Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sample keycloak integration #506

Open
kstan79 opened this issue Jun 22, 2024 · 8 comments
Open

sample keycloak integration #506

kstan79 opened this issue Jun 22, 2024 · 8 comments

Comments

@kstan79
Copy link

kstan79 commented Jun 22, 2024

i think the provided example very bad for keycloak user, so I contribute some example of setting for others people to refer, I hope you guys can prepare better sample for community.

final String _clientId = 'keycloak-client-id';
  final String _redirectUrl = 'com.domain.appname:/oauthredirect';
  final String _issuer = 'https://login.your.url/realms/yourrealm';  // you may put `auth` behind hostname if your keycloak very old
  final String _discoveryUrl =
      'https://login.your.url/realms/yourrelam/.well-known/openid-configuration';
  final String _postLogoutRedirectUrl = 'com.domain.yourapp:/';

...
authorizationEndpoint:
        'https://login.your.url/realms/yourrealm/protocol/openid-connect/auth',
    tokenEndpoint:
        'https://login.your.url/realms/yourrealm/protocol/openid-connect/token',
    endSessionEndpoint:
        'https://login.your.url/realms/yourrealm/protocol/openid-connect/logout',
.....


final AuthorizationTokenResponse? result =
          await _appAuth.authorizeAndExchangeCode(
        AuthorizationTokenRequest(
          _clientId, _redirectUrl,
          serviceConfiguration: _serviceConfiguration,
          scopes: _scopes,
          preferEphemeralSession: preferEphemeralSession,
          clientSecret: '_your_client_secret_obtain_from_somewhere'  //original example not include this properties cause authorization never success
        ),
      );
@zynzszyn521
Copy link

Hello, I'm encountering an issue with Keycloak where I cannot log out. Could you please help guide me through this?
Flutter endSession code:
final String _postLogoutRedirectUrl = 'com.domain.yourapp:/'
Keycloak client config:
Valid post logout redirect URIs:com.domain.yourapp:/
But when call endSession ,show:
Invalid redirect uri

@kstan79
Copy link
Author

kstan79 commented Jul 19, 2024

hi, after long research. I notice that the proper implementation of keycloak in flutter is:

  1. create loginform.dart in flutter
  2. perform server side authentication (no store client secret in flutter app) at backend
  3. store refresh token and access token at client side.
  4. before any api request, verify refresh token expiry, if near expire then obtain new access token with refresh token via backend
  5. both token and expried time can store in flutter using securestorage library.

For security reason, we dont want store client secret in mobile app thats why:

  1. flutter side no perform any api with keycloak, it authenticate via backend server
  2. backend will handle all keycloak manners.

@zynzszyn521
Copy link

Thank you for your reply。
My Fluttter app login no issue ,but when i click logout button and goto auth web page ,it show errr。

await appAuth.endSession(EndSessionRequest(
          idTokenHint: '<idToken>',
          postLogoutRedirectUrl: '<postLogoutRedirectUrl>',
          serviceConfiguration: AuthorizationServiceConfiguration(authorizationEndpoint: '<authorization_endpoint>',  tokenEndpooint: '<token_endpoint>', endSessionEndpoint: '<end_session_endpoint>'));

I confirm the authorization_endpoint\token_endpoint\end_session_endpoint config is correct ,but I am not sure postLogoutRedirectUrl how to set , i give _postLogoutRedirectUrl = 'com.domain.yourapp:/' and keycloak client setting page is " Valid post logout redirect URIs:com.domain.yourapp:/ " ,

image

cec7922d674f1fc765aa547e60fb0ba

@kstan79
Copy link
Author

kstan79 commented Jul 19, 2024

As I mentioned, no matter login, refresh, or logout all shall implement at server side cause keep secret in mobile app is bad. When you need to revoke your secret you will have to republish your app and request all user update app. At the time your app malfunction and will be your nightmare.

Anyhow, you can simply delete your token without run logout isn't it?

@zynzszyn521
Copy link

Sorry, I need to ask one more question.
I use nginx for keycloak server ,For security reasons, I have set up CSP
add_header Content-Security-Policy "form-action 'self' https://fuse.XXX.com;";
However, when I log in, it shows an error.
auth:1 Refused to send form data to 'https://fuse.XXX.com/auth/realms/master/login-actions/authenticate?session_code=eElrml7zOz7QJFTqkhpVaO9l3IIYVVxsLQrefutzHVU&execution=a5833fb9-308a-4f1b-a12b-12b84594547d&client_id=fuse.mobile.client&tab_id=S-011gIiFqI' because it violates the following Content Security Policy directive: "form-action 'self' https://fuse.XXX.com".
From the error message, the accessed address and the CSP-configured address are the same. Why is there still an error?

@kstan79
Copy link
Author

kstan79 commented Aug 6, 2024

i not so sure what cause that, maybe 'com.domain.yourapp:/'?

@zynzszyn521
Copy link

you means add 'com.domain.yourapp:/' to CSP config?

@akoyl
Copy link

akoyl commented Sep 11, 2024

Can someone provide a simple but complete example for login and sign-in from a mobile app to keycloack?
Thanks in advance!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@akoyl @kstan79 @zynzszyn521