Redirect users to login via Keycloak web on Android app instead of sending username and password to Keycloak via API #3263
SebaMutuku started this conversation in Ideas
Replies: 2 comments 1 reply
-
@SebaMutuku Please read this too #1887
-
@dubdabasoduba Thanks for this. I also think this lib supports PCE extension. Feel free to check the readme section.
-
Currently, we log in through the app by sending user credentials and secret through an API for Keycloak to authenticate. Currently these values are not encrypted and hence pose a security threat in case a user manages to access the device's data. See fetchAccessToken.
A library called OpenID/OAuth can bypass this by redirecting to the Keycloak web page, where users can authenticate directly on Keycloak and a token is returned upon successful login. This would improve the security of our application since the credentials are entered directly on the Keycloak page. The redirection will happen on the Android app.
The library follows the best practices set out in RFC 8252 - OAuth 2.0 for Native Apps, including using Custom Tabs for authorization requests.
Implementation guidelines have been explained on the library's GitHub repository.
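The redirect flow proposed above, written out as an added Python example (not code from the discussion or from the app's repository) so the protocol mechanics are visible without an Android build: the PKCE pair the app generates, the Keycloak authorization URL it opens in a Custom Tab, the parsing of the redirect back into the app, the token request body, and the check Keycloak performs on the verifier. The base URL, realm, client id and redirect URI are placeholder assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed Keycloak deployment values: placeholders, not taken from the discussion.
KEYCLOAK_BASE = "https://keycloak.example.org"
REALM = "demo"
CLIENT_ID = "android-app"
REDIRECT_URI = "org.example.app:/oauth2redirect"  # private-use scheme, RFC 8252 section 7.1


def s256(verifier):
    """BASE64URL(SHA256(verifier)) without padding, as RFC 7636 section 4.2 specifies."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair():
    """Random 43-char code_verifier (kept in app memory) and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256(verifier)


def build_authorization_url(challenge, state):
    """URL the app hands to the Custom Tab; the password is typed into Keycloak, never the app."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def parse_redirect(redirect, expected_state):
    """Pull the one-time code out of the callback URI; a wrong state means a forged or mixed-up reply."""
    qs = parse_qs(urlparse(redirect).query)
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request_body(code, verifier):
    """Form body for /protocol/openid-connect/token: code plus verifier, no client secret on a public client."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}


def server_accepts(verifier, challenge):
    """Keycloak's side of PKCE: recompute S256(verifier) and compare with the challenge it stored."""
    return s256(verifier) == challenge
```

The access and refresh tokens returned for this body are the only secrets the app then holds, so the credential-at-rest exposure described in the post is reduced to token storage.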