[keycloak-user] Is it possible to authenticate against a Keycloak's Identity Provider (OpenAM) without using the Login screen?

Marek Posolda mposolda at redhat.com
Wed Aug 10 05:43:30 EDT 2016


- If you want to skip just the Keycloak login page, then you can possibly 
set "Authenticate by default" in the Keycloak admin console on the 
OpenAM identity provider screen. This means that Keycloak won't try to 
show the login screen, but will immediately redirect to the OpenAM login screen. 
However, in case you're not yet logged in to OpenAM, you will still see 
the OpenAM login screen. So this is likely not sufficient for you?

- Option 2) Probably better for the non-browser use case, but more complex. 
Keycloak has support for "direct access grants", aka the OAuth2 "Resource 
Owner password credentials grant". See the OAuth2 specs for details.
So you can implement your own Authenticator, which will re-send the 
provided username+password to OpenAM, and then if it succeeds, the 
Authenticator itself will create the user in the Keycloak DB (if it doesn't yet 
exist). You will need to create a new Authentication flow, put your 
Authenticator there, and configure it as the "Direct Grant" authenticator in 
the Keycloak admin console. See the Authentication SPI docs for more details.

This is possible only if OpenAM itself also has support for the "Resource 
owner password credentials grant" or something like that, which will 
allow sending just a REST request to validate username+password.

Maybe we should support this OOTB, as it looks like there are more people 
asking for it...

Marek

On 09/08/16 22:25, Abelardo Vacca wrote:
>
> I am wondering if it is possible to delegate authentication to an 
> identity provider, as you would on the Login Page, but using the REST API.
> I've posted to stackoverflow a few minutes ago with details and 
> diagrams to try to explain the best I could: 
> http://stackoverflow.com/questions/38859379/is-it-possible-to-authenticate-against-a-keycloaks-identity-provider-openam-w 
>
>
> Please feel free to correct any misconceptions I might have, I am new 
> to all these tools I am posting about (APIMAN, Keycloak and OpenAM)
>
> Thanks,
> Abelardo

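The Authenticator described in option 2, as an added example (not code from this thread or from Keycloak itself). It assumes OpenAM exposes an OAuth2 token endpoint that accepts the password grant for a public client and that the code runs on Java 11 or later; `TOKEN_URL`, `CLIENT_ID` and the class name are placeholders.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import org.keycloak.authentication.*;
import org.keycloak.models.*;
import org.keycloak.models.utils.KeycloakModelUtils;

public class OpenAmDirectGrantAuthenticator implements Authenticator {
    // Assumptions: placeholder token endpoint and client id, not values from the thread.
    private static final String TOKEN_URL = "https://openam.example.com/PLACEHOLDER/access_token";
    private static final String CLIENT_ID = "keycloak-bridge";
    private static final HttpClient HTTP = HttpClient.newHttpClient();

    @Override public void authenticate(AuthenticationFlowContext ctx) {
        String name = ctx.getHttpRequest().getDecodedFormParameters().getFirst("username");
        String pass = ctx.getHttpRequest().getDecodedFormParameters().getFirst("password");
        if (name == null || pass == null || !openAmAccepts(name, pass)) {
            ctx.failure(AuthenticationFlowError.INVALID_CREDENTIALS); // same error for every failure
            return;
        }
        RealmModel realm = ctx.getRealm();
        UserModel user = KeycloakModelUtils.findUserByNameOrEmail(ctx.getSession(), realm, name);
        if (user == null) { // first login through OpenAM: create the local Keycloak user
            user = ctx.getSession().users().addUser(realm, name);
            user.setEnabled(true);
        }
        ctx.setUser(user);
        ctx.success();
    }
    // Replays the credentials to OpenAM as a resource owner password credentials grant.
    private boolean openAmAccepts(String name, String pass) {
        String body = "grant_type=password&client_id=" + enc(CLIENT_ID)
                + "&username=" + enc(name) + "&password=" + enc(pass);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_URL))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(body)).build();
        try {
            return HTTP.send(req, HttpResponse.BodyHandlers.discarding()).statusCode() == 200;
        } catch (Exception e) {
            return false; // fail closed when OpenAM is unreachable
        }
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    @Override public void action(AuthenticationFlowContext ctx) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Keycloak loads the class through an `AuthenticatorFactory` registered under `META-INF/services`, which is not shown here. Because this authenticator handles the user's cleartext password, the OpenAM endpoint must be reached over TLS and the password must never be logged.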