[keycloak-user] Authenticate user without using login page

Bill Burke bburke at redhat.com
Fri Jul 25 09:23:14 EDT 2014


Not sure this will work with SSO. I'm not sure CORS requests can deal
with cookies.

On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> What about using an iframe in the popup to include the login form from Keycloak?
>
> You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access with client id/secret and username/password and get a token back. With keycloak.js you can give it this token, not sure how/if this flow works with the server-side (Undertow) adapter.
>
> ----- Original Message -----
>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>> Sent: Friday, 25 July, 2014 2:08:43 PM
>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>
>> Actually, the main problem is one of the flows where the password request
>> appears in a popup, there's no redirect at all, and one of the things that
>> were agreed upon when decided to change the authentication provider, was
>> that nothing would be altered in the user experience.
>>
>> So I really have to try and make keycloak "fit in" in these particular
>> scenarios, they are not used as much as the ones where we'll use the
>> keycloak login page with our own style, but I do have to make them work.
>>
>> When you say I could use direct grant to get a token, would that count as
>> the same as a user logging in? It's not really clear to me right now.
>>
>>
>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>
>>> Yes, but I'm wondering why the following won't work:
>>>
>>> 1. Ask for users email (in your app, not KC)
>>> 2. Once you get to the flow where a user has to login:
>>>     a) If user doesn't exist in KC (you can use admin endpoints to check
>>> this) redirect to registration page on KC with email already entered
>>>     b) If user does exist in KC redirect to login page again with email
>>> already entered
>>> 3. Redirect back to app
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>> Cc: keycloak-user at lists.jboss.org
>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>
>>>> It is because their first login screen is just something asking for an
>>>> email.  If the email doesn't exist as a user, they want a redirect to
>>>> the register page.
>>>>
>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>>>> Yes, you can use the direct grant to retrieve a token.
>>>>>
>>>>> I'd like to know why redirecting to the login form, when styled to match
>>>>> your website, and using login_hint to pre-fill username/email doesn't
>>>>> work. Maybe there's something we can do so that you can still use the
>>>>> "proper" flow?
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>
>>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
>>>>>> so far, I just have to ask.
>>>>>>
>>>>>> If I don't mind trading off SSO and all the other benefits that the
>>>>>> Keycloak login page provides me, would there be a way for me to do what I
>>>>>> want?
>>>>>>
>>>>>>
>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> We could add support for login_hint query param so you can have the
>>>>>>> username/email field on the login form pre-filled for the user, so once a
>>>>>>> user has to authenticate you redirect to login on KC and all they would
>>>>>>> have to do is enter their password.
>>>>>>>
>>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>>>>>> required actions, recover password, etc, etc, etc..
>>>>>>>
>>>>>>> As Bill mentioned we provide very flexible login forms that can be
>>>>>>> templated using either just css or even FreeMarker templates if you need
>>>>>>> a lot of customization, so you should be able to make the login form
>>>>>>> integrate well with your website.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>>>> To: "Bill Burke" <bburke at redhat.com>
>>>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>
>>>>>>>> You think there could be a way to do this within keycloak itself?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I'll give you an example:
>>>>>>>>
>>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
>>>>>>>> and he can go on with the flow.
>>>>>>>>
>>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
>>>>>>>> we already have in our user database, we ask him for his password,
>>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
>>>>>>>> to a page where he can register himself, and after that continue on.
>>>>>>>>
>>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
>>>>>>>> keycloak, because that would interrupt the flow that we designed.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>>>>>>>
>>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
>>>>>>>> issue within keycloak itself.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>>>>>>> page, would there be a way for me to do it?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>>>>>>>>
>>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>>>>>>> migrating everything to use keycloak that way.
>>>>>>>>
>>>>>>>> It's just that we have cases that are so specific, that it would be
>>>>>>>> better to authenticate the user in a different manner, create the
>>>>>>>> user session and everything, without redirecting.
>>>>>>>>
>>>>>>>> I'll have a look at that code. Thanks!
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>>
>>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>>>>>>>> a lot of Keycloak features. Specifically:
>>>>>>>>
>>>>>>>> * SSO
>>>>>>>> * forgot password
>>>>>>>> * admin forced credential reset/setup
>>>>>>>>
>>>>>>>>
>>>>>>>> Login pages can be styled however you like to look like your
>>>>>>>> application.
>>>>>>>>
>>>>>>>> There is a REST api for obtaining an access token. Here is an
>>>>>>>> example:
>>>>>>>>
>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>>>
>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>>>>>>>>> Is there a way to authenticate the user without having to input username
>>>>>>>>> and password on the login page?
>>>>>>>>>
>>>>>>>>> For example:
>>>>>>>>>
>>>>>>>>> Say there's a situation in my application where I request the user for
>>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>>>>>>>> do that?
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Rodrigo Sasaki
>>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>>
>>
>>
>>
>> --
>> Rodrigo Sasaki
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
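
The direct grant request described in the quoted messages above, sketched as an added example that is not part of the original thread or of Keycloak's own code. The path is the one quoted in the thread; the form field names, the use of HTTP Basic for the client id/secret, the `access_token` response field, and the sample host and credentials are assumptions.

```javascript
'use strict';
// Added example. Path is the one quoted in the thread; the form field names,
// HTTP Basic client authentication and "access_token" field are assumptions.
const GRANT_PATH = '/auth-server/{realm}/tokens/grants/access';

// Build (but do not send) the direct-grant POST. Intended for server-side
// code, since it carries the client secret.
function buildDirectGrantRequest(baseUrl, realm, client, user) {
  const url = baseUrl.replace(/\/+$/, '') +
    GRANT_PATH.replace('{realm}', encodeURIComponent(realm));
  // URLSearchParams percent-encodes values, so '&' or '=' inside a password
  // cannot add or override form fields.
  const body = new URLSearchParams({
    username: user.username,
    password: user.password,
  }).toString();
  const basic = Buffer.from(`${client.id}:${client.secret}`).toString('base64');
  return {
    url,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basic}`,
    },
    body,
  };
}

// Accept only a 200 response that carries a non-empty token string.
function parseTokenResponse(status, text) {
  if (status !== 200) throw new Error(`grant refused: HTTP ${status}`);
  const json = JSON.parse(text);
  if (typeof json.access_token !== 'string' || json.access_token === '') {
    throw new Error('response has no access_token');
  }
  return json.access_token;
}

// Constructed sample values, not real hosts or credentials.
const sample = buildDirectGrantRequest(
  'https://sso.example.test/', 'demo',
  { id: 'my-app', secret: 's3cret' },
  { username: 'user@example.test', password: 'p&ss=word' });
console.log(sample.method, sample.url);
```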

