[keycloak-user] Login without Keycloak Login Page

Wed Dec 21 04:24:50 EST 2016

stianst wrote
> That's an extremely bad hack! The authorization code flow is a redirect
> based flow and should not be used in this way.
> 
> Please use the real login page as recommended. Alternatively use resource
> owner password grant (direct grant in Keycloak). With direct grants you
> can
> only invalidate the refresh token, not the session or access token so you
> should have a short lifespan on your access tokens.
> 
> On 21 December 2016 at 09:21, ruiwp13 &lt;

> ruiwp_93@

> &gt; wrote:
> 
>> Bill Burke wrote
>> > On 12/20/16 12:00 PM, ruiwp13 wrote:
>> >> Bill Burke wrote
>> >>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>> >>>> Bill Burke wrote
>> >>>>> I looked at the image, specifically the @Path("/login") JAX-RS
>> method.
>> >>>>> What you are attempting will just not work.  Period.  I don't think
>> >>>>> you
>> >>>>> understand how basic servlet, JAX-RS, and HTTP works along with how
>> >>>>> Open
>> >>>>> ID Connection works.  OpenID Connect (and SAML) require browser
>> >>>>> redirects.  In looking at your code, you're expecting
>> authenticate()
>> >>>>> to
>> >>>>> redirect the browser to keycloak, have the user login, then
>> redirect
>> >>>>> back.  This just doesn't do what you expect.  And it shouldn't.
>> >>>>> Calling servletRequest.authenticate() sets a 302 response with a
>> >>>>> Location header pointing back to the server.   That's it...  You
>> >>>>> actually override what authenticate() did by returning a JAX-RS
>> >>>>> response.
>> >>>>> _______________________________________________
>> >>>>> keycloak-user mailing list
>> >>>>> keycloak-user at .jboss
>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>> Thank you for the answer Bill,
>> >>>>
>> >>>> It does redirect me to keycloak login page and then back to my login
>> >>>> page.
>> >>>> The redirect back is managed by keycloak. It redirects back to the
>> >>>> application after login. It may have something wrong when I do the
>> >>>> authenticate(), but it does redirect me to Keycloak login page. If I
>> >>>> knew
>> >>>> how everything worked I wasn't here asking for help eheh. I came
>> here
>> >>>> to
>> >>>> know what I was doing wrong or if it was a keycloak problem.
>> >>>>
>> >>>> What is the correct way to do it then?
>> >>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
>> >>> this a browser application?  If so, I strongly suggest you use our
>> >>> adapter and Keycloak Login pages.  Login pages can be stylized
>> however
>> >>> you want.  You are not using our adapter as it was intended to be
>> used
>> >>> so we just can't help you.  You're on your own.
>> >>>
>> >>> You can do a login without keycloak login pages, but this flow is for
>> >>> REST clients only, not browser applications.  Use direct grant [1] to
>> >>> obtain a token.  Here's a crude example [2]  Sorry there isn't better
>> >>> docs on this.
>> >>>
>> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
>> >>> [2]
>> >>> https://github.com/keycloak/keycloak/blob/master/examples/
>> demo-template/admin-access-app/src/main/java/org/
>> keycloak/example/AdminClient.java
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> keycloak-user mailing list
>> >>> keycloak-user at .jboss
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >> Is there no possibility of invalidating the token or at least, set
>> it's
>> >> expiration to "now" when the user logs out?
>> >> Now, when I logout I get the backchannel logout request from keycloak
>> but
>> >> the token is still valid. I am able to access the secured pages even
>> >> though
>> >> the session in keycloak has ended.
>> > Are you still doing your *hack* approach?
>> > HttpServletRequest.getSession().invalidate() might work.  Like I said
>> > before, if you insist on doing things your own way and in a way that
>> was
>> > not intended for the adapter to work, there's not much we can help you
>> > with.
>> >
>> > Bill
>> > _______________________________________________
>> > keycloak-user mailing list
>>
>> > keycloak-user at .jboss
>>
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> Hello Bill,
>>
>> Well, not sure if it is an hack approach. I want to login through REST
>> without having to be redirected to keycloak login page because there is a
>> part where there will be no broswer interaction.
>> At the moment, I am logging in with authorization code flow through HTTP
>> GETs and POSTs and scrapping the login form to get the code & state. I
>> also
>> send the client_session_state containing the
>> HttpServletRequest.getSession().getId()
>> To logout I am making a POST call to the logout endpoint sending the
>> refresh_token and the client_id and client_secret.
>>
>> Is this the right way to do it?
>> Otherwise how am I supposed to logout without a browser, in a servlet?
>>
>>
>>
>> --
>> View this message in context: http://keycloak-user.88327.x6.
>> nabble.com/Login-without-Keycloak-Login-Page-tp1974p2075.html
>> Sent from the keycloak-user mailing list archive at Nabble.com.
>> _______________________________________________
>> keycloak-user mailing list
>> 

> keycloak-user at .jboss

>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list

> keycloak-user at .jboss

> https://lists.jboss.org/mailman/listinfo/keycloak-user

OK, thank you. 

Well stianst, it is a bad hack but I am getting the callback from keycloak
to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
invalidate the token as well? When I tried the browser redirect login it did
logged me out of the app and I had to login again in browser to access
secured pages but I still could use the token anyway. The token was not
invalidated.

--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2078.html
Sent from the keycloak-user mailing list archive at Nabble.com.