<div dir="ltr">Not really I think, the thing is I wanted to use the <b>login_hint</b> feature, but I don't think it will be possible based on what you said now, is that correct?<div><br></div><div>PS: added back the mailing list because I excluded it from the previous e-mail by mistake</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 29, 2014 at 9:12 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You can't create the login url yourself at the moment, this is because the adapter sets a cookie to store the state variable so it can check it in the callback.<br>
<br>
You can call HttpServletRequest.authenticate, which will redirect to the login after setting the state cookie. Does that work for you?<br>
<div class="im HOEnZb"><br>
----- Original Message -----<br>
> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
</div><div class="HOEnZb"><div class="h5">> Sent: Friday, 29 August, 2014 1:07:22 PM<br>
> Subject: Re: [keycloak-user] Authenticate user without using login page<br>
><br>
> I'm using the JBoss AS7 adapter<br>
> On Aug 29, 2014 3:46 AM, "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>> wrote:<br>
><br>
> > Which adapter are you using?<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>, <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Thursday, 28 August, 2014 3:51:17 PM<br>
> > > Subject: Re: [keycloak-user] Authenticate user without using login page<br>
> > ><br>
> > > Coming back to this, I have a quick question. What would be the best way<br>
> > > for me to create a valid login URL dynamically?<br>
> > ><br>
> > > when we try to access a protected resource, the login page comes up,<br>
> > > authenticates the user and it all works fine, but when I try to<br>
> > fabricate a<br>
> > > loginUrl to the redirect_uri that I need it to go after we encounter some<br>
> > > problems that I think may be related to the state variable, although I'm<br>
> > > not sure. I get Error 400 sometimes, which isn't very clear.<br>
> > ><br>
> > > Is there a guideline for this?<br>
> > ><br>
> > ><br>
> > > On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > wrote:<br>
> > ><br>
> > > > Yes, login_hint is one of the optional request parameters supported by<br>
> > > > OpenID Connect<br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
> > > > > To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>, "Rodrigo Sasaki" <<br>
> > > > <a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > Sent: Wednesday, 30 July, 2014 2:38:32 PM<br>
> > > > > Subject: Re: [keycloak-user] Authenticate user without using login<br>
> > page<br>
> > > > ><br>
> > > > > OpenID Connect protocol is used to implement this?<br>
> > > > ><br>
> > > > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote:<br>
> > > > > > Added login_hint query param. It can be used with keycloak.js with<br>
> > > > either:<br>
> > > > > ><br>
> > > > > > keycloak.login({ loginHint: 'username' })<br>
> > > > > ><br>
> > > > > > or<br>
> > > > > ><br>
> > > > > > keycloak.createLoginUrl({ loginHint: 'username' })<br>
> > > > > ><br>
> > > > > > ----- Original Message -----<br>
> > > > > >> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >> Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>,<br>
> > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >> Sent: Friday, 25 July, 2014 6:11:47 PM<br>
> > > > > >> Subject: Re: [keycloak-user] Authenticate user without using login<br>
> > > > page<br>
> > > > > >><br>
> > > > > >> It all worked great with the iframe, if I style it properly and<br>
> > use<br>
> > > > that<br>
> > > > > >> login_hint it should be perfect.<br>
> > > > > >><br>
> > > > > >> Now how should I go about developing/using this login_hint? Are<br>
> > there<br>
> > > > any<br>
> > > > > >> tips on this, or is it something that you plan on including<br>
> > > > yourselves?<br>
> > > > > >><br>
> > > > > >><br>
> > > > > >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <<br>
