>>> guess I'm thinking too old school Java EE app that would
> > >>>>>> automatically
> > >>>>>> bring you to the login screen if you access secured content.  I feel
> > >>>>>> like a dinosaur sometimes.  Too bad I still have 20 years until I
> > >>>>>> retire.
> > >>>>>>
> > >>>>>> Apologies for wasting your time.
> > >>>>>>
> > >>>>>> Gonna have to figure out how to support this scenario for a
> > >>>>>> traditional
> > >>>>>> web app too.
> > >>>>>>
> > >>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
> > >>>>>>> Yes I read your response and yes I have played with your demo.
> > >>>>>>>
> > >>>>>>> Let's then revisit this with the demo in mind, and you can tell me
> > >>>>>>> where
> > >>>>>>> I'm mistaken.
> > >>>>>>>
> > >>>>>>> I visit http://localhost:8080/customer-portal/. The urls
> > >>>>>>> '/admins/*'
> > >>>>>>> require the admin role and '/customers/*' requires the user role.
> > >>>>>>> If
> > >>>>>>> I
> > >>>>>>> click on a link taking me to any of these pages the adapter
> > >>>>>>> redirects
> > >>>>>>> me
> > >>>>>>> to the auth-server. In this case it works, as if I try to visit a
> > >>>>>>> private
> > >>>>>>> url I should be presented with a login form if I'm not already
> > >>>>>>> logged
> > >>>>>>> in.
> > >>>>>>> So there's no problem that the adapter automatically redirects me
> > >>>>>>> to
> > >>>>>>> the
> > >>>>>>> auth-server.
> > >>>>>>>
> > >>>>>>> Now, imagine that this is a real application. Where the front-page
> > >>>>>>> would,
> > >>>>>>> if the user is not logged in, show "Login" and "Register" links,
> > >>>>>>> and
> > >>>>>>> would
> > >>>>>>> not show links to pages that an anonymous user is not allowed to
> > >>>>>>> access
> > >>>>>>> (for example 'Customer Listing'). If a user is logged in the
> > >>>>>>> application
> > >>>>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
> > >>>>>>> welcome back' and would include links to pages that particular user
> > >>>>>>> is
> > >>>>>>> allowed to access (for example if the current user had the role
> > >>>>>>> user,
> > >>>>>>> but
> > >>>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin
> > >>>>>>> Interface'
> > >>>>>>> link, would be displayed).
> > >>>>>>>
> > >>>>>>> How would I be able to implement that behaviour with the current
> > >>>>>>> way
> > >>>>>>> Keycloak works?
> > >>>>>>>
> > >>>>>>> ----- Original Message -----
> > >>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
> > >>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to
> > >>>>>>>> application
> > >>>>>>>> when
> > >>>>>>>> logged into realm
> > >>>>>>>>
> > >>>>>>>> Did you even read my response?  I completely mapped out the entire
> > >>>>>>>> flow
> > >>>>>>>> of how it works *now* in our demo and how it could work with a
> > >>>>>>>> pure
> > >>>>>>>> HTML5 app.  Go play with the demo to understand things better
> > >>>>>>>> maybe?
> > >>>>>>>>
> > >>>>>>>> You talked about this before:
> > >>>>>>>>      > A company has an internal Keycloak server, they have a
> > >>>>>>>>      > single
> > >>>>>>>>      > realm
> > >>>>>>>> with multiple internal applications. All applications are hosted
> > >>>>>>>> on
> > >>>>>>>> different servers. Let's imagine this company is called Red Hat.
> > >>>>>>>> The
> > >>>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book
> > >>>>>>>> some
> > >>>>>>>> long overdue holiday. He's not currently logged in to the realm so
> > >>>>>>>> is
> > >>>>>>>> shown an anonymous access screen instead with a login link. Stian
> > >>>>>>>> presses login, fills in username and password and successfully
> > >>>>>>>> logs
> > >>>>>>>> in
> > >>>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has
> > >>>>>>>> to
> > >>>>>>>> press the Login link, but doesn't have to provide a username or
> > >>>>>>>> password, but instead is simply redirected back to the application
> > >>>>>>>> as
> > >>>>>>>> a
> > >>>>>>>> logged in user. Stian is actually a bit confused about this as he
> > >>>>>>>> just
> > >>>>>>>> logged in to an application without providing a username or
> > >>>>>>>> password.
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> What you describe is not how our demo works nor will it ever work
> > >>>>>>>> that
> > >>>>>>>> way.  You log in once to the auth server, any app you visit knows
> > >>>>>>>> who
> > >>>>>>>> you are.  There's no need to click a "login" button when you visit
> > >>>>>>>> a
> > >>>>>>>> new
> > >>>>>>>> site.  HTML5 app would work exactly the same way as any of the
> > >>>>>>>> WARs
> > >>>>>>>> in
> > >>>>>>>> the Keycloak demo code except all the redirect and cookie
> > >>>>>>>> processing
> > >>>>>>>> would happen within Javascript within the browser. There's just no
> > >>>>>>>> need
> > >>>>>>>> for your extra "no-forms" invocation!  The login check is already
> > >>>>>>>> built
> > >>>>>>>> into the protocol.
> > >>>>>>>>
> > >>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Bill Burke
> > >>>>>>>> JBoss, a division of Red Hat
> > >>>>>>>> http://bill.burkecentral.com
> > >>>>>>>>
> > >>>>>>
> > >>>>>> --
> > >>>>>> Bill Burke
> > >>>>>> JBoss, a division of Red Hat
> > >>>>>> http://bill.burkecentral.com
> > >>>>>>
> > >>>>
> > >>>> --
> > >>>> Bill Burke
> > >>>> JBoss, a division of Red Hat
> > >>>> http://bill.burkecentral.com
> > >>>>
> > >>
> > >> --
> > >> Bill Burke
> > >> JBoss, a division of Red Hat
> > >> http://bill.burkecentral.com
> > >>
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
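The adapter behaviour argued over in this thread (auto-login on pages that carry no security constraint, one silent `prompt=none` round-trip per session, and an anonymous page when the auth server answers that no realm session exists) sketched as a servlet filter. This is an added example, not Keycloak's adapter code: the filter name, the init parameters `login-url` and `client-id`, the session attribute names and the callback handling are all assumptions.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical auto-login filter for URLs that are NOT covered by a security
 * constraint (map it only to those). Secured URLs stay with servlet security,
 * which already sends the user to the login form.
 *
 * One silent check per session: redirect once to the auth server with
 * prompt=none. The auth server comes back either with a code (a realm session
 * exists, the adapter completes the login) or with error=login_required (no
 * realm session, the page renders anonymously). Either way the session is
 * marked as checked, so there is no redirect loop and no per-request
 * round-trip to the auth server.
 */
public class AutoLoginFilter implements Filter {
    static final String CHECKED_ATTR = "autoLogin.checked"; // assumed attribute name
    static final String STATE_ATTR = "autoLogin.state";     // assumed attribute name
    private static final SecureRandom RANDOM = new SecureRandom();

    private String loginUrl; // init-param "login-url": the realm's login endpoint (assumed)
    private String clientId; // init-param "client-id" (assumed)

    @Override
    public void init(FilterConfig config) {
        loginUrl = config.getInitParameter("login-url");
        clientId = config.getInitParameter("client-id");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession();

        // Callback from the prompt=none attempt: the state must match what we stored,
        // otherwise a forged callback could attach a foreign login to this session.
        String error = request.getParameter("error");
        String code = request.getParameter("code");
        if (error != null || code != null) {
            String expected = (String) session.getAttribute(STATE_ATTR);
            session.removeAttribute(STATE_ATTR);
            if (expected == null || !expected.equals(request.getParameter("state"))) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "state mismatch");
                return;
            }
            // error=login_required: stay anonymous. code=...: the adapter's code
            // exchange runs further down the chain. Both mean: checked this session.
            session.setAttribute(CHECKED_ATTR, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }

        boolean alreadyChecked = session.getAttribute(CHECKED_ATTR) != null;
        if (request.getUserPrincipal() != null || alreadyChecked
                || !"GET".equals(request.getMethod())) {
            chain.doFilter(req, res); // logged in, already checked, or not a navigable GET
            return;
        }

        // First anonymous GET in this session: one silent login attempt.
        String state = newState();
        session.setAttribute(STATE_ATTR, state);
        session.setAttribute(CHECKED_ATTR, Boolean.TRUE);
        String redirectUri = request.getRequestURL().toString();
        response.sendRedirect(loginUrl
                + "?response_type=code"
                + "&prompt=none"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state));
    }

    @Override
    public void destroy() { }

    private static String newState() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    private static String enc(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

The `CHECKED_ATTR` flag is what keeps the latency cost to a single redirect per browser session rather than one per page view, and `error=login_required` is the OpenID Connect response for a `prompt=none` request when the user has no session at the provider; a front page that reads `request.getUserPrincipal()` (as in the JSP above) then renders the anonymous or the logged-in variant without any application-specific login code.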