[keycloak-dev] Login with Access Token

Stian Thorgersen stian at redhat.com
Tue Dec 16 09:17:38 EST 2014 


----- Original Message -----
> From: "Christian Beikov" <christian.beikov at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 16 December, 2014 12:42:26 PM
> Subject: Re: [keycloak-dev] Login with Access Token
> 
> Is there a JIRA issue for that feature? I would like to help with this
> regard since I really would like to see support for that in an upcoming
> release.

I've just created https://issues.jboss.org/browse/KEYCLOAK-890. If you'd like to look at it that'd be great as we have loads of work atm, so not sure we'd have time ourselves. One thing to note is that we'd have to start with a POC and review it first. I can't guarantee that it's something we'd actually add either.

> 
> Mit freundlichen Grüßen,
> ------------------------------------------------------------------------
> *Christian Beikov*
> Am 03.12.2014 um 12:31 schrieb Stian Thorgersen:
> > Just thought of a reason why it won't work. The link to login with Facebook
> > is to the Keycloak server, which then sets the required state before
> > redirecting to Facebook.
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Christian Beikov" <christian.beikov at gmail.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Wednesday, 3 December, 2014 12:30:03 PM
> >> Subject: Re: [keycloak-dev] Login with Access Token
> >>
> >> The callback to Keycloak expects a code, not a token, so I don't think it
> >> would work unless you modify Keycloak's Facebook provider. I can't think
> >> of
> >> any other reasons why it wouldn't work.
> >>
> >> ----- Original Message -----
> >>> From: "Christian Beikov" <christian.beikov at gmail.com>
> >>> To: "Stian Thorgersen" <stian at redhat.com>
> >>> Cc: keycloak-dev at lists.jboss.org
> >>> Sent: Wednesday, 3 December, 2014 11:04:05 AM
> >>> Subject: Re: [keycloak-dev] Login with Access Token
> >>>
> >>> I was thinking of something like the following as a workaround
> >>>
> >>> 1. Create a hidden iframe in a webview that navigates to the login page
> >>> of
> >>> the keycloak server.
> >>> 2. Extract the state from the link of the Facebook login
> >>> 3. Start the login with the native SDK
> >>> 4. On success navigate in the iframe to the social callback
> >>> 5. Use some keycloak token to act as the logged in user
> >>>
> >>> Regarding 4. I am not sure what URL I should invoke exactly. I guess I
> >>> have
> >>> to append the state parameter to it, but I couldn't find out exactly and
> >>> I
> >>> haven't debugged that far yet.
> >>> Regarding 5. I don't know how to retrieve that keycloak token from the
> >>> iframe, but I hope there is a way.
> >>>
> >>> For this to work I will probably have to add some CORS http headers that
> >>> will allow localhost so that the app can access the iframe. Although this
> >>> makes it vulnerable, since every localhost app could then "steal" the
> >>> keycloak token, it would do the job for now.
> >>>
> >>> What do you think? Could that work?
> >>>
> >>> 2014-12-03 9:43 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> >>>
> >>>> Keycloak generates a special state parameter. It consists of two parts,
> >>>> a
> >>>> signature and an id. The id is used to lookup a session in Keycloak,
> >>>> while
> >>>> the signature is then used to verify that specific request is valid (a
> >>>> session can only be used for one thing at a time, for example a social
> >>>> login). By design there's no way you can generate this yourself unless
> >>>> you
> >>>> have access to the Keycloak database.
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Christian Beikov" <christian.beikov at gmail.com>
> >>>>> To: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
> >>>>> Sent: Wednesday, 3 December, 2014 9:33:20 AM
> >>>>> Subject: Re: [keycloak-dev] Login with Access Token
> >>>>>
> >>>>> I am wondering how you do that. I know that there is a state parameter
> >>>> that
> >>>>> is added to the facebook login url, but I could just make an initial
> >>>>> request to keycloak to copy that, or did I understand something wrong?
> >>>>>