> > > > <a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >> wrote:<br>
> > > > > >><br>
> > > > > >>> Just one more thing that wasn't completely clear to me.<br>
> > > > > >>><br>
> > > > > >>> if I add a login page on an iframe, the user will be logged<br>
> > > > normally? Or<br>
> > > > > >>> would I have to get a token and keep managing it?<br>
> > > > > >>><br>
> > > > > >>><br>
> > > > > >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki<br>
> > > > > >>> <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a><br>
> > > > > >>>> wrote:<br>
> > > > > >>><br>
> > > > > >>>> That idea actually sounds amazing, I didn't look into<br>
> > keycloak.js<br>
> > > > yet,<br>
> > > > > >>>> but I'll see if I can get it working before I think about<br>
> > styling.<br>
> > > > > >>>><br>
> > > > > >>>> Thank you very much!<br>
> > > > > >>>><br>
> > > > > >>>><br>
> > > > > >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <<br>
> > > > <a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >>>> wrote:<br>
> > > > > >>>><br>
> > > > > >>>>> I think we could quite easily add support for embedding the<br>
> > login<br>
> > > > page<br>
> > > > > >>>>> to keycloak.js. Rough idea:<br>
> > > > > >>>>><br>
> > > > > >>>>> 1. Set an option on keycloak.js to use embedded login form.<br>
> > Would<br>
> > > > also<br>
> > > > > >>>>> require setting an id for a div where the form should be<br>
> > embedded.<br>
> > > > > >>>>> 2. When clicking on login instead of redirecting it would<br>
> > render an<br>
> > > > > >>>>> iframe element inside the configured div with the src of the<br>
> > iframe<br>
> > > > > >>>>> being<br>
> > > > > >>>>> the login page on Keycloak<br>
> > > > > >>>>> 3. The redirect-uri would be a special url on Keycloak that<br>
> > > > renders a<br>
> > > > > >>>>> similar page to the iframe session page that allows posting a<br>
> > > > message<br>
> > > > > >>>>> back<br>
> > > > > >>>>> to keycloak.js containing the code<br>
> > > > > >>>>> 4. Now keycloak.js can swap the code as usual<br>
> > > > > >>>>><br>
> > > > > >>>>> One thing is that we'd probably need an additional styling of<br>
> > the<br>
> > > > login<br>
> > > > > >>>>> form, as you would want the login page to display differently<br>
> > when<br>
> > > > > >>>>> embedded<br>
> > > > > >>>>> compared to when you redirect to it.<br>
> > > > > >>>>><br>
> > > > > >>>>> ----- Original Message -----<br>
> > > > > >>>>>> From: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >>>>>> To: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
> > > > > >>>>>> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM<br>
> > > > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using<br>
> > login<br>
> > > > > >>>>>> page<br>
> > > > > >>>>>><br>
> > > > > >>>>>> The cookies should be set fine, as the iframe would contain<br>
> > the<br>
> > > > login<br>
> > > > > >>>>> page<br>
> > > > > >>>>>> directly from Keycloak.<br>
> > > > > >>>>>><br>
> > > > > >>>>>> It would redirect to a special page on the app that after<br>
> > > > extracting<br>
> > > > > >>>>> the code<br>
> > > > > >>>>>> would close the popup.<br>
> > > > > >>>>>><br>
> > > > > >>>>>> ----- Original Message -----<br>
> > > > > >>>>>>> From: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
> > > > > >>>>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>, "Rodrigo Sasaki"<br>
> > > > > >>>>>>> <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >>>>>>> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM<br>
> > > > > >>>>>>> Subject: Re: [keycloak-user] Authenticate user without using<br>
> > > > login<br>
> > > > > >>>>> page<br>
> > > > > >>>>>>><br>
> > > > > >>>>>>> not sure this will work with SSO. I'm not sure CORS<br>
> > requests can<br>
> > > > > >>>>> deal<br>
> > > > > >>>>>>> with cookies.<br>
> > > > > >>>>>>><br>
> > > > > >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:<br>
> > > > > >>>>>>>> What about using an iframe in the popup to include the login<br>
