[keycloak-dev] Automatically login user to application when logged into realm

Bill Burke bburke at redhat.com
Fri Oct 25 09:39:39 EDT 2013 

FWIW, Amazon does not have SSO.  It has shared credentials, but not SSO. 
  Tried it out on audible.com and amazon.  Lovefilm doesn't even 
recognize my amazon account.

Also GMAIL redirects automatically to an unprotected login page.  My 
bank, brokerage, redirects automatically to an unprotected login or 
front page where I can log in.  So, I know you think its absurd, but 
pretty much any site where security is even remotely important, an 
automatic redirect happens to an unprotected page.   A better example 
would have been a news article or forum where you can read articles and 
comments but can't post comments until you log in.

So in summary:
* I'm not against no-forms call.  I even said so, 2-3 emails ago.
* After reviewing the jboss web adapter, a "login-check" could be done 
by the adapter.  You just won't be able to have a page that can be both 
protected or unprotected.
* I'm wary of the keycloak.js approach as it requires public application 
credentials which opens up keycloak for additional attacks.  Read the 
OAuth spec for more details.  I'm not sure how realistic some of the 
attacks are, but they do exist.

I"ll have to review, but I'm not sure OpenID fits with the goals of 
Keycloak.  OAuth is about granting access while OpenID is about 
establishing the identity of the user.

