[keycloak-user] RE: RV: How to force login (¿best practice?)

Pablo Bravo Pablo.Bravo at osudio.com
Tue Oct 30 05:09:01 EDT 2018


Hi Dimitry,

Thanks for answering! I'm trying to follow your steps, but on the last step I can't seem to find the way to assign the new flow in the client; I can't find the "Authentication Flow Overrides" setting.

We actually would like to not "disable" the SSO, if we could solve the following use case: 

Step 1 - User opens WEBAPP 1, logs in and starts using the webapp.
Step 2 - User opens WEBAPP 2 on a different tab and he sees the "login" button because WEBAPP 2 knows nothing about this visitor at this point.
Step 3 - User clicks on the "login" button and automatically gets logged in without seeing any login screen (in the background the browser went to keycloak, got the authentication OK and went back to WEBAPP 2).

How can we achieve that the user at the second step already gets logged in without having to actively click on login? This WEBAPP 2 is usable without login, so it shouldn't redirect all users to the login screen.

Thanks a lot for your help!

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro>
Sent: Tuesday, October 30, 2018 5:33
To: Pablo Bravo <Pablo.Bravo at osudio.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] RV: How to force login (¿best practice?)

Hello Pablo,

It's a bit unusual to hear people asking for how to *disable* SSO :) but here you go:
1. in admin console, go to Authentication;
2. make a copy of Browser flow;
3. in this new flow, disable or delete Cookie;
4. go to Clients -> (your client) -> Authentication Flow Overrides, change Browser Flow to your new flow, click Save.

After that, the client will always prompt for authentication, despite the previous login state.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-10-29 at 15:06 +0000, Pablo Bravo wrote:
> Hi all,
> 
> We are currently implementing keycloak and we are facing an issue that we are not sure what's the best way to solve it.
> 
> We have different webapps making use of the sso and that's working fine. The problem we have is when we log in using the sso in one webapp and then we do the same in a different webapp.
> 
> Initially this second webapp does not know which user is coming (and it's not necessary to be logged in to make use of it). When clicking on "login", it automatically logs in the user (by making a redirection to keycloak and automatically logging the already logged user in the other webapp). This second logging happens "transparently" to the user, since the redirection to keycloak is very fast and it's not noticeable. This behaviour is not very user friendly.
> 
> The question is: Taking into account that this second webapp can't know upfront which user is accessing the site (unless actively redirecting to keycloak), is it possible to always force the users to log in for a specific keycloak client? By this I mean actually ask the visitor for user/pw even if keycloak already knows them from other keycloak clients.
> 
> What's the best practice for this use case?
> 
> Thanks in advance!
> 
> Pablo
> 
> 
> 



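Added example, not part of the thread and not Keycloak's own code: a request-level alternative to the flow override described above, using the standard OpenID Connect `prompt` and `max_age` parameters to either force a fresh login or check silently for an existing SSO session, plus the relying-party check on `auth_time` that makes a forced login enforceable. The server URL, realm, client id, redirect URI and all function names are assumptions.

```python
import time
from urllib.parse import urlencode, parse_qs

# Constructed placeholders: server base URL and realm are assumptions.
BASE = "https://sso.example.test/auth"
REALM = "demo"

def build_auth_url(client_id, redirect_uri, state, nonce, mode):
    """mode='force' asks for a fresh credential prompt; mode='silent' asks
    the server to answer without showing any UI (OIDC Core `prompt`)."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if mode == "force":
        params["prompt"] = "login"
        params["max_age"] = "0"  # makes auth_time a required ID token claim
    elif mode == "silent":
        params["prompt"] = "none"
    else:
        raise ValueError("mode must be 'force' or 'silent'")
    return f"{BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"

def login_is_fresh(claims, max_age_seconds, now=None, skew=30):
    """Server-side check on an ID token whose signature, issuer, audience
    and nonce were already validated. The request parameters travel through
    the browser, so only auth_time shows that the user re-authenticated."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, (int, float)):
        return False
    return -skew <= now - auth_time <= max_age_seconds + skew

def silent_result(callback_query, expected_state):
    """Interpret the redirect back from a prompt=none request."""
    q = {k: v[0] for k, v in parse_qs(callback_query).items()}
    if q.get("state") != expected_state:
        return "reject"          # state mismatch: drop the response
    if q.get("error") in ("login_required", "interaction_required"):
        return "anonymous"       # no SSO session: keep showing "login"
    if "code" in q:
        return "exchange_code"   # SSO session exists: finish the login
    return "reject"
```

The `silent` mode corresponds to the Step 2 use case in the top message (log the visitor in only if a session already exists), and `force` to the original question of always asking for credentials.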