[keycloak-user] Authenticate user without using login page

Stian Thorgersen stian at redhat.com
Mon Sep 1 03:33:21 EDT 2014



----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Friday, 29 August, 2014 4:09:41 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
> 
> Not really I think, the thing is I wanted to use the *login_hint* feature,
> but I don't think it will be possible based on what you said now, is that
> correct?

Yes, that's correct :/

The only adapter that will work atm with login_hint is the JS adapter. For as7/wildfly adapters you could work around it by creating and setting your own state cookie and generating the login_url (if you need some hints on how to do that let me know). If you create a jira to request adding support for login_hint to the as7/wildfly adapters then we can look at adding support for it after 1.0.final is released.

> 
> PS: added back the mailing list because I excluded it from the previous
> e-mail by mistake
> 
> 
> On Fri, Aug 29, 2014 at 9:12 AM, Stian Thorgersen <stian at redhat.com> wrote:
> 
> > You can't create the login url yourself at the moment, this is because the
> > adapter sets a cookie to store the state variable so it can check it in the
> > callback.
> >
> > You can call HttpServletRequest.authenticate, which will redirect to the
> > login after setting the state cookie. Does that work for you?
> >
> > ----- Original Message -----
> > > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > To: "Stian Thorgersen" <stian at redhat.com>
> > > Sent: Friday, 29 August, 2014 1:07:22 PM
> > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >
> > > I'm using the JBoss AS7 adapter
> > > On Aug 29, 2014 3:46 AM, "Stian Thorgersen" <stian at redhat.com> wrote:
> > >
> > > > Which adapter are you using?
> > > >
> > > > ----- Original Message -----
> > > > > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > To: "Stian Thorgersen" <stian at redhat.com>
> > > > > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > > > > Sent: Thursday, 28 August, 2014 3:51:17 PM
> > > > > Subject: Re: [keycloak-user] Authenticate user without using login
> > page
> > > > >
> > > > > Coming back to this, I have a quick question. What would be the best
> > way
> > > > > for me to create a valid login URL dynamically?
> > > > >
> > > > > when we try to access a protected resource, the login page comes up,
> > > > > authenticates the user and it all works fine, but when I try to
> > > > fabricate a
> > > > > loginUrl to the redirect_uri that I need it to go after we encounter
> > some
> > > > > problems that I think may be related to the state variable, although
> > I'm
> > > > > not sure. I get Error 400 sometimes, which isn't very clear.
> > > > >
> > > > > Is there a guideline for this?
> > > > >
> > > > >
> > > > > On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen <stian at redhat.com
> > >
> > > > wrote:
> > > > >
> > > > > > Yes, login_hint is one of the optional request parameters
> > supported by
> > > > > > OpenID Connect
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Bill Burke" <bburke at redhat.com>
> > > > > > > To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <
> > > > > > rodrigopsasaki at gmail.com>
> > > > > > > Cc: keycloak-user at lists.jboss.org
> > > > > > > Sent: Wednesday, 30 July, 2014 2:38:32 PM
> > > > > > > Subject: Re: [keycloak-user] Authenticate user without using
> > login
> > > > page
> > > > > > >
> > > > > > > OpenID Connect protocol is used to implement this?
> > > > > > >
> > > > > > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> > > > > > > > Added login_hint query param. It can be used with keycloak.js
> > with
> > > > > > either:
> > > > > > > >
> > > > > > > >    keycloak.login({ loginHint: 'username' })
> > > > > > > >
> > > > > > > > or
> > > > > > > >
> > > > > > > >    keycloak.createLoginUrl({ loginHint: 'username' })
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > >> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > > > >> To: "Stian Thorgersen" <stian at redhat.com>
> > > > > > > >> Cc: "Bill Burke" <bburke at redhat.com>,
> > > > keycloak-user at lists.jboss.org
> > > > > > > >> Sent: Friday, 25 July, 2014 6:11:47 PM
> > > > > > > >> Subject: Re: [keycloak-user] Authenticate user without using
> > login
> > > > > > page
> > > > > > > >>
> > > > > > > >> It all worked great with the iframe, if I style it properly
> > and
> > > > use
> > > > > > that
> > > > > > > >> login_hint it should be perfect.
