[keycloak-dev] Login with Access Token

Christian Beikov christian.beikov at gmail.com
Wed Dec 3 05:04:05 EST 2014


I was thinking of something like the following as a workaround

1. Create a hidden iframe in a webview that navigates to the login page of
the keycloak server.
2. Extract the state from the link of the Facebook login
3. Start the login with the native SDK
4. On success navigate in the iframe to the social callback
5. Use some keycloak token to act as the logged in user

Regarding 4. I am not sure what URL I should invoke exactly. I guess I have
to append the state parameter to it, but I couldn't find out exactly and I
haven't debugged that far yet.
Regarding 5. I don't know how to retrieve that keycloak token from the
iframe, but I hope there is a way.

For this to work I will probably have to add some CORS http headers that
will allow localhost so that the app can access the iframe. Although this
makes it vulnerable, since every localhost app could then "steal" the
keycloak token, it would do the job for now.

What do you think? Could that work?

2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian at redhat.com>:

> Keycloak generates a special state parameter. It consists of two parts, a
> signature and an id. The id is used to look up a session in Keycloak, while
> the signature is then used to verify that the specific request is valid (a
> session can only be used for one thing at a time, for example a social
> login). By design there's no way you can generate this yourself unless you
> have access to the Keycloak database.
>
> ----- Original Message -----
> > From: "Christian Beikov" <christian.beikov at gmail.com>
> > To: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 3 December, 2014 9:33:20 AM
> > Subject: Re: [keycloak-dev] Login with Access Token
> >
> > I am wondering how you do that. I know that there is a state parameter that
> > is added to the facebook login url, but I could just make an initial
> > request to keycloak to copy that, or did I understand something wrong?
> >
> > 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> >
> > > It's code that is currently changing as we're working on adding enterprise
> > > IdPs as well as the social IdPs we have at the moment.
> > >
> > > I think the correct approach would be to use the direct grant api, which
> > > currently lets you exchange a username + password for a Keycloak token; we
> > > could add an option here to pass in a token from an external IdP to
> > > exchange for an internal Keycloak token. If you're interested in looking at
> > > the code, look at OpenIDConnectService.grantAccessToken.
> > >
> > > There's no work-around that you can do due to security restrictions in
> > > Keycloak. Keycloak makes sure that the callback can only be called if it
> > > indeed made the original request.
> > >
> > > ----- Original Message -----
> > > > From: "Christian Beikov" <christian.beikov at gmail.com>
> > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > Sent: Wednesday, 3 December, 2014 9:11:55 AM
> > > > Subject: Re: [keycloak-dev] Login with Access Token
> > > >
> > > > Thanks for the quick answer. Could you maybe give me a hint on how I could
> > > > implement that in a quick-and-dirty way? Could I maybe do some iframe magic
> > > > in a hidden webview to do the login? I am not quite sure how the social
> > > > login works exactly. Facebook will redirect me back to the social callback
> > > > address after a login, but how does keycloak actually retrieve that access
> > > > token? If I knew that, I could maybe create a workaround for now and maybe
> > > > also contribute something? :)
> > > >
> > > > 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> > > >
> > > > > ----- Original Message -----
> > > > > > From: "Christian Beikov" <christian.beikov at gmail.com>
> > > > > > To: keycloak-dev at lists.jboss.org
> > > > > > Sent: Tuesday, 2 December, 2014 6:58:42 PM
> > > > > > Subject: [keycloak-dev] Login with Access Token
> > > > > >
> > > > > > Hello!
> > > > > >
> > > > > > I am new to OAuth so sorry if my question is dumb.
> > > > > > I have an App which wants to provide a custom and Facebook login. Since
> > > > > > many people already have the Facebook App installed, I thought it might be
> > > > > > better to give them the native experience and use the Facebook SDK to
> > > > > > implement the login.
> > > > > > The problem now is that I have the Access Token from the successful
> > > > > > Facebook login, but don't know how to properly login at the Keycloak
> > > > > > server with that.
> > > > > >
> > > > > > Any ideas on how to do that? Or is that even stupid and is there a better
> > > > > > way?
> > > > >
> > > > > Not at all a dumb question and we actually had someone else ask the same
> > > > > last week.
> > > > >
> > > > > Currently, Keycloak does not support this flow, but it is something we may
> > > > > consider adding.
> > > > >
> > > > > > --
> > > > > >
> > > > > > Kind regards,
> > > > > >
> > > > > > Christian Beikov
> > > > > >
> > > > > > _______________________________________________
> > > > > > keycloak-dev mailing list
> > > > > > keycloak-dev at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > >
> > > >
> > > > --
> > > >
> > > > Kind regards,
> > > >
> > > > *Christian Beikov*
> > > > Blazebit Design & Developing
> > > > http://www.blazebit.com
> > >
> >
> > --
> >
> > Kind regards,
> >
> > *Christian Beikov*
> > Blazebit Design & Developing
> > http://www.blazebit.com
>



--

Kind regards,

*Christian Beikov*
Blazebit Design & Developing
http://www.blazebit.com
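The two-part state parameter that Stian describes in the quoted reply (an id that looks up a pending session, plus a signature that proves the server issued that state for that one purpose) is the property that makes the "copy the state from the login URL" workaround fail. The following is an added illustration written for this thread, not Keycloak's own code: it assumes an HMAC-SHA256 signature under a server-held key and an in-memory dict as the session store, both stand-ins for whatever Keycloak actually uses. It shows the checks a callback endpoint performs and which tampered or replayed inputs each check rejects.

```python
import base64
import hashlib
import hmac
import secrets


class StateStore:
    """Server-side model of a signed, single-use OAuth "state" value.

    A state is "<signature>.<id>". The id looks up a pending session in the
    server's own store; the signature is an HMAC over the id and the purpose
    the session was issued for, under a key only the server holds. Verifying
    therefore needs both the key and the session row, which is why a state
    cannot be assembled by anyone without access to the server's data.
    Constructed illustration; this is not Keycloak's implementation.
    """

    def __init__(self, secret_key: bytes):
        self._key = secret_key
        self._sessions = {}  # id -> {"purpose": str, "used": bool}

    def _sign(self, session_id: str, purpose: str) -> str:
        mac = hmac.new(self._key, f"{session_id}:{purpose}".encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def issue_state(self, purpose: str) -> str:
        # token_urlsafe never contains ".", so the separator is unambiguous
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = {"purpose": purpose, "used": False}
        return f"{self._sign(session_id, purpose)}.{session_id}"

    def verify_state(self, state: str, purpose: str) -> bool:
        """True exactly once for a genuine, unused state issued for this purpose."""
        parts = state.split(".", 1)
        if len(parts) != 2:
            return False
        signature, session_id = parts
        session = self._sessions.get(session_id)
        if session is None or session["used"] or session["purpose"] != purpose:
            return False
        # constant-time comparison against the signature recomputed under the server key
        if not hmac.compare_digest(signature, self._sign(session_id, purpose)):
            return False
        session["used"] = True  # a session serves one callback, then it is spent
        return True


def demo() -> dict:
    """Exercise the store with the cases the thread discusses; returns the outcomes."""
    server = StateStore(secret_key=secrets.token_bytes(32))  # constructed server key
    results = {}

    # Genuine state: accepted once at the social callback, rejected on replay.
    state = server.issue_state("social-login")
    results["genuine_first_use"] = server.verify_state(state, "social-login")
    results["genuine_replay"] = server.verify_state(state, "social-login")

    # A state issued for one purpose is not valid for another.
    state2 = server.issue_state("social-login")
    results["wrong_purpose"] = server.verify_state(state2, "password-reset")

    # Copying the id out of a real login URL and re-signing it under some other
    # key yields a state the server rejects: the check needs the server's key.
    _, copied_id = state2.split(".", 1)
    other_mac = hmac.new(b"not-the-server-key", f"{copied_id}:social-login".encode(), hashlib.sha256).digest()
    resigned = base64.urlsafe_b64encode(other_mac).decode().rstrip("=") + "." + copied_id
    results["resigned_copy"] = server.verify_state(resigned, "social-login")

    # An id that was never issued has no session row, even with a correct signature.
    results["unknown_id"] = server.verify_state(server._sign("nope", "social-login") + ".nope", "social-login")

    # Malformed input is rejected before any lookup.
    results["malformed"] = server.verify_state("no-separator", "social-login")

    # The rejected attempts did not consume state2; its genuine holder can still use it.
    results["genuine_after_rejections"] = server.verify_state(state2, "social-login")
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:26s} accepted={accepted}")
```

Three details carry the security property: the signature is bound to the purpose, so a session opened for one flow cannot be redirected into another; the session is marked used on the first successful callback, so a state copied out of a URL is worthless once the original flow completes; and failed verifications leave the session untouched, so a stray request cannot lock out the legitimate browser that started the login.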