[keycloak-user] SSO in web and desktop application
Emanuele Gesuato
Emanuele.Gesuato at finantix.com
Mon Apr 16 05:26:48 EDT 2018
Hi,
just a quick update in case any of you have some hints to share.
I am trying to use the "impersonate" REST API in order to get a fresh token
for the user I want to use in my application.
By using following CURL I am able to get this new token for my "target"
user:
curl --verbose -X POST "http://<host>/auth/realms/master/protocol/openid-connect/token" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \
  -d "requested_subject=${USER_ID}" \
  -d "audience=${TARGET_CLIENT}" \
  -d "client_id=${SOURCE_CLIENT}" \
  -d "subject_token=${TKN}"
but it is not enough, because to fully impersonate the user in my web
application I need a fresh JSESSIONID. By getting a JSESSIONID I can store
it as a cookie and in this way I can skip the Keycloak login page.
Is the token meant to be used only in the REST API? Am I missing something?
thanks for any help,
Emanuele
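Added example (not from the thread and not Keycloak's own code): a Python sketch of what the exchanged token above is and is not. It builds the same form body as the curl command, then checks a returned access_token the way the desktop side should before trusting it: signature, pinned alg, expiry, sub equal to the requested_subject, and aud containing the target client. The token is a bearer credential for the target client's API; nothing here produces a JSESSIONID, because that is a Tomcat session cookie, not something the token endpoint returns. To run offline the sample token is HS256-signed with a constructed secret; real Keycloak access tokens are RS256-signed and would be checked against the realm's public key instead. TOKEN_ENDPOINT is the thread's URL with its <host> placeholder; DEMO_SECRET, the client ids, the user id and all claim values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Endpoint from the thread's curl command; <host> is left as the placeholder it uses.
TOKEN_ENDPOINT = "http://<host>/auth/realms/master/protocol/openid-connect/token"

# Constructed secret for the offline demo (assumption). Real Keycloak access
# tokens are RS256-signed with the realm key; a real check would fetch that
# key from the realm's certs endpoint instead of sharing a secret.
DEMO_SECRET = b"demo-shared-secret-not-a-real-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_exchange_form(subject_token, user_id, target_client, source_client):
    """Form body of the impersonation token-exchange POST from the thread's curl.

    urlencode() percent-encodes the URN colons, as curl's --data-urlencode does.
    """
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "requested_subject": user_id,
        "audience": target_client,
        "client_id": source_client,
        "subject_token": subject_token,
    })


def make_demo_jwt(claims, secret=DEMO_SECRET):
    """Mint an HS256 JWT standing in for the access_token the server returns (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_exchanged_token(token, expected_subject, expected_audience, secret=DEMO_SECRET, now=None):
    """Return the claims only if the token is the one the exchange was asked for.

    Checks: signature, pinned alg, not expired, sub == requested_subject,
    aud contains the target client. Raises ValueError otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("sub") != expected_subject:
        raise ValueError("token subject %r is not the requested user" % claims.get("sub"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in aud:
        raise ValueError("token audience %r does not include the target client" % aud)
    return claims


def exchange_is_valid(token, expected_subject, expected_audience, now=None):
    """Boolean wrapper around verify_exchanged_token for callers that just gate on it."""
    try:
        verify_exchanged_token(token, expected_subject, expected_audience, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the web app's own token, the target user, both client ids.
    form = build_exchange_form("subject-token-from-web-login", "user-id-1234", "desktop-api", "web-app")
    print("POST", TOKEN_ENDPOINT)
    print(form)
    # Constructed response: what a successful exchange would hand back for that user.
    token = make_demo_jwt({"sub": "user-id-1234", "aud": ["desktop-api"],
                           "azp": "web-app", "exp": int(time.time()) + 300})
    print(verify_exchanged_token(token, "user-id-1234", "desktop-api"))
```

The desktop side then sends the verified token as `Authorization: Bearer ...` to the target client's API; the check fails closed if the exchange returned a token for a different user or for another client, which is the thing to guard when one client is allowed to mint tokens for arbitrary subjects.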
From: Luis Rodríguez Fernández <uo67113 at gmail.com>
To: keycloak-user at lists.jboss.org
Date: 13/04/2018 17:26
Subject: Re: [keycloak-user] SSO in web and desktop application
Sent by: keycloak-user-bounces at lists.jboss.org
Hello Emanuele,
You are welcome, sorry for not being more helpful.
I must admit that I did not try OpenID for any of my services.
I do believe that you could drop that question on the OpenID support
forum:
https://getsatisfaction.com/openid
Hope it helps,
Luis
2018-04-12 15:49 GMT+02:00 Emanuele Gesuato <Emanuele.Gesuato at finantix.com>:
> Hi Luis,
>
> thank you very much for your support, I really appreciate.
>
> Do you think it would be possible if we use OpenID instead of SAML?
> Can we share some token in order to "share" authentication among different
> clients?
>
> Thanks,
> Emanuele
>
>
>
>
> From: Luis Rodríguez Fernández <uo67113 at gmail.com>
> To: keycloak-user at lists.jboss.org
> Date: 11/04/2018 18:59
> Subject: Re: [keycloak-user] SSO in web and desktop application
> Sent by: keycloak-user-bounces at lists.jboss.org
>
>
>
> Hello Emanuele,
>
> Please, forget about the servlet filter, at the beginning I thought that
> the "client-server application developed in java" was not using any
> keycloak adaptor, sorry for the confusion.
>
> No, SAML does not provide a token that you can share between different
> clients.
>
> You could think about sharing the cookies between the browser and the
> "client-server" app, but this is a horrible hack. I would warn you to avoid
> this way :)
>
> Personally, I would explore these two options:
>
> a) Dedicated browser that automatically uses the Windows/Kerberos credentials
> of the logged-in user.
> b) Let the dedicated browser redirect the user to the IdP login page. Yes,
> users have to authenticate, but it will save you a lot of headache...
>
> If you are using Chrome there are extensions that apparently let you share
> sessions between devices (
> https://chrome.google.com/webstore/detail/sessionbox-free-multi-log/megbklhjamjbcafknkgmokldgolkdfig
> ).
> You can give it a try, but honestly, I do not like that option very
> much...
>
> Cheers,
>
> Luis
>
> 2018-04-06 18:38 GMT+02:00 Emanuele Gesuato <Emanuele.Gesuato at finantix.com>:
>
> > Hi Luis,
> >
> > thanks for your feedback.
> >
> > Is there any way to use some access token in order to identify the current
> > user?
> >
> > let me recap.
> > I have a web application and a "desktop" application; they are both
> > different but they share the same set of users and they are both in the
> > same Keycloak realm.
> > When a user is logged in to the web application I would like to trigger some
> > authentication mechanism in order to let the user be automatically logged in
> > when he opens the desktop application.
> >
> > I am using Keycloak 3.4.3 with the tomcat7 adapter. Both the web application
> > and the server-side application of the "desktop" one use tomcat7 as
> > servlet container (but they are different instances). Of course the Keycloak
> > server is the same for both.
> >
> > I am not sure how a servlet filter can help me solve this issue ... as I
> > am using the standard tomcat7 Keycloak adapter.
> >
> > Thanks for any help,
> > Emanuele
> >
> >
> >
> >
> >
> > From: Luis Rodríguez Fernández <uo67113 at gmail.com>
> > To: Emanuele Gesuato <Emanuele.Gesuato at finantix.com>
> > Date: 06/04/2018 17:28
> > Subject: Re: [keycloak-user] SSO in web and desktop application
> >
> >
> >
> > Hello Emanuele,
> >
> > OK, I see. So if I understand correctly you have "converted" your webapp
> > into a desktop application using something like this
> > https://applicationize.me/ in a dedicated browser with some restrictions.
> >
> > The problem here is that you are requesting the application from a
> > completely different client; it would be the same if you opened an incognito
> > window in your browser after logging in to siteA.
> >
> > I have done a quick test with one of our SAML applications and I am
> > redirected to the login page of our SSO. After authentication the app
> > works perfectly fine.
> >
> > Perhaps you could try to configure that dedicated browser to automatically
> > use the Windows/Kerberos credentials of the logged-in user...
> >
> > Cheers,
> >
> > Luis
> >
> > ps: the servlet filter can work in any servlet container. I am
> > successfully using it in tomcat 9 :)
> >
> >
> > 2018-04-06 12:38 GMT+02:00 Emanuele Gesuato <Emanuele.Gesuato at finantix.com>:
> > sorry for my email issue
> > *****************
> >
> > Hi there,
> >
> > client-server app is a browser application where we are using the
> > keycloak-saml tomcat7 adapter.
> >
> > Your link refers to a Java servlet application that doesn't have an
> > adapter for that servlet platform.
> >
> > Am I missing something in your answer?
> >
> > thanks,
> >
> >
> > Emanuele Gesuato
> > Software specialist
> >
> >
> > Mobile: +39 335 757 3556 | Email: emanuele.gesuato at finantix.com | Skype: emanuelegesuato_work
> >
> >
> >
> >
> >
> >
> > From: Subodh Joshi <subodhcjoshi82 at gmail.com>
> > To: Emanuele Gesuato <Emanuele.Gesuato at finantix.com>
> > Cc: keycloak-user <keycloak-user at lists.jboss.org>
> > Date: 06/04/2018 12:11
> > Subject: Re: [keycloak-user] SSO in web and desktop application
> > Sent by: keycloak-user-bounces at lists.jboss.org
> >
> >
> >
> > Emanuele Gesuato, looks like some issue with your email client/server.
> >
> > On Fri, Apr 6, 2018 at 3:21 PM, Emanuele Gesuato <Emanuele.Gesuato at finantix.com> wrote:
> >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> >
> >
> > --
> > Subodh Chandra Joshi
> > subodh1_joshi82 at yahoo.co.in
> > http://www.trendsinnews.com
> > --
> > "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail
> better."
> > - Samuel Beckett
> >
> >
> >