> > > > form<br>
> > > > > >>>>> from<br>
> > > > > >>>>>>>> Keycloak?<br>
> > > > > >>>>>>>><br>
> > > > > >>>>>>>> You can send a HTTP POST to<br>
> > > > > >>>>> /auth-server/<realm>/tokens/grants/access<br>
> > > > > >>>>>>>> with<br>
> > > > > >>>>>>>> client id/secret and username/password and get a token back.<br>
> > > > With<br>
> > > > > >>>>>>>> keycloak.js you can give it this token, not sure how/if this<br>
> > > > flow<br>
> > > > > >>>>> works<br>
> > > > > >>>>>>>> with the server-side (Undertow) adapter.<br>
> > > > > >>>>>>>><br>
> > > > > >>>>>>>> ----- Original Message -----<br>
> > > > > >>>>>>>>> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >>>>>>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >>>>>>>>> Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>,<br>
> > > > > >>>>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM<br>
> > > > > >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without<br>
> > using<br>
> > > > > >>>>> login page<br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>> Actually, the main problem is one of the flows where the<br>
> > > > password<br>
> > > > > >>>>>>>>> request<br>
> > > > > >>>>>>>>> appears in a popup, there's no redirect at all, and one of<br>
> > the<br>
> > > > > >>>>> things<br>
> > > > > >>>>>>>>> that<br>
> > > > > >>>>>>>>> were agreed upon when decided to change the authentication<br>
> > > > > >>>>> provider, was<br>
> > > > > >>>>>>>>> that nothing would be altered in the user experience.<br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>> So I really have to try and make keycloak "fit in" in these<br>
> > > > > >>>>> particular<br>
> > > > > >>>>>>>>> scenarios, they are not used as much as the ones where<br>
> > we'll<br>
> > > > use<br>
> > > > > >>>>> the<br>
> > > > > >>>>>>>>> keycloak login page with our own style, but I do have to<br>
> > make<br>
> > > > > >>>>> them work.<br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>> When you say I could use direct grant to get a token, would<br>
> > > > that<br>
> > > > > >>>>> count<br>
> > > > > >>>>>>>>> as<br>
> > > > > >>>>>>>>> the same as a user logging in? It's not really clear to me<br>
> > > > right<br>
> > > > > >>>>> now<br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <<br>
> > > > > >>>>> <a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >>>>>>>>> wrote:<br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>>> Yes, but I'm wondering why the following won't work:<br>
> > > > > >>>>>>>>>><br>
> > > > > >>>>>>>>>> 1. Ask for users email (in your app, not KC)<br>
> > > > > >>>>>>>>>> 2. Once you get to the flow where a user has to login:<br>
> > > > > >>>>>>>>>> a) If user doesn't exist in KC (you can use admin<br>
> > > > endpoints<br>
> > > > > >>>>> to<br>
> > > > > >>>>>>>>>> check<br>
> > > > > >>>>>>>>>> this) redirect to registration page on KC with email<br>
> > already<br>
> > > > > >>>>> entered<br>
> > > > > >>>>>>>>>> b) If user does exist in KC redirect to login page<br>
> > again<br>
> > > > > >>>>> with email<br>
> > > > > >>>>>>>>>> already entered<br>
> > > > > >>>>>>>>>> 3. Redirect back to app<br>
> > > > > >>>>>>>>>><br>
> > > > > >>>>>>>>>> ----- Original Message -----<br>
> > > > > >>>>>>>>>>> From: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
> > > > > >>>>>>>>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>>, "Rodrigo<br>
> > Sasaki"<br>
> > > > <<br>
> > > > > >>>>>>>>>> <a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >>>>>>>>>>> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM<br>
> > > > > >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without<br>
> > using<br>
> > > > > >>>>> login<br>
> > > > > >>>>>>>>>>> page<br>
> > > > > >>>>>>>>>>><br>
> > > > > >>>>>>>>>>> It is because their first login screen is just something<br>
> > > > asking<br>
> > > > > >>>>> for an<br>
> > > > > >>>>>>>>>>> email. If the email doesn't exist as a user, they want a<br>