On 10/25/2013 4:52 AM, Stian Thorgersen wrote:
> OpenID connect has this option. This is a spec we should look at and seriously consider adding support for.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 24 October, 2013 4:16:44 PM
>> Subject: Re: [keycloak-dev] Automatically login user to application when logged into realm
>>
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, 24 October, 2013 2:52:59 PM
>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>> logged into realm
>>>
>>> Yeah, I saw amazon example.  I think your amazon example is different
>>> because they don't have to worry about single sign on.
>>
>> Amazon has SSO with LoveFilm! Are you really still claiming that the use-case
>> I have where an application wants to do single-sign-on and have pages that
>> adapt to whether or not a user is logged in (instead of simply showing a
>> login form) is not something people are going to want to do? That's
>> certainly how I would like my web apps to work if I was writing them.
>>
>>>
>>> The current keycloak application adapter build on top of servlet
>>> security and only requires a valve and the keycloak configuration file
>>> and it just works.  The style you are talking about would have to bypass
>>> servlet security entirely and require custom application code to work.
>>> This is why I don't think it should be promoted as a preferred solution.
>>
>> No it doesn't. The front-page for an application could have the following JSP
>> code:
>>
>> <%
>> if(request.getUserPrincipal() != null) {
>> %>
>>    <h2>Hello <%=request.getUserPrincipal%></h2>
>> <% } else { <%
>>    <h2>Click here to <a href="...">login</a></h2>
>> %>
>>
>> <ul class="menu">
>> <li><a href="public/index.html">Some public page</a></li>
>> <%
>> if(request.getUserPrincipal() != null) {
>>    <li><a href="private/index.html">Some restricted page</a></li>
>> }
>> %>
>>
>> When opening the front-page the prompt=none would be used to login a user if
>> the user is already logged in to the realm. If the user visits
>> 'private/index.html' first, then it should result in the login form if the
>> user is not already logged in, so in this case prompt=none wouldn't be used.
>>
>>>
>>> The preferred solution should be a server-side driven authentication
>>> with private client credentials for both javascript and old-school apps.
>>>    For Servlet environments, the constraints of servlet security should
>>> be used to keep setup simple.
>>>
>>>
>>> On 10/24/2013 9:00 AM, Stian Thorgersen wrote:
>>>> Yes it goes through accounts.google.com. Google often have different
>>>> regional behaviour though.
>>>>
>>>> Did you see the amazon example I wrote before? Did the same mistake of
>>>> replying twice again :/
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>> Sent: Thursday, 24 October, 2013 1:56:29 PM
>>>>> Subject: Re: [keycloak-dev] Automatically login user to application when
>>>>> logged into realm
>>>>>
>>>>> Weird.  Firefox 24 and IE 10 on Windows for me works the way I
>>>>> described.  What do the logged HTTP requests look like?  Does it go
>>>>> through accounts.google.com?
>>>>>
>>>>> On 10/24/2013 8:37 AM, Stian Thorgersen wrote:
>>>>>> By the way that's not how gmail.com works for me. I just tried to open
>>>>>> gmail.com in an incognito window and was redirected to
>>>>>> https://mail.google.com/intl/en-GB/mail/help/about.html, not a login
>>>>>> form.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>> Sent: Thursday, 24 October, 2013 1:13:40 PM
>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
>>>>>>> when
>>>>>>> logged into realm
>>>>>>>
>>>>>>> Not to drag this on, but take a look at how google does it.
>>>>>>>
>>>>>>> If you are not logged in, and you go to gmail.com, you are redirected
>>>>>>> immediately to accounts.google.com and you must log in there.  After
>>>>>>> you
>>>>>>> login you are redirected back to gmail.com.
>>>>>>>
>>>>>>> If you leave gmail.com and visit another website, then come back to
>>>>>>> gmail.com, it does an immediate redirect to accounts.google.com which
>>>>>>> then immediately redirects you back to gmail.
>>>>>>>
>>>>>>> So, I feel better.  I'm not so old school... :). Google works pretty
>>>>>>> much the same way the keycloak demo works.  There is one difference
>>>>>>> though that I i'm not sure if we should follow:  I'm guessing that to
>>>>>>> implement single sign off, Google will always redirect to
>>>>>>> accounts.google.com to check to see if you're logged in when you visit
>>>>>>> a
>>>>>>> google page.
>>>>>>>
>>>>>>>
>>>>>>> On 10/24/2013 5:17 AM, Stian Thorgersen wrote:
>>>>>>>> No worries, it's one of those things that happens with trying to
>>>>>>>> explain
>>>>>>>> something over email/IRC.
>>>>>>>>
>>>>>>>> I think it should be an optional feature support by all adapters. For
>>>>>>>> the
>>>>>>>> AS7 adapter I was thinking you'd specify it in 'resteasy-oauth.json'
>>>>>>>> ({..., 'auto-login' : true }?). If it's enabled and the first request
>>>>>>>> is
>>>>>>>> to an unsecured resource it would redirect to
>>>>>>>> 'auth/login?prompt=none'.
>>>>>>>> I'm happy to add a proposal to the AS7 adapter if you'd like.
>>>>>>>>
>>>>>>>
>>>>>>> I don't think this approach can work very well in old-school web apps,
>>>>>>> if at all.  For pure Servlet apps you're either accessing a secure
>>>>>>> area
>>>>>>> or you're not.  A URL can't be both secure and unsecure at the same
>>>>>>> time.  Plus, if you have any kind of latency, a full browser redirect
>>>>>>> just to check if you're logged in with the auth-server is going to be
>>>>>>> pretty ugly.
>>>>>>>
>>>>>>> The application adapter *DOES* still need an amILoggedIn REST call.
>>>>>>> By
>>>>>>> default it should just return:
>>>>>>>
>>>>>>> {
>>>>>>>        "loggedIn" : true,
>>>>>>>        "user" : "wburke"
>>>>>>> }
>>>>>>>
>>>>>>> If you set a flag in resteasy-oauth.json, it will also contain the
>>>>>>> access token
>>>>>>>
