Access to IDM from Java EJB
by Сергій Дзюбін
Good afternoon.
My English is not very good, so I apologize in advance. I really liked your project
Keycloak. I have a number of questions about it, and I ask for your help.
So ...
1. How do I create a user with a specified password through the REST interface from JSApp? In
my case I "PUT" reset-password and get "Access to the specified resource
has been forbidden", but without a password it is OK.
2. How do I check in a stateless EJB which roles belong to a particular user,
get his ID, etc.? That is, how to access the IDM users from the business code.
Thank you very much.
10 years, 4 months
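The two admin REST calls behind "create a user with a password", as an added example that is not code from this post or from the Keycloak project: the user is created first, then a credential is PUT to the reset-password endpoint the question mentions, and a 403 on that second call is surfaced to the caller instead of being lost. The paths (`/admin/realms/{realm}/users`, `.../reset-password`), the JSON shapes, the status codes 201/204 and the `send` transport signature are assumptions based on Keycloak's admin API and should be checked against the documentation of your version; the server stand-in, token and account values are constructed for the demonstration.

```javascript
// Added example, not code from the original post or the Keycloak project.
// `send(method, url, headers, body) -> { status, headers }` is an injected
// synchronous transport so the flow can run offline; a real one would wrap
// fetch or XMLHttpRequest. Paths and JSON shapes are assumptions (see lead-in).

function createUserWithPassword(send, { baseUrl, realm, token, username, password }) {
  const usersUrl = `${baseUrl}/admin/realms/${encodeURIComponent(realm)}/users`;
  const headers = {
    Authorization: 'Bearer ' + token,
    'Content-Type': 'application/json',
  };

  // Step 1: create the user without any credential.
  const created = send('POST', usersUrl, headers, { username, enabled: true });
  if (created.status !== 201) return failure('create-user', created.status);

  // The new resource comes back in the Location header; its last segment is the id.
  const location = created.headers.Location || '';
  const userId = location.substring(location.lastIndexOf('/') + 1);
  if (!userId) return failure('create-user', created.status, 'no Location header');

  // Step 2: set a permanent password. temporary=true would force a change on first login.
  const reset = send('PUT', `${usersUrl}/${userId}/reset-password`, headers,
    { type: 'password', value: password, temporary: false });
  if (reset.status !== 204) return failure('reset-password', reset.status);

  return { ok: true, userId };
}

// Turns an unexpected status into a result the caller can act on. A 403 on the
// second call while the first succeeded is the symptom from the question: the
// token is not authorised for credential changes, so the user now exists but
// has no password, and the caller must know that rather than assume success.
function failure(step, status, detail) {
  const hint = status === 403
    ? `token not authorised for ${step}; check the admin role mappings of the account or client the token was issued to`
    : detail || 'unexpected status';
  return { ok: false, step, status, hint };
}

// Constructed stand-in for a Keycloak server, used only to exercise the flow
// offline. `allowCredentialChange` mimics whether the token's roles cover the
// reset-password endpoint.
function fakeKeycloak({ allowCredentialChange }) {
  let nextId = 1;
  return (method, url, headers, body) => {
    if (!/^Bearer \S+$/.test(headers.Authorization || '')) return { status: 401, headers: {} };
    if (method === 'POST' && url.endsWith('/users')) {
      const id = `user-${nextId++}`;
      return { status: 201, headers: { Location: `${url}/${id}` } };
    }
    if (method === 'PUT' && url.endsWith('/reset-password')) {
      if (!allowCredentialChange) return { status: 403, headers: {} };
      if (body.type !== 'password' || !body.value) return { status: 400, headers: {} };
      return { status: 204, headers: {} };
    }
    return { status: 404, headers: {} };
  };
}

// Usage with constructed values:
const args = { baseUrl: 'https://sso.example.test/auth', realm: 'demo',
  token: 'ADMIN-TOKEN-PLACEHOLDER', username: 'alice', password: 'constructed-P@ss' };
console.log(createUserWithPassword(fakeKeycloak({ allowCredentialChange: true }), args));
console.log(createUserWithPassword(fakeKeycloak({ allowCredentialChange: false }), args));
```

The point of returning `{ ok: false, step, status }` rather than throwing on the first call only is that the two requests are not atomic: if the second is refused, an enabled account without a credential is left behind, which is exactly the situation the question describes and which an operator should detect and clean up.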
Re: [keycloak-user] Authenticate user without using login page
by Rodrigo Sasaki
Not really I think, the thing is I wanted to use the *login_hint* feature,
but I don't think it will be possible based on what you said now, is that
correct?
PS: added back the mailing list because I excluded it from the previous
e-mail by mistake
On Fri, Aug 29, 2014 at 9:12 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> You can't create the login url yourself at the moment, this is because the
> adapter sets a cookie to store the state variable so it can check it in the
> callback.
>
> You can call HttpServletRequest.authenticate, which will redirect to the
> login after setting the state cookie. Does that work for you?
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Sent: Friday, 29 August, 2014 1:07:22 PM
> > Subject: Re: [keycloak-user] Authenticate user without using login page
> >
> > I'm using the JBoss AS7 adapter
> > On Aug 29, 2014 3:46 AM, "Stian Thorgersen" <stian(a)redhat.com> wrote:
> >
> > > Which adapter are you using?
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > > > Sent: Thursday, 28 August, 2014 3:51:17 PM
> > > > Subject: Re: [keycloak-user] Authenticate user without using login
> page
> > > >
> > > > Coming back to this, I have a quick question. What would be the best
> way
> > > > for me to create a valid login URL dynamically?
> > > >
> > > > when we try to access a protected resource, the login page comes up,
> > > > authenticates the user and it all works fine, but when I try to
> > > fabricate a
> > > > loginUrl to the redirect_uri that I need it to go after we encounter
> some
> > > > problems that I think may be related to the state variable, although
> I'm
> > > > not sure. I get Error 400 sometimes, which isn't very clear.
> > > >
> > > > Is there a guideline for this?
> > > >
> > > >
> > > > On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen <stian(a)redhat.com
> >
> > > wrote:
> > > >
> > > > > Yes, login_hint is one of the optional request parameters
> supported by
> > > > > OpenID Connect
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <
> > > > > rodrigopsasaki(a)gmail.com>
> > > > > > Cc: keycloak-user(a)lists.jboss.org
> > > > > > Sent: Wednesday, 30 July, 2014 2:38:32 PM
> > > > > > Subject: Re: [keycloak-user] Authenticate user without using
> login
> > > page
> > > > > >
> > > > > > OpenID Connect protocol is used to implement this?
> > > > > >
> > > > > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> > > > > > > Added login_hint query param. It can be used with keycloak.js
> with
> > > > > either:
> > > > > > >
> > > > > > > keycloak.login({ loginHint: 'username' })
> > > > > > >
> > > > > > > or
> > > > > > >
> > > > > > > keycloak.createLoginUrl({ loginHint: 'username' })
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > >> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >> Cc: "Bill Burke" <bburke(a)redhat.com>,
> > > keycloak-user(a)lists.jboss.org
> > > > > > >> Sent: Friday, 25 July, 2014 6:11:47 PM
> > > > > > >> Subject: Re: [keycloak-user] Authenticate user without using
> login
> > > > > page
> > > > > > >>
> > > > > > >> It all worked great with the iframe, if I style it properly
> and
> > > use
> > > > > that
> > > > > > >> login_hint it should be perfect.
> > > > > > >>
> > > > > > >> Now how should I go about developing/using this login_hint?
> Are
> > > there
> > > > > any
> > > > > > >> tips on this, or is it something that you plan on including
> > > > > yourselves?
> > > > > > >>
> > > > > > >>
> > > > > > >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <
> > > > > rodrigopsasaki(a)gmail.com>
> > > > > > >> wrote:
> > > > > > >>
> > > > > > >>> Just one more thing that wasn't completely clear to me.
> > > > > > >>>
> > > > > > >>> if I add a login page on an iframe, the user will be logged
> > > > > normally? Or
> > > > > > >>> would I have to get a token and keep managing it?
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki
> > > > > > >>> <rodrigopsasaki(a)gmail.com
> > > > > > >>>> wrote:
> > > > > > >>>
> > > > > > >>>> That idea actually sounds amazing, I didn't look into
> > > keycloak.js
> > > > > yet,
> > > > > > >>>> but I'll see if I can get it working before I think about
> > > styling.
> > > > > > >>>>
> > > > > > >>>> Thank you very much!
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <
> > > > > stian(a)redhat.com>
> > > > > > >>>> wrote:
> > > > > > >>>>
> > > > > > >>>>> I think we could quite easily add support for embedding the
> > > login
> > > > > page
> > > > > > >>>>> to keycloak.js. Rough idea:
> > > > > > >>>>>
> > > > > > >>>>> 1. Set an option on keycloak.js to use embedded login form.
> > > Would
> > > > > also
> > > > > > >>>>> require setting an id for a div where the form should be
> > > embedded.
> > > > > > >>>>> 2. When clicking on login instead of redirecting it would
> > > render an
> > > > > > >>>>> iframe element inside the configured div with the src of
> the
> > > iframe
> > > > > > >>>>> being
> > > > > > >>>>> the login page on Keycloak
> > > > > > >>>>> 3. The redirect-uri would be a special url on Keycloak that
> > > > > renders a
> > > > > > >>>>> similar page to the iframe session page that allows
> posting a
> > > > > message
> > > > > > >>>>> back
> > > > > > >>>>> to keycloak.js containing the code
> > > > > > >>>>> 4. Now keycloak.js can swap the code as usual
> > > > > > >>>>>
> > > > > > >>>>> One thing is that we'd probably need an additional styling
> of
> > > the
> > > > > login
> > > > > > >>>>> form, as you would want the login page to display
> differently
> > > when
> > > > > > >>>>> embedded
> > > > > > >>>>> compared to when you redirect to it.
> > > > > > >>>>>
> > > > > > >>>>> ----- Original Message -----
> > > > > > >>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >>>>>> To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
> > > > > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without
> using
> > > login
> > > > > > >>>>>> page
> > > > > > >>>>>>
> > > > > > >>>>>> The cookies should be set fine, as the iframe would
> contain
> > > the
> > > > > login
> > > > > > >>>>> page
> > > > > > >>>>>> directly from Keycloak.
> > > > > > >>>>>>
> > > > > > >>>>>> It would redirect to a special page on the app that after
> > > > > extracting
> > > > > > >>>>> the code
> > > > > > >>>>>> would close the popup.
> > > > > > >>>>>>
> > > > > > >>>>>> ----- Original Message -----
> > > > > > >>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo
> Sasaki"
> > > > > > >>>>>>> <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
> > > > > > >>>>>>> Subject: Re: [keycloak-user] Authenticate user without
> using
> > > > > login
> > > > > > >>>>> page
> > > > > > >>>>>>>
> > > > > > >>>>>>> not sure this will work with SSO. I'm not sure CORS
> > > requests can
> > > > > > >>>>> deal
> > > > > > >>>>>>> with cookies.
> > > > > > >>>>>>>
> > > > > > >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > > > > >>>>>>>> What about using an iframe in the popup to include the
> login
> > > > > form
> > > > > > >>>>> from
> > > > > > >>>>>>>> Keycloak?
> > > > > > >>>>>>>>
> > > > > > >>>>>>>> You can send a HTTP POST to
> > > > > > >>>>> /auth-server/<realm>/tokens/grants/access
> > > > > > >>>>>>>> with
> > > > > > >>>>>>>> client id/secret and username/password and get a token
> back.
> > > > > With
> > > > > > >>>>>>>> keycloak.js you can give it this token, not sure how/if
> this
> > > > > flow
> > > > > > >>>>> works
> > > > > > >>>>>>>> with the server-side (Undertow) adapter.
> > > > > > >>>>>>>>
> > > > > > >>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>,
> > > > > > >>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
> > > > > > >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without
> > > using
> > > > > > >>>>> login page
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> Actually, the main problem is one of the flows where
> the
> > > > > password
> > > > > > >>>>>>>>> request
> > > > > > >>>>>>>>> appears in a popup, there's no redirect at all, and
> one of
> > > the
> > > > > > >>>>> things
> > > > > > >>>>>>>>> that
> > > > > > >>>>>>>>> were agreed upon when decided to change the
> authentication
> > > > > > >>>>> provider, was
> > > > > > >>>>>>>>> that nothing would be altered in the user experience.
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> So I really have to try and make keycloak "fit in" in
> these
> > > > > > >>>>> particular
> > > > > > >>>>>>>>> scenarios, they are not used as much as the ones where
> > > we'll
> > > > > use
> > > > > > >>>>> the
> > > > > > >>>>>>>>> keycloak login page with our own style, but I do have
> to
> > > make
> > > > > > >>>>> them work.
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> When you say I could use direct grant to get a token,
> would
> > > > > that
> > > > > > >>>>> count
> > > > > > >>>>>>>>> as
> > > > > > >>>>>>>>> the same as an user logging in? It's not really clear
> to me
> > > > > right
> > > > > > >>>>> now
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <
> > > > > > >>>>> stian(a)redhat.com>
> > > > > > >>>>>>>>> wrote:
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>> Yes, but I'm wondering why the following won't work:
> > > > > > >>>>>>>>>>
> > > > > > >>>>>>>>>> 1. Ask for users email (in your app, not KC)
> > > > > > >>>>>>>>>> 2. Once you get to the flow where a user has to login:
> > > > > > >>>>>>>>>> a) If user doesn't exist in KC (you can use admin
> > > > > endpoints
> > > > > > >>>>> to
> > > > > > >>>>>>>>>> check
> > > > > > >>>>>>>>>> this) redirect to registration page on KC with email
> > > already
> > > > > > >>>>> entered
> > > > > > >>>>>>>>>> b) If user does exist in KC redirect to login
> page
> > > again
> > > > > > >>>>> with email
> > > > > > >>>>>>>>>> already entered
> > > > > > >>>>>>>>>> 3. Redirect back to app
> > > > > > >>>>>>>>>>
> > > > > > >>>>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo
> > > Sasaki"
> > > > > <
> > > > > > >>>>>>>>>> rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > > > > > >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> without
> > > using
> > > > > > >>>>> login
> > > > > > >>>>>>>>>>> page
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>> It is because their first login screen is just
> something
> > > > > asking
> > > > > > >>>>> for an
> > > > > > >>>>>>>>>>> email. If the email doesn't exist as a user, they
> want a
> > > > > > >>>>> redirect to
> > > > > > >>>>>>>>>>> the register page.
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > > > > >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a
> token.
> > > > > > >>>>>>>>>>>>
> > > > > > >>>>>>>>>>>> I'd like to know why redirecting to the login form,
> when
> > > > > > >>>>> styled to
> > > > > > >>>>>>>>>> match
> > > > > > >>>>>>>>>>>> your website, and using login_hint to pre-fill
> > > > > username/email
> > > > > > >>>>> doesn't
> > > > > > >>>>>>>>>>>> work. Maybe there's something we can do so that you
> can
> > > > > still
> > > > > > >>>>> use the
> > > > > > >>>>>>>>>>>> "proper" flow?
> > > > > > >>>>>>>>>>>>
> > > > > > >>>>>>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >>>>>>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>,
> > > > > > >>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > > > > > >>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> without
> > > > > using
> > > > > > >>>>> login
> > > > > > >>>>>>>>>> page
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> Sorry to keep insisting on this, but since it's
> being a
> > > > > huge
> > > > > > >>>>>>>>>> showstopper
> > > > > > >>>>>>>>>>>>> so
> > > > > > >>>>>>>>>>>>> far, I just have to ask.
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> If I don't mind trading off SSO and all the other
> > > benefits
> > > > > > >>>>> that the
> > > > > > >>>>>>>>>>>>> Keycloak login page provides me, would there be a
> way
> > > for
> > > > > me
> > > > > > >>>>> to do
> > > > > > >>>>>>>>>> what I
> > > > > > >>>>>>>>>>>>> want?
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <
> > > > > > >>>>> stian(a)redhat.com>
> > > > > > >>>>>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> We could add support for login_hint query param so
> > > you can
> > > > > > >>>>> have the
> > > > > > >>>>>>>>>>>>>> username/email field on the login form pre-filled
> for
> > > the
> > > > > > >>>>> user, so
> > > > > > >>>>>>>>>> once a
> > > > > > >>>>>>>>>>>>>> user has to authenticate you redirect to login on
> KC
> > > and
> > > > > all
> > > > > > >>>>> they
> > > > > > >>>>>>>>>> would
> > > > > > >>>>>>>>>>>>>> have to do is enter their password.
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO,
> > > > > multi-factor
> > > > > > >>>>>>>>>>>>>> support,
> > > > > > >>>>>>>>>>>>>> required actions, recover password, etc, etc,
> etc..
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> As Bill mentioned we provide very flexible login
> forms
> > > > > that
> > > > > > >>>>> can be
> > > > > > >>>>>>>>>>>>>> templated using either just css or even FreeMarker
> > > > > templates
> > > > > > >>>>> if you
> > > > > > >>>>>>>>>> need
> > > > > > >>>>>>>>>>>>>> a
> > > > > > >>>>>>>>>>>>>> lot of customization, so you should be able to
> make
> > > the
> > > > > > >>>>> login form
> > > > > > >>>>>>>>>>>>>> integrate well with your website.
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com
> >
> > > > > > >>>>>>>>>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > > > > > >>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> > > without
> > > > > > >>>>> using login
> > > > > > >>>>>>>>>> page
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> You think there could be a way to do this within
> > > keycloak
> > > > > > >>>>> itself?
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <
> > > > > > >>>>>>>>>>>>>> rodrigopsasaki(a)gmail.com >
> > > > > > >>>>>>>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> I'll give you an example:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> We have a situation in our website where we only
> ask
> > > for
> > > > > the
> > > > > > >>>>>>>>>>>>>>> user's
> > > > > > >>>>>>>>>>>>>> e-mail,
> > > > > > >>>>>>>>>>>>>>> and he can go on with the flow.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On a determined step of the flow, if we identify
> that
> > > > > this
> > > > > > >>>>> is an
> > > > > > >>>>>>>>>> e-mail
> > > > > > >>>>>>>>>>>>>> that
> > > > > > >>>>>>>>>>>>>>> we already have in our user database, we ask him
> for
> > > his
> > > > > > >>>>> password,
> > > > > > >>>>>>>>>>>>>>> authenticate him, and let him go on, if this
> e-mail
> > > is
> > > > > new,
> > > > > > >>>>> we
> > > > > > >>>>>>>>>> redirect
> > > > > > >>>>>>>>>>>>>> him
> > > > > > >>>>>>>>>>>>>>> to a page where he can register himself, and
> after
> > > that
> > > > > > >>>>> continue
> > > > > > >>>>>>>>>>>>>>> on.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On this specific case and others, we wouldn't
> like to
> > > > > have
> > > > > > >>>>> to
> > > > > > >>>>>>>>>> redirect
> > > > > > >>>>>>>>>>>>>> him to
> > > > > > >>>>>>>>>>>>>>> keycloak, because that would interrupt the flow
> that
> > > we
> > > > > > >>>>> designed.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <
> > > > > > >>>>> bburke(a)redhat.com >
> > > > > > >>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> If you have to do it this way, please let us know
> > > why.
> > > > > > >>>>> Maybe we
> > > > > > >>>>>>>>>>>>>>> can
> > > > > > >>>>>>>>>>>>>> solve the
> > > > > > >>>>>>>>>>>>>>> issue within keycloak itself.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> Just for the sake of conversation, if I did want
> to
> > > > > handle
> > > > > > >>>>> my own
> > > > > > >>>>>>>>>> login
> > > > > > >>>>>>>>>>>>>>> page, would there be a way for me to do it?
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>> <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> I don't want to miss out on all of that, which
> is why
> > > > > we're
> > > > > > >>>>> mostly
> > > > > > >>>>>>>>>>>>>>> migrating everything to use keycloak that way.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> It's just that we have cases that are so
> specific,
> > > that
> > > > > it
> > > > > > >>>>> would
> > > > > > >>>>>>>>>>>>>>> be
> > > > > > >>>>>>>>>>>>>>> better to authenticate the user in a different
> > > manner,
> > > > > > >>>>> create the
> > > > > > >>>>>>>>>>>>>>> user session and everything, without redirecting.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> If you want to handle your own login pages, IMO,
> you
> > > are
> > > > > > >>>>> missing
> > > > > > >>>>>>>>>>>>>>> out on
> > > > > > >>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> * SSO
> > > > > > >>>>>>>>>>>>>>> * forgot password
> > > > > > >>>>>>>>>>>>>>> * admin forced credential reset/setup
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> Login pages can be styled however you like to
> look
> > > like
> > > > > your
> > > > > > >>>>>>>>>>>>>>> application.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> There is a REST api for obtaining an access
> token.
> > > Here
> > > > > is
> > > > > > >>>>> an
> > > > > > >>>>>>>>>>>>>>> example:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > > > > > >>>>>>>>>>>>>>>> Is there a way to authenticate the user without
> > > having
> > > > > to
> > > > > > >>>>>>>>>>>>>>> input username
> > > > > > >>>>>>>>>>>>>>>> and password on the login page?
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> For example:
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> Say there's a situation in my application where
> I
> > > > > request
> > > > > > >>>>> the
> > > > > > >>>>>>>>>>>>>>> user for
> > > > > > >>>>>>>>>>>>>>>> his username and password, and I wouldn't like
> to
> > > > > redirect
> > > > > > >>>>>>>>>>>>>>> that to the
> > > > > > >>>>>>>>>>>>>>>> keycloak login page to authenticate him, would
> > > there be
> > > > > a
> > > > > > >>>>> way
> > > > > > >>>>>>>>>>>>>>> for me to
> > > > > > >>>>>>>>>>>>>>>> do that?
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> _______________________________________________
> > > > > > >>>>>>>>>>>>>>>> keycloak-user mailing list
> > > > > > >>>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Bill Burke
> > > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > >>>>>>>>>>>>>>> http://bill.burkecentral.com
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > >
> > > > > > --
> > > > > > Bill Burke
> > > > > > JBoss, a division of Red Hat
> > > > > > http://bill.burkecentral.com
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
--
Rodrigo Sasaki
10 years, 4 months
Fwd: Documentation question
by Alarik Myrin
I am trying to understand this sentence from section 2.2.1 of the User
Guide:
"The role mappings contained within the token are the union between the set
of user role mappings and the permission scope of the application/oauth
client."
See:
http://docs.jboss.org/keycloak/docs/1.0-rc-1/userguide/html/Overview.html...
Should this perhaps read the "intersection between" rather than the "union
between"? I guess I am trying to understand if it is the union of the two
sets or the intersection between the two sets. My guess, based on the rest
of the paragraph, is that it is the intersection between the two sets.
Thanks,
Alarik
10 years, 4 months
SAML Support
by Evan Thompson
Howdy,
I've seen on the Keycloak website that there are plans to support SAML and
there is a JIRA ticket (KEYCLOAK-315
<https://issues.jboss.org/browse/KEYCLOAK-315>) that lists the fix version
of 1.1-beta-1. I was wondering if this is firm deadline or just a rough
estimate.
Thank you for your time,
Evan
10 years, 4 months
Email verified doesn't seem to work using REST API
by Christina Lau
Hi, I have my realm enabled for email verification. When I registered a new user using the UI dialog, the user gets an email notification.
However, if I use the REST API to create a new user, even though I set emailVerified to true, the new user that gets added correctly didn’t get an email notification.
Is there an additional REST API I need to call? I can’t find that in the doc. Or is this supposed to be implicit and in that case a bug? Or am I missing some more setup? Thx…
Christina
10 years, 4 months
Authenticate user without using login page
by Rodrigo Sasaki
Is there a way to authenticate the user without having to input username
and password on the login page?
For example:
Say there's a situation in my application where I request the user for his
username and password, and I wouldn't like to redirect that to the keycloak
login page to authenticate him, would there be a way for me to do that?
--
Rodrigo Sasaki
10 years, 4 months
Password Hashing
by Evan Thompson
Howdy,
I've been looking into Keycloak and have a question in regards to password
hashing. I came across a closed JIRA item that discusses supporting bcrypt,
but the comments just state that improved password hashing has already been
added. I guess my question is what exactly does Keycloak provide/support in
terms of password encryption and is it configurable.
Cheers,
Evan
10 years, 4 months
Re: [keycloak-user] I have tried everything
by Dean Peterson
Ok, I figured it out. I just replaced java:jboss/datasources/KeycloakDS
with my own settings rather than create a new jndi datasource with a
different name. In the past I was able to change the jndi name to
java:jboss/datasources/ui_users and make a few updates to persistence.xml.
The new way is arguably easier. Now that I know to just replace
KeycloakDS with my own settings I do not need to change anything else. Am
I correct in assuming this is how things work going forward? It seems I
cannot delete ExampleDS either without causing problems though. The
current documentation is also misleading.
10 years, 4 months