> > > > > >>>>> redirect to<br>
> > > > > >>>>>>>>>>> the register page.<br>
> > > > > >>>>>>>>>>><br>
> > > > > >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:<br>
> > > > > >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token.<br>
> > > > > >>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>> I'd like to know why redirecting to the login form, when<br>
> > > > > >>>>> styled to<br>
> > > > > >>>>>>>>>> match<br>
> > > > > >>>>>>>>>>>> your website, and using login_hint to pre-fill<br>
> > > > username/email<br>
> > > > > >>>>> doesn't<br>
> > > > > >>>>>>>>>>>> work. Maybe there's something we can do so that you can<br>
> > > > still<br>
> > > > > >>>>> use the<br>
> > > > > >>>>>>>>>>>> "proper" flow?<br>
> > > > > >>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>> ----- Original Message -----<br>
> > > > > >>>>>>>>>>>>> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >>>>>>>>>>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >>>>>>>>>>>>> Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>>,<br>
> > > > > >>>>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM<br>
> > > > > >>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without<br>
> > > > using<br>
> > > > > >>>>> login<br>
> > > > > >>>>>>>>>> page<br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>> Sorry to keep insisting on this, but since it's being a<br>
> > > > huge<br>
> > > > > >>>>>>>>>> showstopper<br>
> > > > > >>>>>>>>>>>>> so<br>
> > > > > >>>>>>>>>>>>> far, I just have to ask.<br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>> If I don't mind trading off SSO and all the other<br>
> > benefits<br>
> > > > > >>>>> that the<br>
> > > > > >>>>>>>>>>>>> Keycloak login page provides me, would there be a way<br>
> > for<br>
> > > > me<br>
> > > > > >>>>> to do<br>
> > > > > >>>>>>>>>> what I<br>
> > > > > >>>>>>>>>>>>> want?<br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <<br>
> > > > > >>>>> <a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> > > > > >>>>>>>>>>>>> wrote:<br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>> We could add support for login_hint query param so<br>
> > you can<br>
> > > > > >>>>> have the<br>
> > > > > >>>>>>>>>>>>>> username/email field on the login form pre-filled for<br>
> > the<br>
> > > > > >>>>> user, so<br>
> > > > > >>>>>>>>>> once a<br>
> > > > > >>>>>>>>>>>>>> user has to authenticate you redirect to login on KC<br>
> > and<br>
> > > > all<br>
> > > > > >>>>> they<br>
> > > > > >>>>>>>>>> would<br>
> > > > > >>>>>>>>>>>>>> have to do is enter their password.<br>
> > > > > >>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO,<br>
> > > > multi-factor<br>
> > > > > >>>>>>>>>>>>>> support,<br>
> > > > > >>>>>>>>>>>>>> required actions, recover password, etc, etc, etc..<br>
> > > > > >>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>> As Bill mentioned we provide very flexible login forms<br>
> > > > that<br>
> > > > > >>>>> can be<br>
> > > > > >>>>>>>>>>>>>> templated using either just css or even FreeMarker<br>
> > > > templates<br>
> > > > > >>>>> if you<br>
> > > > > >>>>>>>>>> need<br>
> > > > > >>>>>>>>>>>>>> a<br>
> > > > > >>>>>>>>>>>>>> lot of customization, so you should be able to make<br>
> > the<br>
> > > > > >>>>> login form<br>
> > > > > >>>>>>>>>>>>>> integrate well with your website.<br>
> > > > > >>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>> ----- Original Message -----<br>
> > > > > >>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <<a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a>><br>
> > > > > >>>>>>>>>>>>>>> To: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
> > > > > >>>>>>>>>>>>>>> Cc: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM<br>
> > > > > >>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user<br>
> > without<br>
> > > > > >>>>> using login<br>
