[keycloak-user] Authenticate user without using login page
Stian Thorgersen
stian at redhat.com
Wed Jul 30 09:48:45 EDT 2014
Yes, login_hint is one of the optional request parameters supported by OpenID Connect
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Wednesday, 30 July, 2014 2:38:32 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> OpenID Connect protocol is used to implement this?
>
> On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> > Added login_hint query param. It can be used with keycloak.js with either:
> >
> > keycloak.login({ loginHint: 'username' })
> >
> > or
> >
> > keycloak.createLoginUrl({ loginHint: 'username' })
> >
> > ----- Original Message -----
> >> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> >> Sent: Friday, 25 July, 2014 6:11:47 PM
> >> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>
> >> It all worked great with the iframe, if I style it properly and use that
> >> login_hint it should be perfect.
> >>
> >> Now how should I go about developing/using this login_hint? Are there any
> >> tips on this, or is it something that you plan on including yourselves?
> >>
> >>
> >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
> >> wrote:
> >>
> >>> Just one more thing that wasn't completely clear to me.
> >>>
> >>> if I add a login page on an iframe, the user will be logged normally? Or
> >>> would I have to get a token and keep managing it?
> >>>
> >>>
> >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
> >>> wrote:
> >>>
> >>>> That idea actually sounds amazing, I didn't look into keycloak.js yet,
> >>>> but I'll see if I can get it working before I think about styling.
> >>>>
> >>>> Thank you very much!
> >>>>
> >>>>
> >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian at redhat.com>
> >>>> wrote:
> >>>>
> >>>>> I think we could quite easily add support for embedding the login page
> >>>>> to keycloak.js. Rough idea:
> >>>>>
> >>>>> 1. Set an option on keycloak.js to use embedded login form. Would also
> >>>>> require setting an id for a div where the form should be embedded.
> >>>>> 2. When clicking on login instead of redirecting it would render an
> >>>>> iframe element inside the configured div with the src of the iframe
> >>>>> being the login page on Keycloak
> >>>>> 3. The redirect-uri would be a special url on Keycloak that renders a
> >>>>> similar page to the iframe session page that allows posting a message
> >>>>> back to keycloak.js containing the code
> >>>>> 4. Now keycloak.js can swap the code as usual
> >>>>>
> >>>>> One thing is that we'd probably need an additional styling of the login
> >>>>> form, as you would want the login page to display differently when
> >>>>> embedded compared to when you redirect to it.
> >>>>>
> >>>>> ----- Original Message -----
> >>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> >>>>>> To: "Bill Burke" <bburke at redhat.com>
> >>>>>> Cc: keycloak-user at lists.jboss.org
> >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
> >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>
> >>>>>> The cookies should be set fine, as the iframe would contain the login
> >>>>>> page directly from Keycloak.
> >>>>>>
> >>>>>> It would redirect to a special page on the app that after extracting
> >>>>>> the code would close the popup.
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki"
> >>>>>>> <rodrigopsasaki at gmail.com>
> >>>>>>> Cc: keycloak-user at lists.jboss.org
> >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
> >>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>>
> >>>>>>> not sure this will work with SSO. I'm not sure CORS requests can
> >>>>>>> deal with cookies.
> >>>>>>>
> >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> >>>>>>>> What about using an iframe in the popup to include the login form
> >>>>>>>> from Keycloak?
> >>>>>>>>
> >>>>>>>> You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access
> >>>>>>>> with client id/secret and username/password and get a token back. With
> >>>>>>>> keycloak.js you can give it this token, not sure how/if this flow
> >>>>>>>> works with the server-side (Undertow) adapter.
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
> >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>>>>
> >>>>>>>>> Actually, the main problem is one of the flows where the password
> >>>>>>>>> request appears in a popup, there's no redirect at all, and one of the
> >>>>>>>>> things that were agreed upon when we decided to change the authentication
> >>>>>>>>> provider, was that nothing would be altered in the user experience.
> >>>>>>>>>
> >>>>>>>>> So I really have to try and make keycloak "fit in" in these
> >>>>>>>>> particular scenarios, they are not used as much as the ones where we'll
> >>>>>>>>> use the keycloak login page with our own style, but I do have to make
> >>>>>>>>> them work.
> >>>>>>>>>
> >>>>>>>>> When you say I could use direct grant to get a token, would that
> >>>>>>>>> count as the same as a user logging in? It's not really clear to me
> >>>>>>>>> right now
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com>
> >>>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>>> Yes, but I'm wondering why the following won't work:
> >>>>>>>>>>
> >>>>>>>>>> 1. Ask for the user's email (in your app, not KC)
> >>>>>>>>>> 2. Once you get to the flow where a user has to login:
> >>>>>>>>>> a) If user doesn't exist in KC (you can use admin endpoints to check
> >>>>>>>>>> this) redirect to registration page on KC with email already entered
> >>>>>>>>>> b) If user does exist in KC redirect to login page again with email
> >>>>>>>>>> already entered
> >>>>>>>>>> 3. Redirect back to app
> >>>>>>>>>>
> >>>>>>>>>> ----- Original Message -----
> >>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
> >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>>>>>>
> >>>>>>>>>>> It is because their first login screen is just something asking
> >>>>>>>>>>> for an email. If the email doesn't exist as a user, they want a
> >>>>>>>>>>> redirect to the register page.
