[keycloak-user] Mobile Game Authentication Flow

Bill Burke bburke at redhat.com
Tue Feb 28 15:34:47 EST 2017


You want users to be able to log in through a social provider?  We don't 
have a REST-based social login abstraction.  It's all browser-based.  
Keycloak delegates authentication to social providers. One big problem 
is that not all social providers are necessarily password-only.  
Depending on the user they might require an OTP or code sent by SMS.  
So, unless the provider has some kind of challenge-response REST API, we 
wouldn't know what to prompt for credentials.

For registration you're going to have to write some custom backend that 
sits between your mobile app and Keycloak.  Right now, we don't have a 
REST API for unauthenticated user registration.  We also don't have 
fine-grained roles so you can say a particular user account is allowed to 
register new users.

For mobile, we were hoping that apps would do mobile redirects to the 
phone's browser. Our web pages are completely themable and customizable 
so that you could brand them to your company.


On 2/28/17 2:06 PM, Mat Pataki wrote:
> Hello!
>
> I'm a developer at a mobile gaming company, and I'm trying to better
> understand how/if Keycloak fits within the paradigm that we have, and that
> I believe also to be pretty typical in this space. At the moment I am
> specifically interested in User Registration and Authentication. I should
> say that I've spent a larger amount of time with the documentation before
> turning here, so hopefully I'm not missing something completely obvious
> (although I can't really rule that out!).
>
> Third-party identity providers such as Facebook and Google provide mobile
> SDKs that are capable of completing the OAuth2 flow with their respective
> identity platforms. In the end, our consuming mobile apps receive an access
> token if all goes well. We send this token to our current custom backend
> authentication solution which will validate them, obtain an ID from the
> identity provider, and link that ID to our own internal ID for the user.
> It's this backend component that I would like to replace with Keycloak.
>
> For reference, I see very similar code to this in the Keycloak source, here
> <https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java>,
> which is encouraging!
>
> The problem, however, is that KC's social login flow, and seemingly the
> custom SPI flows as well, all begin with the web-based registration page.
> For our use case, we would like to avoid directing our users away from our
> app during this process, and in fact avoid performing the OAuth2 flow
> between us and Facebook, for example, entirely. This is something we have
> today via these client SDKs.
>
> Down the line we plan to use Keycloak for its more traditional use cases,
> including securing our own microservices and applications, but that's
> assuming that we can solve this problem.
>
> Any advice would be greatly appreciated! Thanks in advance!
>
> Mat
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
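
Added example, not part of the original thread and not Keycloak code: the custom backend step described above, where a provider token sent by the mobile app is checked before its provider ID is linked to an internal ID. It assumes the backend has already fetched a token-inspection result shaped like Facebook's Graph API debug_token response; the app ID, the sample data, and every function and class name here are hypothetical.

```python
import time

EXPECTED_APP_ID = "123456789012345"  # hypothetical: the game's own provider app id

class TokenRejected(Exception):
    """The inspected provider token must not be used to log anyone in."""

def verify_inspection(inspection, expected_app_id, now=None):
    """Return the provider's user id, or raise TokenRejected."""
    now = time.time() if now is None else now
    data = inspection.get("data") or {}
    if data.get("is_valid") is not True:
        raise TokenRejected("provider reports the token as invalid")
    # Audience check: a token issued to some other app must not work here.
    if str(data.get("app_id")) != expected_app_id:
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at")
    if not isinstance(expires_at, (int, float)) or expires_at <= now:
        raise TokenRejected("token is expired or has no expiry")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("inspection result has no user id")
    return str(user_id)

class AccountLinker:
    """In-memory stand-in for the provider-id -> internal-id link table."""
    def __init__(self):
        self._links = {}

    def internal_id_for(self, provider, provider_user_id):
        # Key on (provider, id): ids are only unique within one provider.
        key = (provider, provider_user_id)
        if key not in self._links:
            self._links[key] = f"user-{len(self._links) + 1}"
        return self._links[key]

def login_with_provider_token(inspection, linker, now=None):
    uid = verify_inspection(inspection, EXPECTED_APP_ID, now)
    return linker.internal_id_for("facebook", uid)

# Constructed inspection results (not real tokens or ids).
NOW = 1_700_000_000
OK = {"data": {"app_id": EXPECTED_APP_ID, "is_valid": True,
               "expires_at": NOW + 3600, "user_id": "1001"}}
OTHER_APP = {"data": {**OK["data"], "app_id": "999999999999999"}}
EXPIRED = {"data": {**OK["data"], "expires_at": NOW - 1}}
```

The app-ID comparison is the check that matters most in this design: without it, a valid token that the same user granted to any other app would be accepted as a login to the game.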


