[keycloak-user] Default client for a realm

Thomas Darimont thomas.darimont at googlemail.com
Tue Feb 9 11:18:59 EST 2016


Thanks for your input :)

The redirect would only work after a successful authentication,
so unauthenticated users couldn't "probe" the realm for clients / target
urls.

But I see your point that an authenticated "malicious" user could probe all
clients if he knew all clientIds (potentially via the new API).
Perhaps one could offer a way to define some kind of grouping concept to
describe
which clients that can see each other (client group?) - so only clients
from within the
same group would be eligible for such a redirect.

Btw. I adapted your suggestion regarding the endpoint path (which is now:
{realm}/clients/{client_id}/redirect)
and created a JIRA issue [0] and PR [1] with my current impl as a base for
further discussion.

> Another thing is that it is related to a feature we want to add at some
point.
> We'd like to be able to have a SSO > page that lists all clients,
including icons and links to the clients.
> This would have two use-cases:
> 1. As a landing page on SSO server, and as a way for users to find all
applications they can login to

This would be really helpful - is this supposed to replace the applications
section in the account page?

> 2. A rest service would enable applications to get a list of all clients
and provide a link
> to other applications in the realm (like Google does with the square
boxes icon)

This would also be very helpful, currently I pull the information with the
keycloak admin client
in order to render such a page. A dedicated endpoint that returns clients
metadata in JSON format
would be neat. Are you planning to just build a dedicated page of all apps
or also a html/js widget like the 9 square app selector?

[0] https://issues.jboss.org/browse/KEYCLOAK-2469
[1] https://github.com/keycloak/keycloak/pull/2202


2016-02-09 12:18 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:

> One concern with including this is if there's some potential way it can be
> a vulnerability.
>
> The only thing I can think of is that it allows figuring out the base url
> for a client. That could then be used to figure out valid redirect uris for
> a client. Don't think that's a huge deal though.
>
> Another thing is that it is related to a feature we want to add at some
> point. We'd like to be able to have a SSO page that lists all clients,
> including icons and links to the clients. This would have two use-cases:
> 1. As a landing page on SSO server, and as a way for users to find all
> applications they can login to
> 2. A rest service would enable applications to get a list of all clients
> and provide a link to other applications in the realm (like Google does
> with the square boxes icon)
>
> With that in mind it would be better if the URL for client redirect was
> "{realm}/clients/{client-id}/redirect" as that would allows us to use
> "{realm}/clients" in the future for the above feature. "{realm}/clients" is
> already used by ClientRegistrationService, but I think we can move that to
> "{realm}/clients/registration" as there's probably not that many people
> that are using the client registration service yet.
>
> On 9 February 2016 at 12:02, Thomas Darimont <
> thomas.darimont at googlemail.com> wrote:
>
>> Hello,
>>
>> any ideas regarding this?
>>
>> We need to link to a default application from several applications and it
>> would be helpful if keycloak would provide said redirect mechanism, such
>> that
>> each application would only need to know the clientId of the default
>> client application and keycloak performs the proper redirect to the actual
>> target application.
>>
>> The example posted earlier works like a charm. This could even be
>> extended to the point that in case no clientId is given keycloak can decide
>> which client to redirect to.
>>
>> Cheers,
>> Thomas
>>
>> 2016-02-05 19:05 GMT+01:00 Thomas Darimont <
>> thomas.darimont at googlemail.com>:
>>
>>> Quick update - I did some further experiments with this...
>>>
>>> I added /redirect path to the a
>>> org.keycloak.services.resources.RealmsResource
>>> like: @Path("{realm}/{client-id}/redirect")
>>> see code fragment below.
>>>
>>> This allows keycloak to initiate a redirect to the browser with the
>>> actual
>>> target url of the client. Other clients now only need to now the realm
>>> and clientId
>>> to generate a link that eventually redirects to the target application.
>>>
>>> Usage:
>>> GET http://localhost:8081/auth/realms/master/launchpad/redirect -> 302
>>> response with location: http://apps.corp.local/launchpad
>>>
>>> Any chance to get this in as a PR?
>>>
>>> Cheers,
>>> Thomas
>>>
>>>     @GET
>>>     @Path("{realm}/{client-id}/redirect")
>>>     public Response getRedirect(final @PathParam("realm") String
>>> realmName, final @PathParam("client-id") String clientId) throws Exception{
>>>
>>>         RealmModel realm = init(realmName);
>>>
>>>         if (realm == null){
>>>             return null;
>>>         }
>>>
>>>         ClientModel client = realm.getClientByClientId(clientId);
>>>
>>>         if (client == null){
>>>             return null;
>>>         }
>>>
>>>         if (client.getRootUrl() == null){
>>>             return
>>> Response.temporaryRedirect(uriInfo.getAbsolutePathBuilder().replacePath(client.getBaseUrl()).build()).build();
>>>         }
>>>
>>>         return Response.temporaryRedirect(URI.create(client.getRootUrl()
>>> + client.getBaseUrl())).build();
>>>     }
>>>
>>> 2016-02-05 16:23 GMT+01:00 Thomas Darimont <
>>> thomas.darimont at googlemail.com>:
>>>
>>>> Hello,
>>>>
>>>> 2016-02-05 15:22 GMT+01:00 Thomas Raehalme <
>>>> thomas.raehalme at aitiofinland.com>:
>>>>
>>>>> I understand this as well, but it has not been uncommon to encounter a
>>>>> situation where the user needs to know where to go next, because Keycloak
>>>>> doesn't have a link available.
>>>>
>>>>
>>>> with a redirect facility as outlined above - one could render a link to
>>>> the "$KEYCLOAK_BASE_URL/redirect" or
>>>> lookup the "default" client in order to render the client base url link
>>>> with a proper label (client name).
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160209/cdbd1a01/attachment-0001.html 


More information about the keycloak-user mailing list