[keycloak-user] Authenticate user without using login page

Stian Thorgersen stian at redhat.com
Fri Jul 25 09:21:08 EDT 2014


What about using an iframe in the popup to include the login form from Keycloak?

You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access with client id/secret and username/password and get a token back. With keycloak.js you can give it this token; not sure how/if this flow works with the server-side (Undertow) adapter.

----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 2:08:43 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
> 
> Actually, the main problem is one of the flows where the password request
> appears in a popup, there's no redirect at all, and one of the things that
> were agreed upon when decided to change the authentication provider, was
> that nothing would be altered in the user experience.
> 
> So I really have to try and make keycloak "fit in" in these particular
> scenarios, they are not used as much as the ones where we'll use the
> keycloak login page with our own style, but I do have to make them work.
> 
> When you say I could use direct grant to get a token, would that count as
> the same as a user logging in? It's not really clear to me right now
> 
> 
> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > Yes, but I'm wondering why the following won't work:
> >
> > 1. Ask for users email (in your app, not KC)
> > 2. Once you get to the flow where a user has to login:
> >    a) If user doesn't exist in KC (you can use admin endpoints to check
> > this) redirect to registration page on KC with email already entered
> >    b) If user does exist in KC redirect to login page again with email
> > already entered
> > 3. Redirect back to app
> >
> > ----- Original Message -----
> > > From: "Bill Burke" <bburke at redhat.com>
> > > > To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > Cc: keycloak-user at lists.jboss.org
> > > Sent: Friday, 25 July, 2014 1:48:45 PM
> > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >
> > > It is because their first login screen is just something asking for an
> > > email.  If the email doesn't exist as a user, they want a redirect to
> > > the register page.
> > >
> > > On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > > Yes, you can use the direct grant to retrieve a token.
> > > >
> > > > > I'd like to know why redirecting to the login form, when styled to match
> > > > > your website, and using login_hint to pre-fill username/email doesn't
> > > > > work. Maybe there's something we can do so that you can still use the
> > > > > "proper" flow?
> > > >
> > > > ----- Original Message -----
> > > >> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > >> To: "Stian Thorgersen" <stian at redhat.com>
> > > >> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > >> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > > > >> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > > >>
> > > > >> Sorry to keep insisting on this, but since it's being a huge showstopper so
> > > > >> far, I just have to ask.
> > > > >>
> > > > >> If I don't mind trading off SSO and all the other benefits that the
> > > > >> Keycloak login page provides me, would there be a way for me to do what I
> > > > >> want?
> > > >>
> > > >>
> > > >> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com>
> > > >> wrote:
> > > >>
> > > > >>> We could add support for login_hint query param so you can have the
> > > > >>> username/email field on the login form pre-filled for the user, so once a
> > > > >>> user has to authenticate you redirect to login on KC and all they would
> > > > >>> have to do is enter their password.
> > > > >>>
> > > > >>> If you bypass the login forms you'd lose SSO, multi-factor support,
> > > > >>> required actions, recover password, etc, etc, etc..
> > > > >>>
> > > > >>> As Bill mentioned we provide very flexible login forms that can be
> > > > >>> templated using either just css or even FreeMarker templates if you need a
> > > > >>> lot of customization, so you should be able to make the login form
> > > > >>> integrate well with your website.
> > > >>>
> > > >>> ----- Original Message -----
> > > >>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > >>>> To: "Bill Burke" <bburke at redhat.com>
> > > >>>> Cc: keycloak-user at lists.jboss.org
> > > >>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > > > >>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>
> > > >>>> You think there could be a way to do this within keycloak itself?
> > > >>>>
> > > >>>>
> > > > >>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
> > > > >>>> wrote:
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> I'll give you an example:
> > > >>>>
> > > > >>>> We have a situation in our website where we only ask for the user's e-mail,
> > > > >>>> and he can go on with the flow.
> > > > >>>>
> > > > >>>> On a determined step of the flow, if we identify that this is an e-mail that
> > > > >>>> we already have in our user database, we ask him for his password,
> > > > >>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
> > > > >>>> to a page where he can register himself, and after that continue on.
> > > > >>>>
> > > > >>>> On this specific case and others, we wouldn't like to have to redirect him to
> > > > >>>> keycloak, because that would interrupt the flow that we designed.
> > > >>>>
> > > >>>>
> > > > >>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
> > > > >>>>
> > > > >>>>
> > > > >>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > > > >>>>
> > > > >>>> If you have to do it this way, please let us know why. Maybe we can solve the
> > > > >>>> issue within keycloak itself.
> > > >>>>
> > > >>>>
> > > >>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > > >>>>
> > > >>>>
> > > >>>>
> > > > >>>> Just for the sake of conversation, if I did want to handle my own login
> > > > >>>> page, would there be a way for me to do it?
> > > > >>>>
> > > > >>>>
> > > > >>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> > > > >>>> <rodrigopsasaki at gmail.com> wrote:
> > > >>>>
> > > >>>> I don't want to miss out on all of that, which is why we're mostly
> > > >>>> migrating everything to use keycloak that way.
> > > >>>>
> > > >>>> It's just that we have cases that are so specific, that it would be
> > > >>>> better to authenticate the user in a different manner, create the
> > > >>>> user session and everything, without redirecting.
> > > >>>>
> > > >>>> I'll have a look at that code. Thanks!
> > > >>>>
> > > >>>>
> > > > >>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
> > > > >>>>
> > > > >>>> If you want to handle your own login pages, IMO, you are missing out on
> > > > >>>> a lot of Keycloak features. Specifically:
> > > >>>>
> > > >>>> * SSO
> > > >>>> * forgot password
> > > >>>> * admin forced credential reset/setup
> > > >>>>
> > > >>>>
> > > >>>> Login pages can be styled however you like to look like your
> > > >>>> application.
> > > >>>>
> > > >>>> There is a REST api for obtaining an access token. Here is an
> > > >>>> example:
> > > >>>>
> > > > >>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > > >>>>
> > > >>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > > > >>>>> Is there a way to authenticate the user without having to input username
> > > > >>>>> and password on the login page?
> > > > >>>>>
> > > > >>>>> For example:
> > > > >>>>>
> > > > >>>>> Say there's a situation in my application where I request the user for
> > > > >>>>> his username and password, and I wouldn't like to redirect that to the
> > > > >>>>> keycloak login page to authenticate him, would there be a way for me to
> > > > >>>>> do that?
> > > >>>>>
> > > >>>>> --
> > > >>>>> Rodrigo Sasaki
> > > >>>>>
> > > >>>>>
> > > > >>>>> _______________________________________________
> > > > >>>>> keycloak-user mailing list
> > > > >>>>> keycloak-user at lists.jboss.org
> > > > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >>>>>
> > > >>>>
> > > >>>> --
> > > >>>> Bill Burke
> > > >>>> JBoss, a division of Red Hat
> > > >>>> http://bill.burkecentral.com
> > > >>>
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Rodrigo Sasaki
> > > >>
> > >
> > > --
> > > Bill Burke
> > > JBoss, a division of Red Hat
> > > http://bill.burkecentral.com
> > >
> >
> 
> 
> 
> --
> Rodrigo Sasaki
> 
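
The direct grant request described in the reply at the top of this thread, as an added example that is not part of the original messages and is not Keycloak's own code. The path is the one quoted in the message; the form field names (`username`, `password`), HTTP Basic authentication for the client id/secret, and the `access_token`/`expires_in` response fields are assumptions, as are both function names.

```javascript
// Added example, not Keycloak's own code. Form field names, Basic client
// authentication and the access_token/expires_in response fields are assumptions.
function buildDirectGrantRequest({ baseUrl, realm, clientId, clientSecret, username, password }) {
  const base = new URL(baseUrl);
  // The request carries the user's password and the client secret: refuse cleartext.
  if (base.protocol !== 'https:') {
    throw new Error('direct grant must be sent over HTTPS');
  }
  const required = { realm, clientId, clientSecret, username, password };
  for (const [name, value] of Object.entries(required)) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`missing ${name}`);
    }
  }
  // Path as given in the message; encoding the realm keeps it a single path segment.
  const url = `${base.origin}/auth-server/${encodeURIComponent(realm)}/tokens/grants/access`;
  // Credentials travel in the body and Authorization header, never the query
  // string, so they stay out of proxy and access logs.
  const body = new URLSearchParams({ username, password }).toString();
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    url,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basic}`,
    },
    body,
  };
}

function parseTokenResponse(status, bodyText) {
  if (status !== 200) {
    // Report the status only; an error body may reflect submitted values.
    throw new Error(`token request failed with HTTP ${status}`);
  }
  let json;
  try {
    json = JSON.parse(bodyText);
  } catch (e) {
    throw new Error('token response is not JSON');
  }
  if (json === null || typeof json.access_token !== 'string' || json.access_token === '') {
    throw new Error('token response has no access_token');
  }
  return { accessToken: json.access_token, expiresIn: Number(json.expires_in) || 0 };
}
```

The returned object can be handed to any HTTP client. Because the request needs the client secret, it belongs in the server-side part of the application rather than in the popup itself.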

