[keycloak-dev] Ok to have no direct links to...

Corinne Krych corinnekrych at gmail.com
Wed Oct 1 05:19:56 EDT 2014


On 01 Oct 2014, at 09:53, Stian Thorgersen <stian at redhat.com> wrote:

> 
> 
> ----- Original Message -----
>> From: "Bruno Oliveira" <bruno at abstractj.org>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: "Summers Pittman" <supittma at redhat.com>, keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 1 October, 2014 9:37:59 AM
>> Subject: Re: [keycloak-dev] Ok to have no direct links to...
>> 
>> Hi Stian, that's cool if it's planned for the further releases.
> 
> We haven't planned anything (have we?). With regards to SDKs for Android and iOS (and that pesky Windows thing) we're hoping to delegate it all to you guys ;)


Let’s hold the discussion here. Let me do a demo app on my side in iOS and get back to you just to make sure I can implement it.
What I want is an OpenID Connect authz code flow as described in the spec:
http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

without an embedded browser but rather an external browser, as we used for the OAuth2 authz code.

Stian, do I have all I need on Keycloak to configure it this way? That was my original question...
Maybe with a sample test we can clear up the misunderstanding...


> 
>> 
>> The major concern here is about a vulnerability which can be exploited on
>> Android < 4.2 — most Android devices
>> (http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface).
> 
> There's no JS in Keycloak login forms or account management, it's all just plain-old html. Maybe it's possible to disable JS in the webviews which would eliminate this exploit?
> 
>> 
>> We can go with Webview and improve later.
>> 
>> Thanks a lot.
>> 
>> On 2014-10-01, Stian Thorgersen wrote:
>>> I agree that a non-webview approach may have benefits. However, there's a
>>> lot of functionality that would have to be reproduced for all platforms.
>>> Alternatively, we could support a limited set of functionality without a
>>> webview, and if anything else is required use a webview, or even pop up
>>> the browser.
>>> 
>>> On Android, Google uses a webview if you have Google Authenticator enabled.
>>> 
>>> For a complete experience the following is currently required:
>>> 
>>> * Login (username/password)
>>>  - Social logins (configurable through realm)
>>>  - Recover password link
>>>  - Registration link
>>>  - Remember me option
>>> * Multi-factor authentication (soon we'll support pluggable auth
>>> mechanisms)
>>> * Registration page (fields will be configurable in the future)
>>> * Required actions (update profile, reset password, verify email, configure
>>> totp)
>>> 
>>> Then there's also single-sign on/out to consider.
>>> 
>>> All of the above can be done in a native way already by just doing the same
>>> HTTP posts as the login forms do. However, even a basic login would be
>>> tricky to do due to multi-factor authentication.
>>> 
>>> ----- Original Message -----
>>>> From: "Bruno Oliveira" <bruno at abstractj.org>
>>>> To: "Summers Pittman" <supittma at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Wednesday, 1 October, 2014 1:06:13 AM
>>>> Subject: Re: [keycloak-dev] Ok to have no direct links to...
>>>> 
>>>> Back from vacation. I think it would be nice, if they don't exist already, to
>>>> have endpoints like Corinne mentioned.
>>>> 
>>>> Webviews, from the security side of things, are a bad idea for mobile
>>>> apps. I wouldn't like to use that if possible.
>>>> 
>>>> On 2014-09-30, Summers Pittman wrote:
>>>>> On 9/30/2014 9:31 AM, Bill Burke wrote:
>>>>>> 
>>>>>> On 9/30/2014 9:28 AM, Corinne Krych wrote:
>>>>>>> On 26 Sep 2014, at 17:27, Bill Burke <bburke at redhat.com> wrote:
>>>>>>> 
>>>>>>>> I need some input.
>>>>>>>> 
>>>>>>>> It is ok for, registration page and social link buttons to only be
>>>>>>>> linkable from within a Keycloak login page?
>>>>>>>> 
>>>>>>> When you say Keycloak login page, does it have to be a web-based page?
>>>>>>> 
>>>>>>> What about a mobile native app?
>>>>>>> It would be nice to have the option for an iOS mobile app to add a
>>>>>>> “MykeycloakServername login” customizable button from the native app
>>>>>>> SDK.
>>>>>>> Like the Google+ button for example:
>>>>>>> https://developers.google.com/+/mobile/ios/sign-in
>>>>>>> 
>>>>>> Somebody on the Aerogear project implemented something like this for
>>>>>> Android.  They may be doing the same for iOS too.
>>>>> I have no plans on doing things for iOS. The Android Authenticator just
>>>>> displays a webview of the login page and detects when the "code"
>>>>> parameter is in the response URI.
>>>>>> 
>>>>>> Bill
>>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> 
>>>> --
>>>> 
>>>> abstractj
>>>> PGP: 0x84DC9914
>> 
>> --
>> 
>> abstractj
>> PGP: 0x84DC9914
>> 
> 
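The flow Corinne asks for above (authorization code flow driven from an external browser, with the app picking the "code" parameter out of the redirect as Summers describes for the Android Authenticator) looks like this on the client side. This is an added illustration, not code from the thread, from Keycloak or from AeroGear; the endpoint URLs, client id and the `myapp://` redirect scheme are assumed placeholders, and the callback URL in the `__main__` section is a constructed sample. The `state` check is what ties a callback delivered by the OS back to the request the app actually started, so a redirect the app did not initiate is rejected instead of having its code exchanged.

```python
"""Client side of an OpenID Connect authorization code flow that uses the
system browser instead of an embedded webview (added example, not from the
thread).  Endpoint URLs, client id and redirect scheme are assumed placeholders."""
import secrets
import urllib.parse

# Assumed placeholders: substitute the realm's real endpoints and the app's client id.
AUTH_ENDPOINT = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/auth"
TOKEN_ENDPOINT = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token"
REDIRECT_URI = "myapp://oidc/callback"   # custom URL scheme the native app registers
CLIENT_ID = "ios-demo-app"


def build_authorization_request(client_id, redirect_uri, scope="openid", state=None):
    """Return (url, state) for the front-channel request handed to the system browser.
    A fresh random state is generated unless the caller supplies one."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect the OS delivers to the app.
    Raises ValueError if the provider reported an error, the state does not match
    the request we issued, or no code is present."""
    parsed = urllib.parse.urlsplit(callback_url)
    query = urllib.parse.parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code, client_id, redirect_uri):
    """Form body for the back-channel exchange of the code at the token endpoint."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    })


if __name__ == "__main__":
    url, state = build_authorization_request(CLIENT_ID, REDIRECT_URI)
    print("open in system browser:", url)
    # Constructed sample of what the OS would hand back to the app via its URL scheme.
    sample_callback = f"{REDIRECT_URI}?state={state}&code=SplxlOBeZQQYbYS6WxSbIA"
    code = parse_callback(sample_callback, state)
    print("POST", TOKEN_ENDPOINT, build_token_request(code, CLIENT_ID, REDIRECT_URI))
```

The token request is only assembled here, not sent, so the script runs offline; in a real app the body goes to the token endpoint over TLS and the app never sees the user's password, which is the property that motivates leaving the webview out.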