[keycloak-dev] Ok to have no direct links to...

Stian Thorgersen stian at redhat.com
Wed Oct 1 03:53:16 EDT 2014



----- Original Message -----
> From: "Bruno Oliveira" <bruno at abstractj.org>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Summers Pittman" <supittma at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Wednesday, 1 October, 2014 9:37:59 AM
> Subject: Re: [keycloak-dev] Ok to have no direct links to...
> 
> Hi Stian, that's cool if it's planned for the further releases.

We haven't planned anything (have we?). With regards to SDKs for Android and iOS (and that pesky Windows thing) we're hoping to delegate it all to you guys ;)

> 
> The major concern here is about a vulnerability which can be exploited on
> Android < 4.2 — most of Android devices
> (http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface).

There's no JS in Keycloak login forms or account management, it's all just plain old HTML. Maybe it's possible to disable JS in the webviews which would eliminate this exploit?

> 
> We can go with Webview and improve later.
> 
> Thanks a lot.
> 
> On 2014-10-01, Stian Thorgersen wrote:
> > I agree that a non-webview approach may have benefits. However, there's a
> > lot of functionality that would have to be reproduced for all platforms.
> > Alternatively, we could support a limited set of functionality without a
> > webview, and if anything else is required use a webview, or even pop up
> > the browser.
> >
> > On Android, Google uses a webview if you have Google Authenticator enabled.
> >
> > For a complete experience the following is currently required:
> >
> > * Login (username/password)
> >   - Social logins (configurable through realm)
> >   - Recover password link
> >   - Registration link
> >   - Remember me option
> > * Multi-factor authentication (soon we'll support pluggable auth
> > mechanisms)
> > * Registration page (fields will be configurable in the future)
> > * Required actions (update profile, reset password, verify email, configure
> > totp)
> >
> > Then there's also single-sign on/out to consider.
> >
> > All of the above can be done in a native way already by just doing the same
> > HTTP posts as the login forms do. However, even a basic login would be
> > tricky to do due to multi-factor authentication.
> >
> > ----- Original Message -----
> > > From: "Bruno Oliveira" <bruno at abstractj.org>
> > > To: "Summers Pittman" <supittma at redhat.com>
> > > Cc: keycloak-dev at lists.jboss.org
> > > Sent: Wednesday, 1 October, 2014 1:06:13 AM
> > > Subject: Re: [keycloak-dev] Ok to have no direct links to...
> > >
> > > Back from vacations, I think it would be nice to have endpoints like
> > > Corinne mentioned, if they don't exist already.
> > >
> > > Webviews from the security side of the things are a bad idea for mobile
> > > apps.
> > > I wouldn't like
> > > to use that if possible.
> > >
> > > On 2014-09-30, Summers Pittman wrote:
> > > > On 9/30/2014 9:31 AM, Bill Burke wrote:
> > > > >
> > > > > On 9/30/2014 9:28 AM, Corinne Krych wrote:
> > > > >> On 26 Sep 2014, at 17:27, Bill Burke <bburke at redhat.com> wrote:
> > > > >>
> > > > >>> I need some input.
> > > > >>>
> > > > >>> Is it ok for the registration page and social link buttons to only be
> > > > >>> linkable from within a Keycloak login page?
> > > > >>>
> > > > >> When you say Keycloak login page, does it have to be a web-based page?
> > > > >>
> > > > >> What about mobile native app?
> > > > >> It would be nice to have the option for an iOS mobile app to add
> > > > >> “MykeycloakServername login” customizable button from the native app
> > > > >> sdk.
> > > > >> Like the Google+ button for example:
> > > > >> https://developers.google.com/+/mobile/ios/sign-in
> > > > >>
> > > > > Somebody on the Aerogear project implemented something like this for
> > > > > Android.  They may be doing the same for iOS too.
> > > > I have no plans on doing things for iOS. The Android Authenticator just
> > > > displays a webview of the login page and detects when the "code"
> > > > parameter is in the response URI.
> > > > >
> > > > > Bill
> > > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> 
> --
> 
> abstractj
> PGP: 0x84DC9914
> 
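The two ideas raised in the thread, turning JavaScript off in the login webview so the addjavascriptinterface exploit has nothing to reach, and detecting the "code" parameter on the redirect URI the way the AeroGear Android Authenticator does, fit in one small Android Activity. The code below is an added example written for this page; it is not Keycloak or AeroGear code. The authorization endpoint, client id and redirect URI are placeholders (the real endpoint path depends on the Keycloak version and realm), and the `state` check is a standard OAuth addition that the thread does not mention.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.math.BigInteger;
import java.security.SecureRandom;

// Added example, not project code: a login WebView hardened against the
// webview_addjavascriptinterface issue, catching the OAuth "code" on redirect.
public class LoginWebViewActivity extends Activity {
    public static final String EXTRA_CODE = "code";
    public static final String EXTRA_ERROR = "error";

    // Placeholders (assumptions): real values come from the realm and client
    // configuration, and the endpoint path depends on the Keycloak version.
    private static final String AUTH_ENDPOINT = "https://sso.example.com/authorize";
    private static final String CLIENT_ID = "android-app";
    private static final String REDIRECT_URI = "app://callback";

    private String expectedState;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        hardenSettings(webView.getSettings());

        // Deliberately no webView.addJavascriptInterface(...) call: an exposed
        // Java object is what the exploit abuses on Android < 4.2, where every
        // public method of that object is reachable from page JavaScript
        // (API 17+ only exposes @JavascriptInterface-annotated methods).

        // Random state ties the redirect back to this request (standard OAuth).
        expectedState = new BigInteger(128, new SecureRandom()).toString(32);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                if (!url.startsWith(REDIRECT_URI)) {
                    return false; // ordinary login/registration pages load normally
                }
                Uri redirect = Uri.parse(url);
                String code = redirect.getQueryParameter("code");
                if (!expectedState.equals(redirect.getQueryParameter("state"))) {
                    finishWithError("state_mismatch"); // not a reply to our request
                } else if (code != null) {
                    finishWithCode(code);
                } else {
                    finishWithError(redirect.getQueryParameter("error"));
                }
                return true; // consume the custom-scheme redirect, never load it
            }
        });
        webView.loadUrl(buildAuthUrl(expectedState));
    }

    static void hardenSettings(WebSettings settings) {
        settings.setJavaScriptEnabled(false); // login pages are plain HTML per the thread
        settings.setAllowFileAccess(false);   // no file:// access from page content
        settings.setSavePassword(false);      // keep credentials out of the WebView store
    }

    private static String buildAuthUrl(String state) {
        return Uri.parse(AUTH_ENDPOINT).buildUpon()
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("redirect_uri", REDIRECT_URI)
                .appendQueryParameter("state", state)
                .build().toString();
    }

    private void finishWithCode(String code) {
        // The caller exchanges the code for tokens with a plain HTTPS POST to the
        // token endpoint, off the UI thread; that exchange is not shown here.
        setResult(RESULT_OK, new Intent().putExtra(EXTRA_CODE, code));
        finish();
    }

    private void finishWithError(String error) {
        setResult(RESULT_CANCELED,
                new Intent().putExtra(EXTRA_ERROR, error == null ? "unknown" : error));
        finish();
    }
}
```

Start the Activity with `startActivityForResult` and read `EXTRA_CODE` from the result Intent. Disabling JavaScript only removes the exposure while the pages served really are script-free; if a realm theme or a social login provider's page needs script, the safer route on the affected Android versions is to hand the login off to the system browser rather than re-enable JavaScript in an app WebView.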