> >>>>>>>>>>>
> >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'd like to know why redirecting to the login form, when styled
> >>>>>>>>>>>> to match your website, and using login_hint to pre-fill username/email
> >>>>>>>>>>>> doesn't work. Maybe there's something we can do so that you can still
> >>>>>>>>>>>> use the "proper" flow?
> >>>>>>>>>>>>
> >>>>>>>>>>>> ----- Original Message -----
> >>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>>>>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> >>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> >>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Sorry to keep insisting on this, but since it's being a huge
> >>>>>>>>>>>>> showstopper so far, I just have to ask.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> If I don't mind trading off SSO and all the other benefits that
> >>>>>>>>>>>>> the Keycloak login page provides me, would there be a way for me
> >>>>>>>>>>>>> to do what I want?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com>
> >>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> We could add support for login_hint query param so you can
> >>>>>>>>>>>>>> have the username/email field on the login form pre-filled for the
> >>>>>>>>>>>>>> user, so once a user has to authenticate you redirect to login on KC
> >>>>>>>>>>>>>> and all they would have to do is enter their password.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO, multi-factor
> >>>>>>>>>>>>>> support, required actions, recover password, etc, etc, etc..
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> As Bill mentioned we provide very flexible login forms that
> >>>>>>>>>>>>>> can be templated using either just css or even FreeMarker templates
> >>>>>>>>>>>>>> if you need a lot of customization, so you should be able to make
> >>>>>>>>>>>>>> the login form integrate well with your website.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> ----- Original Message -----
> >>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> >>>>>>>>>>>>>>> To: "Bill Burke" <bburke at redhat.com>
> >>>>>>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
> >>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> >>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> You think there could be a way to do this within keycloak itself?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
> >>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I'll give you an example:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> We have a situation in our website where we only ask for the
> >>>>>>>>>>>>>>> user's e-mail, and he can go on with the flow.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On a determined step of the flow, if we identify that this is
> >>>>>>>>>>>>>>> an e-mail that we already have in our user database, we ask him for
> >>>>>>>>>>>>>>> his password, authenticate him, and let him go on, if this e-mail is
> >>>>>>>>>>>>>>> new, we redirect him to a page where he can register himself, and
> >>>>>>>>>>>>>>> after that continue on.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On this specific case and others, we wouldn't like to have to
> >>>>>>>>>>>>>>> redirect him to keycloak, because that would interrupt the flow that
> >>>>>>>>>>>>>>> we designed.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com>
> >>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> If you have to do it this way, please let us know why. Maybe we
> >>>>>>>>>>>>>>> can solve the issue within keycloak itself.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Just for the sake of conversation, if I did want to handle my
> >>>>>>>>>>>>>>> own login page, would there be a way for me to do it?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> >>>>>>>>>>>>>>> <rodrigopsasaki at gmail.com <mailto:rodrigopsasaki at gmail.com>>
> >>>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I don't want to miss out on all of that, which is why we're
> >>>>>>>>>>>>>>> mostly migrating everything to use keycloak that way.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> It's just that we have cases that are so specific, that it
> >>>>>>>>>>>>>>> would be better to authenticate the user in a different manner,
> >>>>>>>>>>>>>>> create the user session and everything, without redirecting.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com
> >>>>>>>>>>>>>>> <mailto:bburke at redhat.com>> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> If you want to handle your own login pages, IMO, you are
> >>>>>>>>>>>>>>> missing out on a lot of Keycloak features. Specifically:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> * SSO
> >>>>>>>>>>>>>>> * forgot password
> >>>>>>>>>>>>>>> * admin forced credential reset/setup
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Login pages can be styled however you like to look like your
> >>>>>>>>>>>>>>> application.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> There is a REST api for obtaining an access token. Here is
> >>>>>>>>>>>>>>> an example:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> >>>>>>>>>>>>>>>> Is there a way to authenticate the user without having to
> >>>>>>>>>>>>>>>> input username and password on the login page?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> For example:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Say there's a situation in my application where I request the
> >>>>>>>>>>>>>>>> user for his username and password, and I wouldn't like to redirect
> >>>>>>>>>>>>>>>> that to the keycloak login page to authenticate him, would there be
> >>>>>>>>>>>>>>>> a way for me to do that?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>>> Rodrigo Sasaki
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>>>>>> keycloak-user mailing list
> >>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> >>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> --
> >>>>>>>>>>>>>>> Bill Burke
> >>>>>>>>>>>>>>> JBoss, a division of Red Hat
> >>>>>>>>>>>>>>> http://bill.burkecentral.com
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>
> >>>>>
> >>>>
> >>
>
>