[keycloak-dev] Ok to have no direct links to...

Bruno Oliveira bruno at abstractj.org
Wed Oct 1 03:37:59 EDT 2014


Hi Stian, that's cool if it's planned for the further releases.

The major concern here is about a vulnerability which can be exploited on
Android < 4.2 — most of Android devices
(http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface).

We can go with Webview and improve later.

Thanks a lot.

On 2014-10-01, Stian Thorgersen wrote:
> I agree that a non-webview approach may have benefits. However, there's a lot of functionality that would have to be reproduced for all platforms. Alternatively, we could support a limited set of functionality without a webview, and if anything else is required use a webview, or even pop up the browser.
>
> On Android, Google uses a webview if you have Google Authenticator enabled.
>
> For a complete experience the following is currently required:
>
> * Login (username/password)
>   - Social logins (configurable through realm)
>   - Recover password link
>   - Registration link
>   - Remember me option
> * Multi-factor authentication (soon we'll support pluggable auth mechanisms)
> * Registration page (fields will be configurable in the future)
> * Required actions (update profile, reset password, verify email, configure totp)
>
> Then there's also single-sign on/out to consider.
>
> All of the above can be done in a native way already by just doing the same HTTP posts as the login forms do. However, even a basic login would be tricky to do due to multi-factor authentication.
>
> ----- Original Message -----
> > From: "Bruno Oliveira" <bruno at abstractj.org>
> > To: "Summers Pittman" <supittma at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 1 October, 2014 1:06:13 AM
> > Subject: Re: [keycloak-dev] Ok to have no direct links to...
> >
> > Back from vacations. I think it would be nice, if they don't exist already,
> > to have endpoints like Corinne mentioned.
> >
> > Webviews from the security side of the things are a bad idea for mobile apps.
> > I wouldn't like
> > to use that if possible.
> >
> > On 2014-09-30, Summers Pittman wrote:
> > > On 9/30/2014 9:31 AM, Bill Burke wrote:
> > > >
> > > > On 9/30/2014 9:28 AM, Corinne Krych wrote:
> > > >> On 26 Sep 2014, at 17:27, Bill Burke <bburke at redhat.com> wrote:
> > > >>
> > > >>> I need some input.
> > > >>>
> > > >>> It is ok for, registration page and social link buttons to only be
> > > >>> linkable from within a Keycloak login page?
> > > >>>
> > > >> When you say Keycloak login page, does it have to be a web-based page?
> > > >>
> > > >> What about mobile native app?
> > > >> It would be nice to have the option for an iOS mobile app to add
> > > >> “MykeycloakServername login” customizable button from the native app
> > > >> sdk.
> > > >> Like the Google+ button for example:
> > > >> https://developers.google.com/+/mobile/ios/sign-in
> > > >>
> > > > Somebody on the Aerogear project implemented something like this for
> > > > Android.  They may be doing the same for iOS too.
> > > I have no plans on doing things for iOS. The Android Authenticator just
> > > displays a webview of the login page and detects when the "code"
> > > parameter is in the response URI.
> > > >
> > > > Bill
> > > >
> > >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914

--

abstractj
PGP: 0x84DC9914
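As an added illustration of the webview approach Summers describes above (example code, not the AeroGear Android Authenticator or any Keycloak code): a WebViewClient that watches for the redirect URI carrying the "code" parameter, checks the OAuth state value, and registers no JavaScript bridge, which is the surface behind the Android < 4.2 addJavascriptInterface issue Bruno cites. The redirect URI, the state value and the Callback interface are assumptions.

```java
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Hypothetical login client: shows the Keycloak login page, captures the code. */
public class LoginWebViewClient extends WebViewClient {

    /** Hypothetical result interface for the hosting Activity. */
    public interface Callback {
        void onCode(String code);
        void onError(String reason);
    }

    private final String redirectUri;   // assumption, e.g. "myapp://oauth/callback"
    private final String expectedState; // random value the app sent in the login request
    private final Callback callback;

    public LoginWebViewClient(String redirectUri, String expectedState, Callback callback) {
        this.redirectUri = redirectUri;
        this.expectedState = expectedState;
        this.callback = callback;
    }

    /** Give the login page no bridge into the app: never call addJavascriptInterface. */
    public static void configure(WebView view, LoginWebViewClient client) {
        WebSettings settings = view.getSettings();
        settings.setJavaScriptEnabled(false);   // enable only if the login theme needs it
        settings.setAllowFileAccess(false);      // the page has no business reading local files
        view.setWebViewClient(client);
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (!url.startsWith(redirectUri)) {
            return false;                        // still inside the login flow, let it load
        }
        view.stopLoading();                      // never actually navigate to the redirect
        Uri uri = Uri.parse(url);
        String error = uri.getQueryParameter("error");
        String state = uri.getQueryParameter("state");
        String code = uri.getQueryParameter("code");
        if (error != null) {
            callback.onError(error);             // server-side denial, e.g. access_denied
        } else if (state == null || !state.equals(expectedState)) {
            callback.onError("state mismatch");  // redirect was not for our request
        } else if (code == null) {
            callback.onError("no code in redirect");
        } else {
            callback.onCode(code);               // exchange for tokens over plain HTTPS next
        }
        return true;
    }
}
```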

