[keycloak-user] Temporary support for current sign-in flow

Marek Posolda mposolda at redhat.com
Wed Dec 5 03:24:13 EST 2018


I think you can achieve this with the OAuth2 Resource Owner Password 
Credentials Grant (in Keycloak, it is referred to as the Direct Grant flow).

As you pointed out, it will be good to have this really just as a temporary 
solution for legacy purposes, as this approach has quite a lot of 
limitations compared to having the login form properly shown on the Keycloak 
side (e.g. missing social logins, registration, "Forget password" 
functionality, etc.).

Marek

On 25/11/2018 23:47, Craig Setera wrote:
> As everyone is probably painfully aware from all of my questions, we are in
> the midst of replacing our proprietary login flow with a Keycloak
> OpenID-based flow.  The eventual goal is to use the standard Keycloak login
> pages to allow for extra factors of authentication such as Google
> Authenticator.
>
> One option that we've allowed until now is for customers to host custom
> login HTML forms (just username and password) on their sites.  This is
> something that we are (most likely) going to remove support for in the long
> run, but in the short term, I think we are going to need to support this if
> only to allow for a transition period.  The login flow is:
>
> Customer Site (HTML form) ->
> Login Handler (JEE Session) ->
> Redirect browser to SPA along with JSESSIONID
>
> All API calls use JEE sessions for "authentication".  What I'm hoping to do
> somehow in the short term is:
>
> Customer Site (HTML form) ->
> Login Handler ->
> Keycloak ->
> Redirect browser to SPA with OAuth codes/tokens
>
> What is the best/correct way to do something like this?  Should I be using
> the authorization code grant in this case?
>
> Thanks for any insights.
> Craig
>
> =================================
> *Craig Setera*
>
> *Chief Technology Officer*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
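
The Direct Grant exchange suggested in the reply, sketched from the login handler's side as an added example that is not part of the original thread or of Keycloak's own code. The base URL, realm, client id and secret are constructed placeholders, and a confidential client with Direct Access Grants enabled is assumed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class DirectGrantError(Exception):
    """Raised when Keycloak rejects the credentials or the client."""


def build_token_request(base_url, realm, client_id, client_secret, username, password):
    """Build the POST the login handler sends to the realm's token endpoint."""
    url = "%s/realms/%s/protocol/openid-connect/token" % (
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    form = urllib.parse.urlencode({
        "grant_type": "password",        # Resource Owner Password Credentials grant
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client: stays server-side
        "username": username,            # values taken from the customer's HTML form
        "password": password,
        "scope": "openid",
    }).encode("utf-8")
    return urllib.request.Request(url, data=form, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(status, body):
    """Return the token set on 200; otherwise raise with only the OAuth2 error code."""
    doc = json.loads(body)
    if status != 200 or "access_token" not in doc:
        raise DirectGrantError(doc.get("error", "unknown_error"))
    return {k: doc[k] for k in ("access_token", "refresh_token", "expires_in") if k in doc}


def direct_grant_login(base_url, realm, client_id, client_secret, username, password):
    """Exchange the form's username/password for tokens (needs network access)."""
    req = build_token_request(base_url, realm, client_id, client_secret, username, password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 400/401 responses carry a JSON error body
        return parse_token_response(err.code, err.read())
```

With this grant the handler sees the user's password in clear text and Keycloak never shows its own login pages, which is why the flows listed in the reply are unavailable.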