> > > > > > > >>
> > > > > > > >> Now how should I go about developing/using this login_hint?
> > Are
> > > > there
> > > > > > any
> > > > > > > >> tips on this, or is it something that you plan on including
> > > > > > yourselves?
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <
> > > > > > rodrigopsasaki at gmail.com>
> > > > > > > >> wrote:
> > > > > > > >>
> > > > > > > >>> Just one more thing that wasn't completely clear to me.
> > > > > > > >>>
> > > > > > > >>> if I add a login page on an iframe, the user will be logged
> > > > > > normally? Or
> > > > > > > >>> would I have to get a token and keep managing it?
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki
> > > > > > > >>> <rodrigopsasaki at gmail.com
> > > > > > > >>>> wrote:
> > > > > > > >>>
> > > > > > > >>>> That idea actually sounds amazing, I didn't look into
> > > > keycloak.js
> > > > > > yet,
> > > > > > > >>>> but I'll see if I can get it working before I think about
> > > > styling.
> > > > > > > >>>>
> > > > > > > >>>> Thank you very much!
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <
> > > > > > stian at redhat.com>
> > > > > > > >>>> wrote:
> > > > > > > >>>>
> > > > > > > >>>>> I think we could quite easily add support for embedding the
> > > > login
> > > > > > page
> > > > > > > >>>>> to keycloak.js. Rough idea:
> > > > > > > >>>>>
> > > > > > > >>>>> 1. Set an option on keycloak.js to use embedded login form.
> > > > Would
> > > > > > also
> > > > > > > >>>>> require setting an id for a div where the form should be
> > > > embedded.
> > > > > > > >>>>> 2. When clicking on login instead of redirecting it would
> > > > render an
> > > > > > > >>>>> iframe element inside the configured div with the src of
> > the
> > > > iframe
> > > > > > > >>>>> being
> > > > > > > >>>>> the login page on Keycloak
> > > > > > > >>>>> 3. The redirect-uri would be a special url on Keycloak that
> > > > > > renders a
> > > > > > > >>>>> similar page to the iframe session page that allows
> > posting a
> > > > > > message
> > > > > > > >>>>> back
> > > > > > > >>>>> to keycloak.js containing the code
> > > > > > > >>>>> 4. Now keycloak.js can swap the code as usual
> > > > > > > >>>>>
> > > > > > > >>>>> One thing is that we'd probably need an additional styling
> > of
> > > > the
> > > > > > login
> > > > > > > >>>>> form, as you would want the login page to display
> > differently
> > > > when
> > > > > > > >>>>> embedded
> > > > > > > >>>>> compared to when you redirect to it.
> > > > > > > >>>>>
> > > > > > > >>>>> ----- Original Message -----
> > > > > > > >>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> > > > > > > >>>>>> To: "Bill Burke" <bburke at redhat.com>
> > > > > > > >>>>>> Cc: keycloak-user at lists.jboss.org
> > > > > > > >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
> > > > > > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without
> > using
> > > > login
> > > > > > > >>>>>> page
> > > > > > > >>>>>>
> > > > > > > >>>>>> The cookies should be set fine, as the iframe would
> > contain
> > > > the
> > > > > > login
> > > > > > > >>>>> page
> > > > > > > >>>>>> directly from Keycloak.
> > > > > > > >>>>>>
> > > > > > > >>>>>> It would redirect to a special page on the app that after
> > > > > > extracting
> > > > > > > >>>>> the code
> > > > > > > >>>>>> would close the popup.
