[keycloak-user] Authenticate user without using login page

Bill Burke bburke at redhat.com
Fri Jul 25 09:08:21 EDT 2014


Another workaround would be to just have the regular keycloak login page 
and add a "registration" link to the template that points back to their 
application.  I just think it would be simpler for them than doing what 
you suggest.

On 7/25/2014 8:56 AM, Stian Thorgersen wrote:
> Yes, but I'm wondering why the following won't work:
>
> 1. Ask for users email (in your app, not KC)
> 2. Once you get to the flow where a user has to login:
>     a) If user doesn't exist in KC (you can use admin endpoints to check this) redirect to registration page on KC with email already entered
>     b) If user does exist in KC redirect to login page again with email already entered
> 3. Redirect back to app
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>> Cc: keycloak-user at lists.jboss.org
>> Sent: Friday, 25 July, 2014 1:48:45 PM
>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>
>> It is because their first login screen is just something asking for an
>> email.  If the email doesn't exist as a user, they want a redirect to
>> the register page.
>>
>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>> Yes, you can use the direct grant to retrieve a token.
>>>
>>> I'd like to know why redirecting to the login form, when styled to match
>>> your website, and using login_hint to pre-fill username/email doesn't
>>> work. Maybe there's something we can do so that you can still use the
>>> "proper" flow?
>>>
>>> ----- Original Message -----
>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>
>>>> Sorry to keep insisting on this, but since it's being a huge showstopper so
>>>> far, I just have to ask.
>>>>
>>>> If I don't mind trading off SSO and all the other benefits that the
>>>> Keycloak login page provides me, would there be a way for me to do what I
>>>> want?
>>>>
>>>>
>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com>
>>>> wrote:
>>>>
>>>>> We could add support for login_hint query param so you can have the
>>>>> username/email field on the login form pre-filled for the user, so once a
>>>>> user has to authenticate you redirect to login on KC and all they would
>>>>> have to do is enter their password.
>>>>>
>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>>>> required actions, recover password, etc, etc, etc..
>>>>>
>>>>> As Bill mentioned we provide very flexible login forms that can be
>>>>> templated using either just css or even FreeMarker templates if you need a
>>>>> lot of customization, so you should be able to make the login form
>>>>> integrate well with your website.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>> To: "Bill Burke" <bburke at redhat.com>
>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>
>>>>>> You think there could be a way to do this within keycloak itself?
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> I'll give you an example:
>>>>>>
>>>>>> We have a situation in our website where we only ask for the user's e-mail,
>>>>>> and he can go on with the flow.
>>>>>>
>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
>>>>>> we already have in our user database, we ask him for his password,
>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
>>>>>> to a page where he can register himself, and after that continue on.
>>>>>>
>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
>>>>>> keycloak, because that would interrupt the flow that we designed.
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>
>>>>>>
>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>>>>>
>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
>>>>>> issue within keycloak itself.
>>>>>>
>>>>>>
>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>>>>> page, would there be a way for me to do it?
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
>>>>>> <rodrigopsasaki at gmail.com> wrote:
>>>>>>
>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>>>>> migrating everything to use keycloak that way.
>>>>>>
>>>>>> It's just that we have cases that are so specific, that it would be
>>>>>> better to authenticate the user in a different manner, create the
>>>>>> user session and everything, without redirecting.
>>>>>>
>>>>>> I'll have a look at that code. Thanks!
>>>>>>
>>>>>>
>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>
>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>>>>>> a lot of Keycloak features. Specifically:
>>>>>>
>>>>>> * SSO
>>>>>> * forgot password
>>>>>> * admin forced credential reset/setup
>>>>>>
>>>>>>
>>>>>> Login pages can be styled however you like to look like your
>>>>>> application.
>>>>>>
>>>>>> There is a REST api for obtaining an access token. Here is an
>>>>>> example:
>>>>>>
>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>
>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>>>>>>> Is there a way to authenticate the user without having to input username
>>>>>>> and password on the login page?
>>>>>>>
>>>>>>> For example:
>>>>>>>
>>>>>>> Say there's a situation in my application where I request the user for
>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>>>>>> do that?
>>>>>>>
>>>>>>> --
>>>>>>> Rodrigo Sasaki
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bill Burke
>>>>>> JBoss, a division of Red Hat
>>>>>> http://bill.burkecentral.com
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Rodrigo Sasaki
>>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
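
The redirect flow Stian Thorgersen outlines in the quoted steps 1 to 3, as an added example that is not part of the original thread or of Keycloak's code. The endpoint URLs, client id and the `user_exists` callable (standing in for the admin endpoint lookup) are placeholders and assumptions; `login_hint` on the registration page follows the thread's proposal.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): real endpoint paths depend on the Keycloak
# version and realm and are not given in the thread.
LOGIN_ENDPOINT = "https://kc.example.test/LOGIN-PLACEHOLDER"
REGISTER_ENDPOINT = "https://kc.example.test/REGISTER-PLACEHOLDER"
CLIENT_ID = "demo-app"                               # constructed
REDIRECT_URI = "https://app.example.test/callback"   # constructed


def build_auth_redirect(email, user_exists):
    """Step 2: choose registration (2a) or login (2b), e-mail pre-filled.

    user_exists is a hypothetical callable standing in for the admin
    endpoint lookup; it must run server-side, never in the browser.
    """
    state = secrets.token_urlsafe(32)  # unguessable, stored in the session
    endpoint = LOGIN_ENDPOINT if user_exists(email) else REGISTER_ENDPOINT
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "login_hint": email,   # urlencode escapes '+', '@', '&' in the value
        "state": state,
    })
    return f"{endpoint}?{query}", state


def handle_callback(callback_url, expected_state):
    """Step 3: accept the redirect back only if state matches the session."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not tied to this session")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code  # exchanged for tokens server-to-server afterwards
```

Because the password is still typed on the Keycloak page, this keeps SSO, required actions and password recovery, which the direct grant gives up.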
