Re: [keycloak-user] Multitenancy for WAR
by Travis De Silva
Hi Stian,
Your proposed solution would not cover the use case where we can create
tenants at runtime, as the realm config in the keycloak.json would be
hard-coded into the war.
I had discussed this identical use case a while ago on this forum, and Bill
was planning to refactor the adapters to support it.
Unfortunately he got caught up in other tasks and was not able to proceed
with this.
The discussion thread is here
http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
Basically, what I believe Bill suggested, which would meet this use case, is
to:
1. Have a shared secret between clients for all realms.
2. The adapter would just extract the realm name from the request,
invoke on the keycloak server to get the public information about the realm
(i.e. public key) and then cache the information locally.
The key bit here is extracting the realm name from the request and then
pulling the realm info from the keycloak server.
I had a look at the keycloak source code and I believe the magic happens in
the KeycloakServletExtension class under the org.keycloak.adapters.undertow
package for my use case (since I deploy it on wildfly).
What has me stumped is that this class gets loaded when my war is
deployed, and I am wondering how I can do it per request (if the info is not
already cached locally).
With the imminent release of 1.0 (btw, congrats to everyone in the team for
the great work, and to Bill and you for your leadership), maybe we should
start thinking about including this multi-tenancy use case in future
releases.
I believe that SaaS models are going to be popular, and having this feature
added will make keycloak a major player in this space.
Cheers
Travis
9 years, 8 months
Cancel button on JBoss 7 triggering Status 400
by Rodrigo Sasaki
I was testing keycloak and I came across something weird.
I try to access a protected resource, so I get redirected to the Keycloak
login page, if I hit cancel without doing anything, I get a response with
status 400 and a query param appears like this:
*error=access_denied*
The same does not happen on Wildfly.
Should I open a JIRA for this?
--
Rodrigo Sasaki
9 years, 8 months
Problem starting up 1.0-rc-2 using 1.0-rc-1 compatible SQL schema
by Alarik Myrin
I am using Wildfly 8.0.0-Final and Postgres 9.3.5. When I try to start up
1.0-rc-2 and point to a schema that worked with 1.0-rc-1, I get the
following:
Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:44)
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
    at com.sun.proxy.$Proxy53.find(Unknown Source)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:51)
    at org.keycloak.models.cache.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:173)
    at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:42)
    at org.keycloak.services.managers.ApplianceBootstrap.bootstrap(ApplianceBootstrap.java:33)
    at org.keycloak.services.resources.KeycloakApplication.setupDefaultRealm(KeycloakApplication.java:137)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:86)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_05]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [rt.jar:1.8.0_05]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [rt.jar:1.8.0_05]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:408) [rt.jar:1.8.0_05]
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 15 more
Caused by: javax.persistence.PersistenceException: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1694)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1141)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1068)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_05]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_05]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_05]
    at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_05]
    at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
    ... 27 more
Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property of primitive type setter of org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled
    at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:126)
    at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
    at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:362)
    at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4712)
    at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:188)
    at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:144)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:244)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:215)
    at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:140)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:138)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:102)
    at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:186)
    at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4120)
    at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:502)
    at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:467)
    at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:212)
    at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:274)
    at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:150)
    at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1066)
    at org.hibernate.internal.SessionImpl.access$2000(SessionImpl.java:176)
    at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2540)
    at org.hibernate.internal.SessionImpl.get(SessionImpl.java:951)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1110)
    ... 33 more
Caused by: java.lang.IllegalArgumentException: Can not set boolean field org.keycloak.models.jpa.entities.RealmEntity.eventsEnabled to null value
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) [rt.jar:1.8.0_05]
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) [rt.jar:1.8.0_05]
    at sun.reflect.UnsafeBooleanFieldAccessorImpl.set(UnsafeBooleanFieldAccessorImpl.java:80) [rt.jar:1.8.0_05]
    at java.lang.reflect.Field.set(Field.java:758) [rt.jar:1.8.0_05]
    at org.hibernate.property.DirectPropertyAccessor$DirectSetter.set(DirectPropertyAccessor.java:122)
    ... 55 more
If I start from an empty schema, I don't see this problem. This isn't a
killer for me for now, but just thought I would bring it up.