> > > > > > > >>>>>>
> > > > > > > >>>>>> ----- Original Message -----
> > > > > > > >>>>>>> From: "Bill Burke" <bburke at redhat.com>
> > > > > > > >>>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo
> > Sasaki"
> > > > > > > >>>>>>> <rodrigopsasaki at gmail.com>
> > > > > > > >>>>>>> Cc: keycloak-user at lists.jboss.org
> > > > > > > >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
> > > > > > > >>>>>>> Subject: Re: [keycloak-user] Authenticate user without
> > using
> > > > > > login
> > > > > > > >>>>> page
> > > > > > > >>>>>>>
> > > > > > > >>>>>>> not sure this will work with SSO.  I'm not sure CORS
> > > > requests can
> > > > > > > >>>>> deal
> > > > > > > >>>>>>> with cookies.
> > > > > > > >>>>>>>
> > > > > > > >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > > > > > >>>>>>>> What about using an iframe in the popup to include the
> > login
> > > > > > form
> > > > > > > >>>>> from
> > > > > > > >>>>>>>> Keycloak?
> > > > > > > >>>>>>>>
> > > > > > > >>>>>>>> You can send a HTTP POST to
> > > > > > > >>>>> /auth-server/<realm>/tokens/grants/access
> > > > > > > >>>>>>>> with
> > > > > > > >>>>>>>> client id/secret and username/password and get a token
> > back.
> > > > > > With
> > > > > > > >>>>>>>> keycloak.js you can give it this token, not sure how/if
> > this
> > > > > > flow
> > > > > > > >>>>> works
> > > > > > > >>>>>>>> with the server-side (Undertow) adapter.
> > > > > > > >>>>>>>>
> > > > > > > >>>>>>>> ----- Original Message -----
> > > > > > > >>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > > > >>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > > > > > > >>>>>>>>> Cc: "Bill Burke" <bburke at redhat.com>,
> > > > > > > >>>>> keycloak-user at lists.jboss.org
> > > > > > > >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
> > > > > > > >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without
> > > > using
> > > > > > > >>>>> login page
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>> Actually, the main problem is one of the flows where
> > the
> > > > > > password
> > > > > > > >>>>>>>>> request
> > > > > > > >>>>>>>>> appears in a popup, there's no redirect at all, and
> > one of
> > > > the
> > > > > > > >>>>> things
> > > > > > > >>>>>>>>> that
> > > > > > > >>>>>>>>> were agreed upon when decided to change the
> > authentication
> > > > > > > >>>>> provider, was
> > > > > > > >>>>>>>>> that nothing would be altered in the user experience.
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>> So I really have to try and make keycloak "fit in" in
> > these
> > > > > > > >>>>> particular
> > > > > > > >>>>>>>>> scenarios, they are not used as much as the ones where
> > > > we'll
> > > > > > use
> > > > > > > >>>>> the
> > > > > > > >>>>>>>>> keycloak login page with our own style, but I do have
> > to
> > > > make
> > > > > > > >>>>> them work.
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>> When you say I could use direct grant to get a token,
> > would
> > > > > > that
> > > > > > > >>>>> count
> > > > > > > >>>>>>>>> as
> > > > > > > >>>>>>>>> the same as an user logging in? It's not really clear
> > to me
> > > > > > right
> > > > > > > >>>>> now
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <
> > > > > > > >>>>> stian at redhat.com>
> > > > > > > >>>>>>>>> wrote:
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>>> Yes, but I'm wondering why the following won't work:
> > > > > > > >>>>>>>>>>
> > > > > > > >>>>>>>>>> 1. Ask for users email (in your app, not KC)
> > > > > > > >>>>>>>>>> 2. Once you get to the flow where a user has to login:
> > > > > > > >>>>>>>>>>      a) If user doesn't exist in KC (you can use admin
> > > > > > endpoints
> > > > > > > >>>>> to
> > > > > > > >>>>>>>>>>      check
> > > > > > > >>>>>>>>>> this) redirect to registration page on KC with email
> > > > already
> > > > > > > >>>>> entered
> > > > > > > >>>>>>>>>>      b) If user does exist in KC redirect to login
> > page
> > > > again
> > > > > > > >>>>> with email
> > > > > > > >>>>>>>>>> already entered
> > > > > > > >>>>>>>>>> 3. Redirect back to app
> > > > > > > >>>>>>>>>>
> > > > > > > >>>>>>>>>> ----- Original Message -----
> > > > > > > >>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> > > > > > > >>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo
> > > > Sasaki"
> > > > > > <
> > > > > > > >>>>>>>>>> rodrigopsasaki at gmail.com>
> > > > > > > >>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
> > > > > > > >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > > > > > > >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> > without
> > > > using
> > > > > > > >>>>> login
> > > > > > > >>>>>>>>>>> page
> > > > > > > >>>>>>>>>>>
> > > > > > > >>>>>>>>>>> It is because their first login screen is just
> > something
> > > > > > asking
> > > > > > > >>>>> for an
> > > > > > > >>>>>>>>>>> email.  If the email doesn't exist as a user, they
> > want a
> > > > > > > >>>>> redirect to
> > > > > > > >>>>>>>>>>> the register page.
