List:       keycloak-dev
Subject:    [keycloak-dev] KEYCLOAK-7409 Detect existing IdP session
From:       jack.coady () cantab ! net (Jack C)
Date:       2018-06-03 18:51:41
Message-ID: ebd68c7b-bde5-bbce-b771-74ef0dac1089 () cantab ! net

I have a Keycloak realm that I'm using from my application via OpenID. 
Some users are already signed in to one of its Identity Providers, but 
don't have a Keycloak session. I'd like to seamlessly sign them in to 
the application without going through a Keycloak login screen.

I think that a '&prompt=none&kc_idp_hint=idp' request from the 
application should pass you through to a '&prompt=none' request on the 
IdP. I've managed to build some of the code and I'm looking at changing 
e.g. AuthorizationEndpointBase 
<https://github.com/keycloak/keycloak/blob/f429469fc8b80425ac85b0f0562710c0309a86f8/services/src/main/java/org/keycloak/protocol/AuthorizationEndpointBase.java#L117> 
to allow that kind of "passive" redirect but not other challenges. Does 
this sound like a good plan? I've never tried making this kind of change 
before - any general advice? I've seen this 
<https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md> 
document.

My request on JIRA KEYCLOAK-7409 
<https://issues.jboss.org/browse/KEYCLOAK-7409>
Someone else's older request 
<http://lists.jboss.org/pipermail/keycloak-user/2017-August/011666.html> 
mentioning this strategy
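
The application side of the passive request described in this message, as an added example that is not part of the original post or of Keycloak's code. The host, realm, client id, redirect URI and IdP alias are constructed placeholders, and both function names are hypothetical; the error codes are the ones OpenID Connect Core defines for a prompt=none request that cannot finish without showing UI.

```javascript
// Added example (not from the original message). All hosts, ids and the
// IdP alias used with these functions are constructed placeholders.

// OIDC Core error codes meaning "prompt=none could not complete silently".
const NEEDS_INTERACTION = new Set([
  'login_required',
  'interaction_required',
  'consent_required',
  'account_selection_required',
]);

// Build the passive authorization request. `state` must be an unguessable
// per-request value generated by the caller with a CSPRNG and kept in the
// user's session so the callback can be bound to this request.
function buildPassiveAuthUrl({ authEndpoint, clientId, redirectUri, idpAlias, state }) {
  const url = new URL(authEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    scope: 'openid',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    prompt: 'none',          // never show a login screen
    kc_idp_hint: idpAlias,   // Keycloak: go straight to this identity provider
  }).toString();
  return url.toString();
}

// Decide what to do with the redirect back to the application.
function handleCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Drop any response that is not bound to a request we issued.
  if (!expectedState || params.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state mismatch' };
  }
  const error = params.get('error');
  if (error) {
    // No usable session anywhere: fall back to a normal, interactive login
    // instead of retrying the passive request in a loop.
    return NEEDS_INTERACTION.has(error)
      ? { action: 'interactive_login', reason: error }
      : { action: 'reject', reason: error };
  }
  const code = params.get('code');
  return code
    ? { action: 'exchange_code', code }
    : { action: 'reject', reason: 'no code' };
}
```
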

