Login page URL for a public instance

Hi everyone!

I’m discovering Keycloak and I have some pretty basic questions (I tried to get answers by Googling, but it’s still unclear to me).

  1. I’d like to have a URL for login on a specific Realm. For example, https://sso.example.org/auth/realms/myrealm/account → this URL is showing me the default “Welcome to Keycloak Account Management”, with a sign-in button on the top right. I’d prefer to get the Login form directly. Is that possible? Or is it up to my 3rd-party app to send the user to that login form directly? I’m pretty much a noob at identity management, but I imagined it was a login page you go to once and then you can access all your SSO-enabled services without logging in again.
  2. What do you expose externally if you want your SSO to be publicly available? Is it possible to avoid having your master realm visible at all at some point? I’m not sure about the potential security risk of exposing that. In my context, the SSO will be for our customers (with a dedicated realm), so it must be accessible from everywhere. Right now, it’s at least behind nginx for HTTPS.

Regarding #1, you can create the login URL using the JavaScript adapter method createLoginUrl, or just have it redirect to the login page for you using the login method.

I’m not sure I understand #2. Assuming your Keycloak instance is available on the internet, you can decide how you want to use it (e.g. OIDC, SAML), and then create Clients so that your customers can use you as an IdP.

  1. I’m not sure I get it. To be sure we are talking about the same thing: if I go to https://sso.redhat.com I’m redirected directly to the login form. Now if I go to my freshly installed Keycloak installation, I’m redirected to a “Welcome to Keycloak” webpage with a link to the Administration console. The link on Red Hat’s side directly gives you the right login form on the right realm (“redhat-external”; I suppose they have a dedicated URL for their internal SSO). How can I achieve the same thing in my own installation?
  2. Finally, part 2 is a consequence of question 1. If I can redirect a URL similar to Red Hat’s to the login form for the “external realm”, I’ll be happy :) (and so I could create a virtual host like internal-sso.mycompany.com redirecting to our internal Realm)

@olivierlambert I think the login page is always shown to login to something you need credentials for. So it’s always a redirect to the login page. When you are already logged in you don’t get redirected. Your sso.redhat.com example is really a link to the account console. Locally you can do that as well: http://localhost:8080/auth/realms/master/account/#/

Sadly it’s not the case. If I use this URL, I’m going to the account page without the login console, with a sign-in button on the top right.

@olivierlambert
There is no “public login page” like many would like to have…

OIDC is about client-initiated authentication.
So, only when the user requests a secured resource does the client redirect the user to the auth server to initiate an authentication. After that, the user is redirected back to the application.
A user always authenticates at a realm, never for a distinct client only!

Your example with sso.redhat.com:

  • the root URL points to a client URL
  • the client URL is a protected/secured resource and redirects the user to the login screen of the auth server
  • the root URL sso.redhat.com is not linked directly to any login page

The “old” account client in Keycloak was completely secured, thus the user was directly redirected to the login screen.
The “new” account console has a “public” start page and doesn’t require the user to be authenticated from the start. Thus the “login” button in the top left.
If you append /personal-info to the account URL, you will be directly redirected to the login screen, because /personal-info is a protected resource.


Ah, thanks, it’s more logical to me now :)

Can I also modify Nginx to do an HTTP redirect to the login form related to my specific application? Or does the URL have specific params that need to be generated?

I’d suggest configuring a redirect in Nginx to a protected resource/page at your application and letting the application’s OIDC/Keycloak adapter do the redirect to the auth server (Keycloak). That would be the best approach to follow all the concepts.

Hi!

I personally plan to expose:

  • /auth/resources/… - can be cached
    • maybe exclude /auth/resources/…/admin, but that’s just the admin theme, not super secret
  • /auth/js/… - I guess that can be cached, too, but I’m not that sure
  • /auth/realms/{publicRealm}/… - not cached!
  • /robots.txt - or I put a custom robots.txt in that place

Best Regards!
Thomas
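The path allowlist Thomas sketches above, combined with the earlier suggestion to have nginx redirect to a protected page of the application (rather than to a login URL, whose state and nonce parameters must be generated per request by the OIDC adapter), written out as one nginx server block. This is an added example, not configuration from the thread or from the Keycloak project. The hostnames sso.example.org and app.example.org, the realm name customers, the upstream address 127.0.0.1:8080 and the TLS file paths are assumptions; replace them with your own.

```nginx
# Added example (not from the thread or the Keycloak project).
# Hostnames, realm name, upstream address and TLS paths are assumptions.
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl http2;
    server_name sso.example.org;

    ssl_certificate     /etc/nginx/tls/sso.example.org.crt;
    ssl_certificate_key /etc/nginx/tls/sso.example.org.key;

    # Keycloak builds redirect URIs from these headers, so it must see the
    # original scheme and host (its proxy address forwarding must be enabled).
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # "/" is not a login page. Send visitors to a protected page of the
    # application; its OIDC adapter then starts the login flow with its
    # own per-request state/nonce/PKCE parameters.
    location = / {
        return 302 https://app.example.org/dashboard;
    }

    # Keep crawlers out of the login and account pages.
    location = /robots.txt {
        default_type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    # Theme assets (CSS, images, fonts): public and safe to cache.
    location /auth/resources/ {
        proxy_pass http://keycloak;
        expires 1d;
        add_header Cache-Control "public";
    }

    # The keycloak.js adapter served to browser clients.
    location /auth/js/ {
        proxy_pass http://keycloak;
        expires 1h;
    }

    # Only the customer-facing realm: OIDC discovery, auth, token, logout and
    # account console endpoints all live under this prefix. Never cached,
    # since responses carry session cookies and tokens.
    location /auth/realms/customers/ {
        proxy_pass http://keycloak;
        add_header Cache-Control "no-store";
    }

    # Everything else never reaches Keycloak from the internet: the master
    # realm (/auth/realms/master/), the admin console and admin REST API
    # (/auth/admin/), and any realm not listed above.
    location / {
        return 404;
    }
}
```

nginx selects the longest matching prefix regardless of declaration order, so /auth/realms/customers/protocol/openid-connect/auth is proxied while /auth/realms/master/account and /auth/admin/ fall through to the catch-all and return 404. A quick check after reloading: `curl -sI https://sso.example.org/auth/realms/customers/.well-known/openid-configuration` should return 200, and the same request against /auth/realms/master/ or /auth/admin/ should return 404. Administrators reach the admin console over an internal address or VPN that is not fronted by this server block.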