> >>>>> 2014-12-03 9:22 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> >>>>>
> >>>>>> It's code that is currently changing as we're working on adding
> >>>> enterprise
> >>>>>> IdP's as well as social IdP's we have at the moment.
> >>>>>>
> >>>>>> I think the correct approach would be to use the direct grant api,
> >>>> which
> >>>>>> currently lets you exchange a username + password for a Keycloak
> >>>> token, we
> >>>>>> could add an option here to pass in a token from an external IdP to
> >>>>>> exchange for a internal Keycloak token. If you're interested in
> >>>> looking at
> >>>>>> the code look at OpenIDConnectService.grantAccessToken.
> >>>>>>
> >>>>>> There's no work-around that you can do due to security restrictions
> >>>>>> in
> >>>>>> Keycloak. Keycloak makes sure that the callback can only be called if
> >>>> it
> >>>>>> indeed made the original request.
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Christian Beikov" <christian.beikov at gmail.com>
> >>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>> Sent: Wednesday, 3 December, 2014 9:11:55 AM
> >>>>>>> Subject: Re: [keycloak-dev] Login with Access Token
> >>>>>>>
> >>>>>>> Thanks for the quick answer. Could you maybe give me a hint on how
> >>>>>>> I
> >>>>>> could
> >>>>>>> implement that in a quick-and-dirty way? Could I maybe do some
> >>>>>>> iframe
> >>>>>> magic
> >>>>>>> in a hidden webview to do the login? I am not quite sure how the
> >>>> social
> >>>>>>> login works exactly. Facebook will redirect me back to the social
> >>>>>> callback
> >>>>>>> address after a login, but how does keycloak actually retrieve that
> >>>>>> access
> >>>>>>> token? If I knew that, I could maybe create a workaround for now
> >>>>>>> and
> >>>>>> maybe
> >>>>>>> also contribute something? :)
> >>>>>>>
> >>>>>>> 2014-12-03 8:48 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> >>>>>>>
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Christian Beikov" <christian.beikov at gmail.com>
> >>>>>>>>> To: keycloak-dev at lists.jboss.org
> >>>>>>>>> Sent: Tuesday, 2 December, 2014 6:58:42 PM
> >>>>>>>>> Subject: [keycloak-dev] Login with Access Token
> >>>>>>>>>
> >>>>>>>>> Hello!
> >>>>>>>>>
> >>>>>>>>> I am new to OAuth so sorry if my question is dumb.
> >>>>>>>>> I have an App which wants to provide a custom and Facebook
> >>>>>>>>> login.
> >>>>>> Since
> >>>>>>>> many
> >>>>>>>>> people already have the Facebook App installed, I thought it
> >>>> might be
> >>>>>>>> better
> >>>>>>>>> to give them the native experience and use the Facebook SDK to
> >>>>>> implement
> >>>>>>>> the
> >>>>>>>>> login.
> >>>>>>>>> The problem now is, that I have the Access Token from the
> >>>> successful
> >>>>>>>> Facebook
> >>>>>>>>> login, but don't know how to properly login at the Keycloak
> >>>> server
> >>>>>> with
> >>>>>>>>> that.
> >>>>>>>>>
> >>>>>>>>> Any ideas on how to do that? Or is that even stupid and is
> >>>>>>>>> there
> >>>> a
> >>>>>> better
> >>>>>>>>> way?
> >>>>>>>> Not at all a dumb question and we actually had someone else ask
> >>>>>>>> the
> >>>>>> same
> >>>>>>>> last week.
> >>>>>>>>
> >>>>>>>> Currently, Keycloak does not support this flow, but it something
> >>>> we may
> >>>>>>>> consider adding.
> >>>>>>>>
> >>>>>>>>> --
> >>>>>>>>>
> >>>>>>>>> Mit freundlichen Grüßen,
> >>>>>>>>>
> >>>>>>>>> Christian Beikov
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> keycloak-dev mailing list
> >>>>>>>>> keycloak-dev at lists.jboss.org
> >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>>
> >>>>>>> Mit freundlichen Grüßen,
> >>>>>>>
> >>>>>>>
> >>>>>>> *Christian Beikov*Blazebit Design & Developing
> >>>>>>> http://www.blazebit.com
> >>>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>>
> >>>>> Mit freundlichen Grüßen,
> >>>>>
> >>>>>
> >>>>> *Christian Beikov*Blazebit Design & Developing
> >>>>> http://www.blazebit.com
> >>>>>
> >>>
> >>>
> >>> --
> >>>
> >>> Mit freundlichen Grüßen,
> >>>
> >>>
> >>> *Christian Beikov*Blazebit Design & Developing
> >>> http://www.blazebit.com
> >>>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
>

More information about the keycloak-dev mailing list