[keycloak-dev] Native mobile OAuth2 keycloak flows

Corinne Krych corinnekrych at gmail.com
Mon Oct 6 09:59:55 EDT 2014


On 06 Oct 2014, at 15:18, Stian Thorgersen <stian at redhat.com> wrote:

> 
> 
> ----- Original Message -----
>> From: "Corinne Krych" <corinnekrych at gmail.com>
>> To: "keycloak-user at lists.jboss.org" <keycloak-dev at lists.jboss.org>
>> Sent: Monday, 6 October, 2014 11:09:11 AM
>> Subject: [keycloak-dev] Native mobile OAuth2 keycloak flows
>> 
>> Hello Keycloak team,
>> 
>> On native app, our aerogear-oauth2 sdk supports the following flows:
>> - oauth2 authz code (public client) bearer-only using external browser. See
>> Shoot demo.
>> - oauth2 refresh grant
>> - oauth2 revoke (using logout endpoint to revoke all refresh/access tokens).
>> 
>> We have an iOS demo [1] and its associated backend [2] which shows how to use
>> authz code grant on Google, Facebook and Keycloak using aerogear oauth2 sdk
>> [3]. For Android we have the same level of features [4] (just missing the Shoot
>> demo).
>> 
>> To come in next release:
>> - openID flow based on authz code (need an extra token decoding to get ID
>> information) with a UI button “login with your keycloak backend account”.
>> Thanks to Stian I managed the base64url decoding...
>> - direct grant (resource owner grant).
>> - basic auth support for confidential mode
>> 
>> I’m thinking of doing a Keycloak (only) HelloWorld demo which shows all the different
>> use cases.
>> 
>> Therefore the question: What other use cases do I miss? Feedback welcome.
> 
> A few things I can think of:
> 
> * SSO - on Android you can add shared accounts (SSO to multiple apps), is something like this available on iOS?
> * Social login through Keycloak - does this currently work? Again, does iOS have the concept of shared accounts for social networks, how can we utilize these?

iOS has shared social networks embedded in the OS directly, but it’s not open. It’s a place where you put your credentials.
But the iOS8 Social.framework is limited to a set of providers (Facebook, Twitter);
see my blog post on the subject:
http://corinnekrych.blogspot.fr/2014/06/different-ways-to-manage-facebook.html

One way to go for SSO will be to store the oauth2 token in the keychain (as we currently do) and use data sharing between keychains. I’ll dig into that one. Let’s track with:
https://issues.jboss.org/browse/AGIOS-285


> * Roles - Keycloak tokens contain permitted roles. Some applications may wish to show/hide features depending on permissions.
> 

Let me add a ticket for that to enhance Shoot demo.
https://issues.jboss.org/browse/AGIOS-286

Thanks Stian!

>> 
>> ++
>> Corinne
>> AeroGear iOS
>> ———————————
>> [1] https://github.com/aerogear/aerogear-ios-cookbook/tree/swift/Shoot
>> [2]
>> https://github.com/corinnekrych/aerogear-backend-cookbook/blob/master/Shoot/README.md
>> [3] https://github.com/aerogear/aerogear-ios-oauth2
>> [4] https://github.com/aerogear/aerogear-android-authz