[keycloak-user] Authenticate user without using login page

Stian Thorgersen stian at redhat.com
Fri Jul 25 09:30:44 EDT 2014


The cookies should be set fine, as the iframe would contain the login page directly from Keycloak.

It would redirect to a special page on the app that after extracting the code would close the popup.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Friday, 25 July, 2014 2:23:14 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
> 
> Not sure this will work with SSO. I'm not sure CORS requests can deal
> with cookies.
> 
> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > What about using an iframe in the popup to include the login form from
> > Keycloak?
> >
> > You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access with
> > client id/secret and username/password and get a token back. With
> > keycloak.js you can give it this token, not sure how/if this flow works
> > with the server-side (Undertow) adapter.
> >
> > ----- Original Message -----
> >> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> >> Sent: Friday, 25 July, 2014 2:08:43 PM
> >> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>
> >> Actually, the main problem is one of the flows where the password request
> >> appears in a popup, there's no redirect at all, and one of the things that
> >> were agreed upon when decided to change the authentication provider, was
> >> that nothing would be altered in the user experience.
> >>
> >> So I really have to try and make keycloak "fit in" in these particular
> >> scenarios, they are not used as much as the ones where we'll use the
> >> keycloak login page with our own style, but I do have to make them work.
> >>
> >> When you say I could use direct grant to get a token, would that count as
> >> the same as a user logging in? It's not really clear to me right now.
> >>
> >>
> >> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com>
> >> wrote:
> >>
> >>> Yes, but I'm wondering why the following won't work:
> >>>
> >>> 1. Ask for users email (in your app, not KC)
> >>> 2. Once you get to the flow where a user has to login:
> >>>     a) If user doesn't exist in KC (you can use admin endpoints to check
> >>> this) redirect to registration page on KC with email already entered
> >>>     b) If user does exist in KC redirect to login page again with email
> >>> already entered
> >>> 3. Redirect back to app
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke at redhat.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>> Cc: keycloak-user at lists.jboss.org
> >>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> >>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>
> >>>> It is because their first login screen is just something asking for an
> >>>> email.  If the email doesn't exist as a user, they want a redirect to
> >>>> the register page.
> >>>>
> >>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> >>>>> Yes, you can use the direct grant to retrieve a token.
> >>>>>
> >>>>> I'd like to know why redirecting to the login form, when styled to match
> >>>>> your website, and using login_hint to pre-fill username/email doesn't
> >>>>> work. Maybe there's something we can do so that you can still use the
> >>>>> "proper" flow?
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> >>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>
> >>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper so
> >>>>>> far, I just have to ask.
> >>>>>>
> >>>>>> If I don't mind trading off SSO and all the other benefits that the
> >>>>>> Keycloak login page provides me, would there be a way for me to do what I
> >>>>>> want?
> >>>>>>
> >>>>>>
> >>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>> We could add support for login_hint query param so you can have the
> >>>>>>> username/email field on the login form pre-filled for the user, so once a
> >>>>>>> user has to authenticate you redirect to login on KC and all they would
> >>>>>>> have to do is enter their password.
> >>>>>>>
> >>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
> >>>>>>> required actions, recover password, etc., etc., etc.
> >>>>>>>
> >>>>>>> As Bill mentioned we provide very flexible login forms that can be
> >>>>>>> templated using either just css or even FreeMarker templates if you need a
> >>>>>>> lot of customization, so you should be able to make the login form
> >>>>>>> integrate well with your website.
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>>>>>> To: "Bill Burke" <bburke at redhat.com>
> >>>>>>>> Cc: keycloak-user at lists.jboss.org
> >>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> >>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>>>
> >>>>>>>> You think there could be a way to do this within keycloak itself?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> I'll give you an example:
> >>>>>>>>
> >>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
> >>>>>>>> and he can go on with the flow.
> >>>>>>>>
> >>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
> >>>>>>>> we already have in our user database, we ask him for his password,
> >>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
> >>>>>>>> to a page where he can register himself, and after that continue on.
> >>>>>>>>
> >>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
> >>>>>>>> keycloak, because that would interrupt the flow that we designed.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> >>>>>>>>
> >>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
> >>>>>>>> issue within keycloak itself.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Just for the sake of conversation, if I did want to handle my own login
> >>>>>>>> page, would there be a way for me to do it?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> >>>>>>>> <rodrigopsasaki at gmail.com> wrote:
> >>>>>>>>
> >>>>>>>> I don't want to miss out on all of that, which is why we're mostly
> >>>>>>>> migrating everything to use keycloak that way.
> >>>>>>>>
> >>>>>>>> It's just that we have cases that are so specific, that it would be
> >>>>>>>> better to authenticate the user in a different manner, create the
> >>>>>>>> user session and everything, without redirecting.
> >>>>>>>>
> >>>>>>>> I'll have a look at that code. Thanks!
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
> >>>>>>>>
> >>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
> >>>>>>>> a lot of Keycloak features. Specifically:
> >>>>>>>>
> >>>>>>>> * SSO
> >>>>>>>> * forgot password
> >>>>>>>> * admin forced credential reset/setup
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Login pages can be styled however you like to look like your
> >>>>>>>> application.
> >>>>>>>>
> >>>>>>>> There is a REST api for obtaining an access token. Here is an
> >>>>>>>> example:
> >>>>>>>>
> >>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> >>>>>>>>
> >>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> >>>>>>>>> Is there a way to authenticate the user without having to input username
> >>>>>>>>> and password on the login page?
> >>>>>>>>>
> >>>>>>>>> For example:
> >>>>>>>>>
> >>>>>>>>> Say there's a situation in my application where I request the user for
> >>>>>>>>> his username and password, and I wouldn't like to redirect that to the
> >>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
> >>>>>>>>> do that?
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Rodrigo Sasaki
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> _______________________________________________
> >>>>>>>>> keycloak-user mailing list
> >>>>>>>>> keycloak-user at lists.jboss.org
> >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Bill Burke
> >>>>>>>> JBoss, a division of Red Hat
> >>>>>>>> http://bill.burkecentral.com
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Rodrigo Sasaki
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Rodrigo Sasaki
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Bill Burke
> >>>>>>>> JBoss, a division of Red Hat
> >>>>>>>> http://bill.burkecentral.com
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Rodrigo Sasaki
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Rodrigo Sasaki
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Rodrigo Sasaki
> >>>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>> http://bill.burkecentral.com
> >>>>
> >>>
> >>
> >>
> >>
> >> --
> >> Rodrigo Sasaki
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
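
The hand-off described at the top of this message (a special page on the app that extracts the code and then closes the popup), as an added example that is not part of the original thread or of Keycloak's own code. It assumes standard OAuth 2.0 `code`/`state`/`error` redirect parameters; `APP_ORIGIN`, `MSG_TYPE` and the function names are hypothetical.

```javascript
// Added example; APP_ORIGIN, MSG_TYPE and all function names are assumptions.
const APP_ORIGIN = "https://app.example.com"; // constructed placeholder origin
const MSG_TYPE = "kc-login-callback";

// Callback page: pull the OAuth 2.0 redirect parameters out of its own URL.
function parseCallback(href) {
  const url = new URL(href);
  if (url.origin !== APP_ORIGIN) return { ok: false, reason: "unexpected origin" };
  const q = url.searchParams;
  if (q.has("error")) return { ok: false, reason: "error: " + q.get("error") };
  const code = q.get("code");
  const state = q.get("state");
  if (!code || !state) return { ok: false, reason: "missing code or state" };
  return { ok: true, message: { type: MSG_TYPE, code, state } };
}

// Hosting page: accept the code only from our own origin, from the frame or
// window we opened, and only if it echoes the state value we generated.
function acceptLoginMessage(event, loginWindow, expectedState) {
  if (event.origin !== APP_ORIGIN) return null;
  if (event.source !== loginWindow) return null;
  const d = event.data;
  if (!d || d.type !== MSG_TYPE || typeof d.code !== "string") return null;
  if (!expectedState || d.state !== expectedState) return null;
  return d.code;
}

// Browser wiring for the callback page; skipped when run outside a browser.
if (typeof window !== "undefined") {
  const host = window.opener || (window.parent !== window ? window.parent : null);
  const result = parseCallback(window.location.href);
  if (host && result.ok) {
    // Explicit target origin, never "*", so the code cannot reach another site.
    host.postMessage(result.message, APP_ORIGIN);
  }
  if (window.opener) window.close();
}
```

The hosting page would call `acceptLoginMessage` from its `message` event listener and exchange the returned code for a token on the server side.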