> > > > > >>>>>>>>>> page<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> You think there could be a way to do this within<br>
> > keycloak<br>
> > > > > >>>>> itself?<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <<br>
> > > > > >>>>>>>>>>>>>> <a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a> ><br>
> > > > > >>>>>>>>>>>>>>> wrote:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> I'll give you an example:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> We have a situation in our website where we only ask<br>
> > for<br>
> > > > the<br>
> > > > > >>>>>>>>>>>>>>> user's<br>
> > > > > >>>>>>>>>>>>>> e-mail,<br>
> > > > > >>>>>>>>>>>>>>> and he can go on with the flow.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On a determined step of the flow, if we identify that<br>
> > > > this<br>
> > > > > >>>>> is an<br>
> > > > > >>>>>>>>>> e-mail<br>
> > > > > >>>>>>>>>>>>>> that<br>
> > > > > >>>>>>>>>>>>>>> we already have in our user database, we ask him for<br>
> > his<br>
> > > > > >>>>> password,<br>
> > > > > >>>>>>>>>>>>>>> authenticate him, and let him go on, if this e-mail<br>
> > is<br>
> > > > new,<br>
> > > > > >>>>> we<br>
> > > > > >>>>>>>>>> redirect<br>
> > > > > >>>>>>>>>>>>>> him<br>
> > > > > >>>>>>>>>>>>>>> to a page where he can register himself, and after<br>
> > that<br>
> > > > > >>>>> continue<br>
> > > > > >>>>>>>>>>>>>>> on.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On this specific case and others, we wouldn't like to<br>
> > > > have<br>
> > > > > >>>>> to<br>
> > > > > >>>>>>>>>> redirect<br>
> > > > > >>>>>>>>>>>>>> him to<br>
> > > > > >>>>>>>>>>>>>>> keycloak, because that would interrupt the flow that<br>
> > we<br>
> > > > > >>>>> designed.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <<br>
> > > > > >>>>> <a href="mailto:bburke@redhat.com">bburke@redhat.com</a> ><br>
> > > > > >>>>>>>>>> wrote:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> <a href="http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html" target="_blank">http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html</a><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> If you have to do it this way, please let us know<br>
> > why.<br>
> > > > > >>>>> Maybe we<br>
> > > > > >>>>>>>>>>>>>>> can<br>
> > > > > >>>>>>>>>>>>>> solve the<br>
> > > > > >>>>>>>>>>>>>>> issue within keycloak itself.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> Just for the sake of conversation, if I did want to<br>
> > > > handle<br>
> > > > > >>>>> my own<br>
> > > > > >>>>>>>>>> login<br>
> > > > > >>>>>>>>>>>>>>> page, would there be a way for me to do it?<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>>>> < <a href="mailto:rodrigopsasaki@gmail.com">rodrigopsasaki@gmail.com</a> <mailto:<br>
> > > > rodrigopsasaki@gmail.<br>
> > > > > >>>>> com >><br>
> > > > > >>>>>>>>>> wrote:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> I don't want to miss out on all of that, which is why<br>
> > > > we're<br>
> > > > > >>>>> mostly<br>
> > > > > >>>>>>>>>>>>>>> migrating everything to use keycloak that way.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> It's just that we have cases that are so specific,<br>
> > that<br>
> > > > it<br>
> > > > > >>>>> would<br>
> > > > > >>>>>>>>>>>>>>> be<br>
> > > > > >>>>>>>>>>>>>>> better to authenticate the user in a different<br>
> > manner,<br>
> > > > > >>>>> create the<br>
> > > > > >>>>>>>>>>>>>>> user session and everything, without redirecting.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> I'll have a look at that code. Thanks!<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <<br>
> > > > > >>>>> <a href="mailto:bburke@redhat.com">bburke@redhat.com</a><br>
> > > > > >>>>>>>>>>>>>>> <mailto: <a href="mailto:bburke@redhat.com">bburke@redhat.com</a> >> wrote:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> If you want to handle your own login pages, IMO, you<br>
> > are<br>
> > > > > >>>>> missing<br>
> > > > > >>>>>>>>>>>>>>> out on<br>