> > > > > > > >>>>>>>>>>>
> > > > > > > >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > > > > > >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a
> > token.
> > > > > > > >>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>> I'd like to know why redirecting to the login form,
> > when
> > > > > > > >>>>> styled to
> > > > > > > >>>>>>>>>> match
> > > > > > > >>>>>>>>>>>> your website, and using login_hint to pre-fill
> > > > > > username/email
> > > > > > > >>>>> doesn't
> > > > > > > >>>>>>>>>>>> work. Maybe there's something we can do so that you
> > can
> > > > > > still
> > > > > > > >>>>> use the
> > > > > > > >>>>>>>>>>>> "proper" flow?
> > > > > > > >>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>> ----- Original Message -----
> > > > > > > >>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > > > > > > >>>>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > > > > > > >>>>>>>>>>>>> Cc: "Bill Burke" <bburke at redhat.com>,
> > > > > > > >>>>> keycloak-user at lists.jboss.org
> > > > > > > >>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > > > > > > >>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> > without
> > > > > > using
> > > > > > > >>>>> login
> > > > > > > >>>>>>>>>> page
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>> Sorry to keep insisting on this, but since it's
> > being a
> > > > > > huge
> > > > > > > >>>>>>>>>> showstopper
> > > > > > > >>>>>>>>>>>>> so
> > > > > > > >>>>>>>>>>>>> far, I just have to ask.
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>> If I don't mind trading off SSO and all the other
> > > > benefits
> > > > > > > >>>>> that the
> > > > > > > >>>>>>>>>>>>> Keycloak login page provides me, would there be a
> > way
> > > > for
> > > > > > me
> > > > > > > >>>>> to do
> > > > > > > >>>>>>>>>> what I
> > > > > > > >>>>>>>>>>>>> want?
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <
> > > > > > > >>>>> stian at redhat.com>
> > > > > > > >>>>>>>>>>>>> wrote:
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>> We could add support for login_hint query param so
> > > > you can
> > > > > > > >>>>> have the
> > > > > > > >>>>>>>>>>>>>> username/email field on the login form pre-filled
> > for
> > > > the
> > > > > > > >>>>> user, so
> > > > > > > >>>>>>>>>> once a
> > > > > > > >>>>>>>>>>>>>> user has to authenticate you redirect to login on
> > KC
> > > > and
> > > > > > all
> > > > > > > >>>>> they
> > > > > > > >>>>>>>>>> would
> > > > > > > >>>>>>>>>>>>>> have to do is enter their password.
> > > > > > > >>>>>>>>>>>>>>
> > > > > > > > >>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO,
> > > > > > multi-factor
> > > > > > > >>>>>>>>>>>>>> support,
> > > > > > > >>>>>>>>>>>>>> required actions, recover password, etc, etc,
> > etc..
> > > > > > > >>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>> As Bill mentioned we provide very flexible login
> > forms
> > > > > > that
> > > > > > > >>>>> can be
> > > > > > > >>>>>>>>>>>>>> templated using either just css or even FreeMarker
> > > > > > templates
> > > > > > > >>>>> if you
> > > > > > > >>>>>>>>>> need
> > > > > > > >>>>>>>>>>>>>> a
> > > > > > > >>>>>>>>>>>>>> lot of customization, so you should be able to
> > make
> > > > the
> > > > > > > >>>>> login form
> > > > > > > >>>>>>>>>>>>>> integrate well with your website.
