[keycloak-dev] Support for installed applications added (including example)

Stian Thorgersen stian at redhat.com
Fri Mar 7 09:13:35 EST 2014 


----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 7 March, 2014 1:26:50 PM
> Subject: Re: [keycloak-dev] Support for installed applications added (including example)
> 
> Couuldn't a lot of the example be pulled into an adapter library and
> reused?  

Yes, that would be good. I mainly wanted to tick the box that we support installed applications. With these redirect uris we can claim we support CLI, desktop apps, etc..

> Also, is there any security hole you've introduced with being
> able to cut/paste the access token from the browser?  If there is a
> public client, can a hacker now get an access token?

Don't think so. It's just the code that's available not the token, and that's available from the query param in either case. It just displays it in the title and page instead.

BTW this is exactly what Google provides (https://developers.google.com/accounts/docs/OAuth2InstalledApp). 

> 
> Another thing, Android and iOS native apps can redirect to the browser
> (and vice versa), wouldn't that approach be used in mobile over this?

For iOS, and probably Android as well, a custom URL scheme is used to redirect to the application itself (something like myapp://oauth2?code=<...>).

I'm working on Cordova ATM and it's using http://localhost, but it's a bit of cheat as it doesn't start a web server instead of just gets the code and closes the browser before the page not found is displayed to the user.

> 
> On 3/6/2014 7:15 AM, Stian Thorgersen wrote:
> > Support for installed applications in form of two special redirect uris
> > (urn:ietf:wg:oauth:2.0:oob and http://localhost) has been added.
> >
> > There's also a basic example. To try it out start the server as normal,
> > create an app for it (mark it as public). Download the keycloak.json file.
> > Then run:
> >
> > # mvn -pl examples/demo-template/customer-app-cli install exec:java
> > -Dexec.args="<path to keycloak.json>"
> >
> > You can then run different commands to try it out. It has two different
> > ways to login the user:
> >
> > * login-desktop: this opens a ServerSocket on a local port, opens the login
> > url in the browser, after login the ServerSocket is used to retrieve the
> > code
> > * login-manual: this uses the 'urn:ietf:wg:oauth:2.0:oob' redirect to
> > display the code in the browser and the user has to manually copy/paste
> > this into the application
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list