[keycloak-user] Validate User Credentials Without Creating a Session

Josh Cain jcain at redhat.com
Fri Feb 2 09:18:28 EST 2018


Would be +1 for reviewing an option to alter this behavior.

Doing work again on docker flows, and they're truly stateless clients
(you can send session cookies/info, but they'll just be discarded by the
client).  We get the session creation overhead for no reason.

I also think of SAML ECP profile (if anyone is even using that these
days).  Does that need to create a session?

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 02/02/2018 07:23 AM, Pedro Igor Silva wrote:
> We have a similar behavior when doing client credentials where sessions are
> created on every single invocation to the token endpoint.
> 
> For grant types other than authorization code, can we review this behavior?
> I think I sent an e-mail about this some time ago ...
> 
> 
> On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda <mposolda at redhat.com> wrote:
> 
>> The easiest is to login through directGrant and then logout session with
>> the refreshToken. We have an example, which is doing that and shows
>> logout as well - It's admin-access-app from the preconfigured-demo
>> examples.
>>
>> The place where the credentials are checked is
>> Pbkdf2PasswordHashProvider. You can try to debug/investigate for seeing
>> further how to get there and what code calls this. If it's too much
>> trouble, I suggest to stick with directGrant + logout approach.
>>
>> Marek
>>
>> On 01/02/18 17:25, Scott Finlay wrote:
>>>
>>> Hi Marek,
>>>
>>>
>>> Thanks for the suggestion. Could you maybe point me in the right
>>> direction there?
>>>
>>> I'm having some difficulties finding the actual place where
>>> credentials are checked
>>>
>>> in the Keycloak code and where the session is being created.
>>>
>>>
>>> Additionally I've looked at the documentation
>>> (http://www.keycloak.org/docs/3.1/server_development/topics/extensions.html)
>>>
>>> but I'm having trouble understanding from that what these pieces
>>> described are actually for,
>>> where the entry point is, and how I can connect it to the actual
>>> Keycloak storage. I also don't
>>> really know how to actually integrate the endpoint into Keycloak once
>>> I have one built
>>>
>>> Regards,
>>> Scott
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Marek Posolda <mposolda at redhat.com>
>>> *Sent:* Wednesday, January 24, 2018 1:59:05 PM
>>> *To:* Scott Finlay; keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] Validate User Credentials Without
>>> Creating a Session
>>> Hi Scott,
>>>
>>> it's not available OOTB, but you can add your own REST endpoint to
>>> verify username/password. Or alternatively you can just do directGrant
>>> login (OAuth2 Resource Owner Password Credentials Grant) and then logout
>>> session.
>>>
>>> Marek
>>>
>>> On 23/01/18 09:49, Scott Finlay wrote:
>>>> Hi,
>>>>
>>>>
>>>> We're currently using Keycloak 2.5.5.Final, and in this version it's
>>>> not possible to validate a user's credentials (username / password
>>>> combination) without actually logging the user in, which results in a
>>>> session (and our sessions are long-lived). Is there any new functionality
>>>> introduced in the later versions of Keycloak to validate the credentials
>>>> without actually logging the user in?
>>>>
>>>>
>>>> Our use-case is that we have very long-lived tokens, but we want to
>>>> require the user to re-enter his/her password in order to perform some
>>>> certain sensitive tasks such as changing the password or username.
>>>>
>>>>
>>>> If such functionality is not available, would it be possible to add this?
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Scott
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>>
> 
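The direct-grant-then-logout approach Marek suggests, written out as an added example that is not part of this thread or of Keycloak's own code: it posts a Resource Owner Password Credentials grant to the realm's token endpoint and, on success, immediately ends the newly created session through the logout endpoint using the refresh token, so a password re-check for a sensitive action does not leave a long-lived login behind. The base URL, realm, client id/secret, user names and the injectable `post` transport are assumptions for illustration; the endpoint paths use the `/auth` context of the Keycloak versions discussed here.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint paths under the /auth context path of the Keycloak versions in this thread.
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"
LOGOUT_PATH = "/auth/realms/{realm}/protocol/openid-connect/logout"


def http_post(url, form):
    """Default transport: POST an urlencoded form and return (status, body).
    Tests swap in a fake so nothing touches the network."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def verify_password(base_url, realm, client_id, client_secret, username, password, post=http_post):
    """Re-check a user's password with a direct grant (ROPC) and log the resulting
    session out at once. Returns True/False for valid/invalid credentials and
    raises on anything else (client misconfiguration, logout failure)."""
    status, body = post(base_url + TOKEN_PATH.format(realm=realm), {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })
    if status == 401 and json.loads(body).get("error") == "invalid_grant":
        return False  # wrong username/password: Keycloak created no session
    if status != 200:
        raise RuntimeError("token endpoint returned %d: %s" % (status, body))
    refresh_token = json.loads(body)["refresh_token"]
    # A successful grant created a user session; end it right away.
    status, body = post(base_url + LOGOUT_PATH.format(realm=realm), {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })
    if status not in (200, 204):
        # Do not swallow this: the password was right, but the session may still be alive.
        raise RuntimeError("logout failed with %d; session may linger: %s" % (status, body))
    return True
```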