> > > > > > > >>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>> ----- Original Message -----
> > > > > > > >>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com
> > >
> > > > > > > >>>>>>>>>>>>>>> To: "Bill Burke" <bburke at redhat.com>
> > > > > > > >>>>>>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
> > > > > > > >>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > > > > > > >>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> > > > without
> > > > > > > >>>>> using login
> > > > > > > >>>>>>>>>> page
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> You think there could be a way to do this within
> > > > keycloak
> > > > > > > >>>>> itself?
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <
> > > > > > > >>>>>>>>>>>>>> rodrigopsasaki at gmail.com >
> > > > > > > >>>>>>>>>>>>>>> wrote:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> I'll give you an example:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> We have a situation in our website where we only
> > ask
> > > > for
> > > > > > the
> > > > > > > >>>>>>>>>>>>>>> user's
> > > > > > > >>>>>>>>>>>>>> e-mail,
> > > > > > > >>>>>>>>>>>>>>> and he can go on with the flow.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On a determined step of the flow, if we identify
> > that
> > > > > > this
> > > > > > > >>>>> is an
> > > > > > > >>>>>>>>>> e-mail
> > > > > > > >>>>>>>>>>>>>> that
> > > > > > > >>>>>>>>>>>>>>> we already have in our user database, we ask him
> > for
> > > > his
> > > > > > > >>>>> password,
> > > > > > > >>>>>>>>>>>>>>> authenticate him, and let him go on, if this
> > e-mail
> > > > is
> > > > > > new,
> > > > > > > >>>>> we
> > > > > > > >>>>>>>>>> redirect
> > > > > > > >>>>>>>>>>>>>> him
> > > > > > > >>>>>>>>>>>>>>> to a page where he can register himself, and
> > after
> > > > that
> > > > > > > >>>>> continue
> > > > > > > >>>>>>>>>>>>>>> on.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On this specific case and others, we wouldn't
> > like to
> > > > > > have
> > > > > > > >>>>> to
> > > > > > > >>>>>>>>>> redirect
> > > > > > > >>>>>>>>>>>>>> him to
> > > > > > > >>>>>>>>>>>>>>> keycloak, because that would interrupt the flow
> > that
> > > > we
> > > > > > > >>>>> designed.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <
> > > > > > > >>>>> bburke at redhat.com >
> > > > > > > >>>>>>>>>> wrote:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > > >>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> If you have to do it this way, please let us know
> > > > why.
> > > > > > > >>>>> Maybe we
> > > > > > > >>>>>>>>>>>>>>> can
> > > > > > > >>>>>>>>>>>>>> solve the
> > > > > > > >>>>>>>>>>>>>>> issue within keycloak itself.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> Just for the sake of conversation, if I did want
> > to
> > > > > > handle
> > > > > > > >>>>> my own
> > > > > > > >>>>>>>>>> login
> > > > > > > >>>>>>>>>>>>>>> page, would there be a way for me to do it?
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>>> < rodrigopsasaki at gmail.com <mailto:
> > > > > > rodrigopsasaki at gmail.