>>>>>>> {
>>>>>>>        loggedIn : true,
>>>>>>>        "user" : "wburke",
>>>>>>>        "token" : "asdfasdfasdfqwerqwer"
>>>>>>> }
>>>>>>>
>>>>>>> amILoggedIn would be authenticated by a http-only cookie.
>>>>>>>
>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>>>> Sent: Wednesday, 23 October, 2013 10:01:41 PM
>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to application
>>>>>>>>> when
>>>>>>>>> logged into realm
>>>>>>>>>
>>>>>>>>> I guess I see what you mean.  You want to be able to show a
>>>>>>>>> login/register links on the *application's* page and not just
>>>>>>>>> redirect
>>>>>>>>> immediately to the keycloak screens when you first visit the page.
>>>>>>>>> I
>>>>>>>>> guess I'm thinking too old school Java EE app that would
>>>>>>>>> automatically
>>>>>>>>> bring you to the login screen if you access secured content.  I feel
>>>>>>>>> like a dinosaur sometimes.  Too bad I still have 20 year until I
>>>>>>>>> retire.
>>>>>>>>>
>>>>>>>>> Apologies for wasting your time.
>>>>>>>>>
>>>>>>>>> Gonna have to figure out how to support this scenario for a
>>>>>>>>> traditional
>>>>>>>>> web app too.
>>>>>>>>>
>>>>>>>>> On 10/23/2013 3:58 PM, Stian Thorgersen wrote:
>>>>>>>>>> Yes I read your response and yes I have played with your demo.
>>>>>>>>>>
>>>>>>>>>> Let's then revisit this with the demo in mind, and you can tell me
>>>>>>>>>> where
>>>>>>>>>> I'm mistaken.
>>>>>>>>>>
>>>>>>>>>> I visit http://localhost:8080/customer-portal/. The urls
>>>>>>>>>> '/admins/*'
>>>>>>>>>> require the admin role and '/customers/*' requires the user role.
>>>>>>>>>> If
>>>>>>>>>> I
>>>>>>>>>> click on a link taking me to any of these pages the adapter
>>>>>>>>>> redirects
>>>>>>>>>> me
>>>>>>>>>> to the auth-server. In this case it works, as if I try to visit a
>>>>>>>>>> private
>>>>>>>>>> url I should be presented with a login form if I'm not already
>>>>>>>>>> logged
>>>>>>>>>> in.
>>>>>>>>>> So there's no problem that the adapter automatically redirects me
>>>>>>>>>> to
>>>>>>>>>> the
>>>>>>>>>> auth-server.
>>>>>>>>>>
>>>>>>>>>> Now, imagine that this is an real application. Where the front-page
>>>>>>>>>> would,
>>>>>>>>>> if the user is not logged in, show "Login" and "Register" links,
>>>>>>>>>> and
>>>>>>>>>> would
>>>>>>>>>> not show links to pages that an anonymous user is not allowed to
>>>>>>>>>> access
>>>>>>>>>> (for example 'Customer Listing'). If a user is logged in the
>>>>>>>>>> application
>>>>>>>>>> would not show 'Login' and 'Register' but instead show 'Hello User,
>>>>>>>>>> welcome back' and would include links to pages that particular user
>>>>>>>>>> is
>>>>>>>>>> allowed to access (for example if the current user had the role
>>>>>>>>>> user,
>>>>>>>>>> but
>>>>>>>>>> not admin, only the 'Customer Listing', not the 'Customer Admin
>>>>>>>>>> Interface'
>>>>>>>>>> link, would be displayed).
>>>>>>>>>>
>>>>>>>>>> How would I be able to implement that behaviour with the current
>>>>>>>>>> way
>>>>>>>>>> Keycloak works?
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>>>>>> Sent: Wednesday, 23 October, 2013 8:18:32 PM
>>>>>>>>>>> Subject: Re: [keycloak-dev] Automatically login user to
>>>>>>>>>>> application
>>>>>>>>>>> when
>>>>>>>>>>> logged into realm
>>>>>>>>>>>
>>>>>>>>>>> Did you even read my response?  I completely mapped out the entire
>>>>>>>>>>> flow
>>>>>>>>>>> of how it works *now* in our demo and how it could work with a
>>>>>>>>>>> pure
>>>>>>>>>>> HTML5 app.  Go play with the demo to understand things better
>>>>>>>>>>> maybe?
>>>>>>>>>>>
>>>>>>>>>>> You talkd about this before:
>>>>>>>>>>>       > A company has an internal Keycloak server, they have a
>>>>>>>>>>>       > single
>>>>>>>>>>>       > realm
>>>>>>>>>>> with multiple internal applications. All applications are hosted
>>>>>>>>>>> on
>>>>>>>>>>> different servers. Let's imagine this company is called Red Hat.
>>>>>>>>>>> The
>>>>>>>>>>> user, let's call him Stian, first goes to the OrangeHRM to book
>>>>>>>>>>> some
>>>>>>>>>>> long overdue holiday. He's not currently logged in to the realm so
>>>>>>>>>>> is
>>>>>>>>>>> is
>>>>>>>>>>> shown an anonymous access screen instead with a login link. Stian
>>>>>>>>>>> presses login, fills in username and password and successfully
>>>>>>>>>>> logs
>>>>>>>>>>> in
>>>>>>>>>>> to the realm. Now Stian wants to go to docspace, again Stian has
>>>>>>>>>>> to
>>>>>>>>>>> press the Login link, but doesn't have to provide a username or
>>>>>>>>>>> password, but instead is simply redirected back to the application
>>>>>>>>>>> as
>>>>>>>>>>> a
>>>>>>>>>>> logged in user. Stian is actually a bit confused about this as he
>>>>>>>>>>> just
>>>>>>>>>>> logged in to an application without providing a username or
>>>>>>>>>>> password.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> What you describe is not how our demo works nor will it ever work
>>>>>>>>>>> that
>>>>>>>>>>> way.  You log in once to the auth server, any app you visit knows
>>>>>>>>>>> who
>>>>>>>>>>> you are.  There's no need to click a "login" button when you visit
>>>>>>>>>>> a
>>>>>>>>>>> new
>>>>>>>>>>> site.  HTML5 app would work exactly the same way as any of the
>>>>>>>>>>> WARs
>>>>>>>>>>> in
>>>>>>>>>>> the Keycloak demo code except all the redirect and cookie
>>>>>>>>>>> processing
>>>>>>>>>>> would happen within Javascript within the browser. There's just no
>>>>>>>>>>> need
>>>>>>>>>>> for your extra "no-forms" invocation!  The login check is already
>>>>>>>>>>> built
>>>>>>>>>>> into the protocol.
>>>>>>>>>>>
>>>>>>>>>>> http://www.tizag.com/javascriptT/javascriptredirect.php
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Bill Burke
>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Bill Burke
>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>
>>>>> --
>>>>> Bill Burke
>>>>> JBoss, a division of Red Hat
>>>>> http://bill.burkecentral.com
>>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-dev mailing list