[keycloak-user] Validate User Credentials Without Creating a Session

Pedro Igor Silva psilva at redhat.com
Fri Feb 2 08:23:09 EST 2018


We have a similar behavior when doing client credentials where sessions are
created on every single invocation to the token endpoint.

For grant types other than authorization code, can we review this behavior?
I think I sent an e-mail about this some time ago ...


On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda <mposolda at redhat.com> wrote:

> The easiest is to login through directGrant and then logout session with
> the refreshToken. We have an example, which is doing that and shows
> logout as well - It's admin-access-app from the preconfigured-demo
> examples.
>
> The place where the credentials are checked is
> Pbkdf2PasswordHashProvider. You can try to debug/investigate for seeing
> further how to get there and what code calls this. If it's too much
> trouble, I suggest sticking with the directGrant + logout approach.
>
> Marek
>
> On 01/02/18 17:25, Scott Finlay wrote:
> >
> > Hi Marek,
> >
> >
> > Thanks for the suggestion. Could you maybe point me in the right
> > direction there?
> >
> > I'm having some difficulties finding the actual place where
> > credentials are checked in the Keycloak code and where the session is
> > being created.
> >
> > Additionally I've looked at the documentation
> > (http://www.keycloak.org/docs/3.1/server_development/topics/extensions.html)
> > but I'm having trouble understanding from that what these pieces
> > described are actually for, where the entry point is, and how I can
> > connect it to the actual Keycloak storage. I also don't really know
> > how to actually integrate the endpoint into Keycloak once I have one
> > built.
> >
> > Regards,
> > Scott
> >
> >
> > ------------------------------------------------------------------------
> > *From:* Marek Posolda <mposolda at redhat.com>
> > *Sent:* Wednesday, January 24, 2018 1:59:05 PM
> > *To:* Scott Finlay; keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Validate User Credentials Without
> > Creating a Session
> > Hi Scott,
> >
> > it's not available OOTB, but you can add your own REST endpoint to
> > verify username/password. Or alternatively you can just do directGrant
> > login (OAuth2 Resource Owner Password Credentials Grant) and then logout
> > session.
> >
> > Marek
> >
> > On 23/01/18 09:49, Scott Finlay wrote:
> > > Hi,
> > >
> > >
> > > We're currently using Keycloak 2.5.5.Final, and in this version it's
> > > not possible to validate a user's credentials (username / password
> > > combination) without actually logging the user in, which results in a
> > > session (and our sessions are long-lived). Is there any new
> > > functionality introduced in the later versions of Keycloak to
> > > validate the credentials without actually logging the user in?
> > >
> > > Our use-case is that we have very long-lived tokens, but we want to
> > > require the user to re-enter his/her password in order to perform
> > > some certain sensitive tasks such as changing the password or
> > > username.
> > >
> > > If such functionality is not available, would it be possible to add
> > > this?
> > >
> > >
> > > Regards,
> > >
> > > Scott
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
>
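Marek's directGrant + logout approach, as an added Python example that is not part of this thread or of Keycloak itself: it assumes a confidential client with direct access grants enabled, the standard openid-connect token and logout endpoints, and a constructed fake server (hypothetical user "alice") so the flow can be exercised offline.

```python
"""Direct grant (Resource Owner Password Credentials) login immediately followed by
logout with the refresh token, so a password check leaves no long-lived session.
Added example, not Keycloak's code; assumes a confidential client with direct
access grants enabled. The transport is injected so it also runs offline."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

def endpoints(base_url, realm):
    # Standard Keycloak OpenID Connect endpoints (older servers sit under /auth).
    oidc = f"{base_url}/realms/{realm}/protocol/openid-connect"
    return oidc + "/token", oidc + "/logout"

def verify_password(post, base_url, realm, client_id, client_secret, username, password):
    """True if Keycloak accepts the credentials, False if it rejects them.
    `post(url, form)` returns (status, body). The session created by a successful
    grant is logged out before returning; a failed logout raises instead of
    silently leaving the session alive, which is the very thing to avoid."""
    token_url, logout_url = endpoints(base_url, realm)
    status, body = post(token_url, {
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username, "password": password})
    if status == 401 and json.loads(body).get("error") == "invalid_grant":
        return False                      # bad credentials: no session was created
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {body}")
    tokens = json.loads(body)             # used only to end the session just created
    status, body = post(logout_url, {"client_id": client_id,
        "client_secret": client_secret, "refresh_token": tokens["refresh_token"]})
    if status not in (200, 204):
        raise RuntimeError(f"logout failed ({status}); session still alive")
    return True

def http_post(url, form):
    # Real transport: form-encoded POST returning (status, body) even for 4xx.
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def fake_keycloak(url, form):
    # Constructed stand-in for the two endpoints with one hypothetical user.
    if url.endswith("/token"):
        if (form["username"], form["password"]) == ("alice", "correct horse"):
            return 200, json.dumps({"access_token": "at.demo", "refresh_token": "rt.demo"})
        return 401, json.dumps({"error": "invalid_grant"})
    if url.endswith("/logout") and form.get("refresh_token") == "rt.demo":
        return 204, ""
    return 400, json.dumps({"error": "invalid_grant"})
```

Against a real server, pass `http_post` instead of `fake_keycloak`; the tokens returned by the grant are never handed to the caller, only used to end the session.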