> > > > > > > >>>>> com >>
> > > > > > > >>>>>>>>>> wrote:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> I don't want to miss out on all of that, which
> > is why
> > > > > > we're
> > > > > > > >>>>> mostly
> > > > > > > >>>>>>>>>>>>>>> migrating everything to use keycloak that way.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> It's just that we have cases that are so
> > specific,
> > > > that
> > > > > > it
> > > > > > > >>>>> would
> > > > > > > >>>>>>>>>>>>>>> be
> > > > > > > >>>>>>>>>>>>>>> better to authenticate the user in a different
> > > > manner,
> > > > > > > >>>>> create the
> > > > > > > >>>>>>>>>>>>>>> user session and everything, without redirecting.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <
> > > > > > > >>>>> bburke at redhat.com
> > > > > > > >>>>>>>>>>>>>>> <mailto: bburke at redhat.com >> wrote:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> If you want to handle your own login pages, IMO,
> > you
> > > > are
> > > > > > > >>>>> missing
> > > > > > > >>>>>>>>>>>>>>> out on
> > > > > > > >>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> * SSO
> > > > > > > >>>>>>>>>>>>>>> * forgot password
> > > > > > > >>>>>>>>>>>>>>> * admin forced credential reset/setup
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> Login pages can be styled however you like to
> > look
> > > > like
> > > > > > your
> > > > > > > >>>>>>>>>>>>>>> application.
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> There is a REST api for obtaining an access
> > token.
> > > > Here
> > > > > > is
> > > > > > > >>>>> an
> > > > > > > >>>>>>>>>>>>>>> example:
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > > >>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > > > > > > >>>>>>>>>>>>>>>> Is there a way to authenticate the user without
> > > > having
> > > > > > to
> > > > > > > >>>>>>>>>>>>>>> input username
> > > > > > > >>>>>>>>>>>>>>>> and password on the login page?
> > > > > > > >>>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>> For example:
> > > > > > > >>>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>> Say there's a situation in my application where
> > I
> > > > > > request
> > > > > > > >>>>> the
> > > > > > > >>>>>>>>>>>>>>> user for
> > > > > > > >>>>>>>>>>>>>>>> his username and password, and I wouldn't like
> > to
> > > > > > redirect
> > > > > > > >>>>>>>>>>>>>>> that to the
> > > > > > > >>>>>>>>>>>>>>>> keycloak login page to authenticate him, would
> > > > there be
> > > > > > a
> > > > > > > >>>>> way
> > > > > > > >>>>>>>>>>>>>>> for me to
> > > > > > > >>>>>>>>>>>>>>>> do that?
> > > > > > > >>>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>>
> > > > > > > > >>>>>>>>>>>>>>>> _______________________________________________
> > > > > > > > >>>>>>>>>>>>>>>> keycloak-user mailing list
> > > > > > > > >>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
> > > > > > > > >>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > > >>>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>> Bill Burke
> > > > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > > >>>>>>>>>>>>>>> http://bill.burkecentral.com
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>> Bill Burke
> > > > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > > >>>>>>>>>>>>>>> http://bill.burkecentral.com
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>>> --
> > > > > > > >>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>>>>>
> > > > > > > >>>>>>>>>>>
> > > > > > > >>>>>>>>>>> --
> > > > > > > >>>>>>>>>>> Bill Burke
> > > > > > > >>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > > >>>>>>>>>>> http://bill.burkecentral.com
> > > > > > > >>>>>>>>>>>
> > > > > > > >>>>>>>>>>
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>>> --
> > > > > > > >>>>>>>>> Rodrigo Sasaki
> > > > > > > >>>>>>>>>
> > > > > > > >>>>>>>
> > > > > > > >>>>>>> --
> > > > > > > >>>>>>> Bill Burke
> > > > > > > >>>>>>> JBoss, a division of Red Hat
> > > > > > > >>>>>>> http://bill.burkecentral.com
> > > > > > > >>>>>>>
> > > > > > > >>>>>>
> > > > > > > >>>>>
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>>
> > > > > > > >>>> --
> > > > > > > >>>> Rodrigo Sasaki
> > > > > > > >>>>
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>>
> > > > > > > >>> --
> > > > > > > >>> Rodrigo Sasaki
> > > > > > > >>>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >>
> > > > > > > >> --
> > > > > > > >> Rodrigo Sasaki
> > > > > > > >>
> > > > > > >
> > > > > > > --
> > > > > > > Bill Burke
> > > > > > > JBoss, a division of Red Hat
> > > > > > > http://bill.burkecentral.com
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Rodrigo Sasaki
> > > > >
> > > >
> > >
> >
> 
> 
> 
> --
> Rodrigo Sasaki
> 

