How to force login per client with Keycloak (best practice?) - authentication

We are currently implementing Keycloak and we are facing an issue that we are not sure what the best way to solve is.
We have different webapps making use of the SSO and that's working fine. The problem we have is when we log in using the SSO in one webapp and then do the same in a different webapp.
Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it). When clicking on "login", it automatically logs the user in (by redirecting to Keycloak and automatically logging in the user who is already logged in to the other webapp). This second login happens "transparently" to the user, since the redirection to Keycloak is very fast and not noticeable. This behaviour is not very user friendly.
The question is: taking into account that this second webapp can't know upfront which user is accessing the site (unless it actively redirects to Keycloak), is it possible to always force users to log in for a specific Keycloak client? By this I mean actually ask the visitor for username/password even if Keycloak already knows them from other Keycloak clients.
Thanks in advance!

On the Keycloak mailing list, they gave me a good solution, but for version 4:
in the admin console, go to Authentication
make a copy of the Browser flow
in this new flow, disable or delete Cookie
go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save.

Use the logout endpoint as the default login button action in your app, and use the redirect_uri param for the login page, where you use your specific client (of course you need proper URI encoding):
https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=https://auth-server/auth/realms/{realm-name}/protocol/openid-connect/auth?client_id=client_id&redirect_uri=.....&other_params....
=> the user will be logged out and then redirected to the login page
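The answer above nests one URL inside another, so the inner redirect_uri has to survive two rounds of percent-encoding. The following is an added example (not code from the thread or from Keycloak) that builds the logout-then-login URL with proper encoding and unwraps it again as a check. The base URL, realm name, client ID and callback URL are assumed values; the endpoint paths are the old-style ones with the /auth context path, exactly as the answer shows them.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values (not from the thread): an old-style Keycloak base URL with the
# "/auth" context path, a realm name and the client that should always see a login form.
KEYCLOAK_BASE = "https://auth-server/auth"
REALM = "myrealm"
CLIENT_ID = "webapp2"
APP_CALLBACK = "https://webapp2.example/callback"


def auth_url(base, realm, client_id, redirect_uri, **extra):
    """Authorization endpoint URL for the client that wants a fresh login."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
    }
    params.update(extra)  # e.g. state=..., nonce=...
    return f"{base}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"


def logout_then_login_url(base, realm, client_id, redirect_uri, **extra):
    """Logout endpoint URL whose redirect_uri is the percent-encoded auth URL.

    urlencode() encodes the whole inner URL once more, so the app callback
    inside it ends up double-encoded; that is what keeps it intact when
    Keycloak redirects to the auth endpoint after the logout.
    """
    inner = auth_url(base, realm, client_id, redirect_uri, **extra)
    query = urlencode({"redirect_uri": inner})
    return f"{base}/realms/{realm}/protocol/openid-connect/logout?{query}"


def unwrap(url):
    """Check helper: decode a logout URL and return (inner auth URL, its query params)."""
    outer_q = parse_qs(urlparse(url).query)
    inner = outer_q["redirect_uri"][0]
    inner_q = {k: v[0] for k, v in parse_qs(urlparse(inner).query).items()}
    return inner, inner_q


if __name__ == "__main__":
    url = logout_then_login_url(KEYCLOAK_BASE, REALM, CLIENT_ID, APP_CALLBACK, state="abc123")
    print(url)
    inner, q = unwrap(url)
    # The app callback and client ID must round-trip through both encoding layers.
    assert q["redirect_uri"] == APP_CALLBACK and q["client_id"] == CLIENT_ID
```

Two things to keep in mind when using this in practice. First, this approach ends the user's SSO session, so the other webapps lose their login too; the flow-override answer above avoids that side effect. Second, Keycloak only honours a logout redirect_uri that matches a registered Valid Redirect URI, so the auth endpoint URL must be whitelisted, and from Keycloak 18 onwards the logout endpoint follows OIDC RP-Initiated Logout (post_logout_redirect_uri together with id_token_hint or client_id) rather than the plain redirect_uri shown here, so the URL shape changes for newer servers.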

Related

Keycloak SSO with chrome extension using chrome.identity.launchWebAuthFlow

I'd like to use Keycloak to have SSO between my websites and a Chrome extension. I've already set up two websites that share the same session and only require the user to log in once.
However, when I'm trying to add authentication to my extension using chrome.identity.launchWebAuthFlow(), it does not seem to check cookies for SSO and systematically prompts the user to log in, even though I'm already logged in on my other sites.
I've tried to do things "by hand" using chrome.windows.create(), and it does skip the login credentials and redirect me directly if I'm already logged in from another site, so SSO seems to be working that way. Unfortunately I don't know how to catch the redirection event that occurs once login is complete and then go back to my extension, so I'm stuck on this lead as well.
Do you know if it's possible for the chrome.identity.launchWebAuthFlow() method to check cookies and only prompt for login credentials when it detects no session cookies?

Instead of the Keycloak login page, how can I build my own login page?

I have a service with multiple domains.
And I want to implement SSO in this service.
I tried to implement it using Keycloak.
I want to create a new login page with React instead of the login page of Keycloak. And I am thinking of implementing a Spring Security server separately to add an email or SMS 2-factor function.
In order to do that, I think I should use the Keycloak REST API.
But the problem is that I don't know how the Keycloak login page authenticates the user.
Can I know the login flow of Keycloak in detail?
For example, if I want to check if Service 1 is logged in, do I need to redirect to the login page of Keycloak to check the cookie or session ID of the login page?
So how do I know if I'm still logged in?
Keycloak already provides a way to edit the login flow. You can also add more fields etc. to the login form and add 2-factor authentication as well. The only thing is, you will have to use FreeMarker for that.
See https://www.keycloak.org/docs/latest/server_development/#implementing-an-authenticator and https://www.keycloak.org/docs/latest/server_development/#_themes

IdentityServer 3 and navigating between multiple web applications on same/different domains

Question
I am pretty sure my question is not directly related to IdentityServer's features, but I hope you guys can give me some advice to help with the following issue. In our environment, we have several web applications running on different domains/machines, which use IdentityServer as an authentication authority. Everything is working just fine in terms of authentication and authorization, and with SSO users can get access to all apps.
This is the problem:
The user navigates for the first time to, let's say, WebApp1 (http://domain1/WebApp1), which requires authentication; the user is automatically redirected to the IdSrv login. The user enters credentials and is then redirected back to WebApp1. Everything is working fine, the base ".AspNet.Cookies" cookie is created and the user can navigate within WebApp1 resources without concerns. After a while the user navigates to WebApp2 on the same domain (http://domain1/WebApp2). During navigation the app makes a roundtrip to IdSrv to make sure that the user is authenticated and returns to WebApp2 (no new login required); this is ok. But then, if the user wants to go back to WebApp1, a new roundtrip to IdSrv occurs, and that is what I want to avoid! And this happens each time the user switches between apps.
Is there any way to prevent those IdSrv roundtrips on every navigation between multiple web applications on the same/different domains? One workaround I found is to use different names for the ASP.NET cookies for each application, but this makes identity sign-out way more complicated.
Also got advice from #brockallen to use a different cookie name for each separate webapp, but what about single sign-out? Once logging out on WebApp1, WebApp2 still remains logged in until a new roundtrip to IdSrv occurs or the cookie exp

Log user out of multiple IdentityServer clients

We have a project that uses IdentityServer4
https://github.com/IdentityServer/IdentityServer4
We have 3 domains: auth, admin and www.
IdentityServer runs on auth and the other two are 'clients'.
www uses the Hybrid flow (cookies)
admin uses the Implicit flow (it is a SPA, using oidc-client)
We have a single login page hosted on auth. When the user logs in they are taken to www. Some users are allowed to access admin and they will see a link in the navigation.
After you log in, when you access the admin you can see the authentication happen automatically and return to the callback URL. This all works fine.
However, if I log out from the admin I can still access the www, and vice versa. Ideally we would like the logout to log the user out of both clients at once.
Is this possible?
Note: I'm the front-end developer on this project, so the guy who actually implemented it may provide additional details in the comments below.
Yes, this is possible.
The docs for idsrv4 are not done yet, but it works pretty much like this:
https://identityserver.github.io/Documentation/docsv2/advanced/signout.html
This is an implementation of the sign-out spec for JS:
https://openid.net/specs/openid-connect-session-1_0.html
...and for web apps:
https://openid.net/specs/openid-connect-frontchannel-1_0.html
You need to read those documents to understand the mechanisms.

CAS SSO automatic login

I want an automatic login to my services when the user is already logged in to CAS.
At the moment I must click the login button in every service manually to log in.
My goal is that when I'm logged in to CAS and I open, for example, my Jenkins service, my user is logged in automatically without clicking the login button.
Can someone help me?
If you're using something like Spring Security or similar to manage it, then it can do it automatically for you. But since you seem to be making a Single Page Application (as you've said that you need a login button), and going with that assumption, you'd need to have that login anyway. Except of course if you've set up a script to check if there's a valid cookie already. More details appreciated (sorry, can't just comment).