> > > > > >>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> * SSO<br>
> > > > > >>>>>>>>>>>>>>> * forgot password<br>
> > > > > >>>>>>>>>>>>>>> * admin forced credential reset/setup<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> Login pages can be styled however you like to look<br>
> > like<br>
> > > > your<br>
> > > > > >>>>>>>>>>>>>>> application.<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> There is a REST api for obtaining an access token.<br>
> > Here<br>
> > > > is<br>
> > > > > >>>>> an<br>
> > > > > >>>>>>>>>>>>>>> example:<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> <a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java</a><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:<br>
> > > > > >>>>>>>>>>>>>>>> Is there a way to authenticate the user without<br>
> > having<br>
> > > > to<br>
> > > > > >>>>>>>>>>>>>>> input username<br>
> > > > > >>>>>>>>>>>>>>>> and password on the login page?<br>
> > > > > >>>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>>> For example:<br>
> > > > > >>>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>>> Say there's a situation in my application where I<br>
> > > > request<br>
> > > > > >>>>> the<br>
> > > > > >>>>>>>>>>>>>>> user for<br>
> > > > > >>>>>>>>>>>>>>>> his username and password, and I wouldn't like to<br>
> > > > redirect<br>
> > > > > >>>>>>>>>>>>>>> that to the<br>
> > > > > >>>>>>>>>>>>>>>> keycloak login page to authenticate him, would<br>
> > there be<br>
> > > > a<br>
> > > > > >>>>> way<br>
> > > > > >>>>>>>>>>>>>>> for me to<br>
> > > > > >>>>>>>>>>>>>>>> do that?<br>
> > > > > >>>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>>> ______________________________ _________________<br>
> > > > > >>>>>>>>>>>>>>>> keycloak-user mailing list<br>
> > > > > >>>>>>>>>>>>>>>> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > > > > >>>>>>>>>>>>>>> <mailto: keycloak-user@lists. <a href="http://jboss.org" target="_blank">jboss.org</a> ><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>>> <a href="https://lists.jboss.org/" target="_blank">https://lists.jboss.org/</a><br>
> > mailman/listinfo/keycloak-user<br>
> > > > > >>>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>> Bill Burke<br>
> > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat<br>
> > > > > >>>>>>>>>>>>>>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>> Bill Burke<br>
> > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat<br>
> > > > > >>>>>>>>>>>>>>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>>>>>><br>
> > > > > >>>>>>>>>>><br>
> > > > > >>>>>>>>>>> --<br>
> > > > > >>>>>>>>>>> Bill Burke<br>
> > > > > >>>>>>>>>>> JBoss, a division of Red Hat<br>
> > > > > >>>>>>>>>>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > > >>>>>>>>>>><br>
> > > > > >>>>>>>>>><br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>>>> --<br>
> > > > > >>>>>>>>> Rodrigo Sasaki<br>
> > > > > >>>>>>>>><br>
> > > > > >>>>>>><br>
> > > > > >>>>>>> --<br>
> > > > > >>>>>>> Bill Burke<br>
> > > > > >>>>>>> JBoss, a division of Red Hat<br>
> > > > > >>>>>>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > > >>>>>>><br>
> > > > > >>>>><br>
> > > > > >>>><br>
> > > > > >>>><br>
> > > > > >>>><br>
> > > > > >>>> --<br>
> > > > > >>>> Rodrigo Sasaki<br>
> > > > > >>>><br>
> > > > > >>><br>
> > > > > >>><br>
> > > > > >>><br>
> > > > > >>> --<br>
> > > > > >>> Rodrigo Sasaki<br>
> > > > > >>><br>
> > > > > >><br>
> > > > > >><br>
> > > > > >><br>
> > > > > >> --<br>
> > > > > >> Rodrigo Sasaki<br>
> > > > > >><br>
> > > > ><br>
> > > > > --<br>
> > > > > Bill Burke<br>
> > > > > JBoss, a division of Red Hat<br>
> > > > > <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
> > > > ><br>
> > > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > --<br>
> > > Rodrigo Sasaki<br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><font face="Times New Roman">Rodrigo Sasaki</font><div></div></div>
</div>