Alarik
9 years, 8 months
Find by email not working?
by Rodrigo Sasaki
Hello,
I have a method in my project that finds users by e-mail using the REST API
on
*/realms/{realm}/users?email=...*
It used to work fine, but I upgraded to RC1 and it stopped working. I tried
debugging it, but it doesn't seem to stop on my breakpoint inside the
*JpaUserProvider* class.
It simply returns nothing, with valid calls and a valid e-mail that I know
exists.
Is this a known bug?
--
Rodrigo Sasaki
9 years, 8 months
access to IDM from java EJB
by Сергій Дзюбін
Good afternoon.
My English is not very good, so I apologize in advance. I really like your project
Keycloak. I have a number of questions about it, for which I ask your help.
So ...
1. How do I create a user with a specified password through the REST interface
from a JS app? In my case I "PUT" reset-password and get "Access to the
specified resource has been forbidden", but without a password it is OK.
2. How do I check in a stateless EJB which roles belong to a particular user,
get their ID, etc.? That is, how do I access IDM users from the business code?
Thank you very much.
9 years, 8 months
Keycloak 1.0 RC 2 Released
by Stian Thorgersen
This will be the last release candidate before we release 1.0 final in just two weeks! So, there are no new exciting features in this release, only a few bug fixes.
9 years, 8 months
Re: [keycloak-user] Authenticate user without using login page
by Rodrigo Sasaki
Not really, I think; the thing is I wanted to use the *login_hint* feature,
but I don't think it will be possible based on what you said now. Is that
correct?
PS: added back the mailing list because I excluded it from the previous
e-mail by mistake
On Fri, Aug 29, 2014 at 9:12 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
> You can't create the login url yourself at the moment, this is because the
> adapter sets a cookie to store the state variable so it can check it in the
> callback.
>
> You can call HttpServletRequest.authenticate, which will redirect to the
> login after setting the state cookie. Does that work for you?
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Sent: Friday, 29 August, 2014 1:07:22 PM
> > Subject: Re: [keycloak-user] Authenticate user without using login page
> >
> > I'm using the JBoss AS7 adapter
> > On Aug 29, 2014 3:46 AM, "Stian Thorgersen" <stian(a)redhat.com> wrote:
> >
> > > Which adapter are you using?
> > >
> > > ----- Original Message -----
> > > > From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > > > Sent: Thursday, 28 August, 2014 3:51:17 PM
> > > > Subject: Re: [keycloak-user] Authenticate user without using login
> page
> > > >
> > > > Coming back to this, I have a quick question. What would be the best
> way
> > > > for me to create a valid login URL dynamically?
> > > >
> > > > when we try to access a protected resource, the login page comes up,
> > > > authenticates the user and it all works fine, but when I try to
> > > fabricate a
> > > > loginUrl to the redirect_uri that I need it to go after we encounter
> some
> > > > problems that I think may be related to the state variable, although
> I'm
> > > > not sure. I get Error 400 sometimes, which isn't very clear.
> > > >
> > > > Is there a guideline for this?
> > > >
> > > >
> > > > On Wed, Jul 30, 2014 at 10:48 AM, Stian Thorgersen <stian(a)redhat.com
> >
> > > wrote:
> > > >
> > > > > Yes, login_hint is one of the optional request parameters
> supported by
> > > > > OpenID Connect
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <
> > > > > rodrigopsasaki(a)gmail.com>
> > > > > > Cc: keycloak-user(a)lists.jboss.org
> > > > > > Sent: Wednesday, 30 July, 2014 2:38:32 PM
> > > > > > Subject: Re: [keycloak-user] Authenticate user without using
> login
> > > page
> > > > > >
> > > > > > OpenID Connect protocol is used to implement this?
> > > > > >
> > > > > > On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> > > > > > > Added login_hint query param. It can be used with keycloak.js
> with
> > > > > either:
> > > > > > >
> > > > > > > keycloak.login({ loginHint: 'username' })
> > > > > > >
> > > > > > > or
> > > > > > >
> > > > > > > keycloak.createLoginUrl({ loginHint: 'username' })
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > >> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >> Cc: "Bill Burke" <bburke(a)redhat.com>,
> > > keycloak-user(a)lists.jboss.org
> > > > > > >> Sent: Friday, 25 July, 2014 6:11:47 PM
> > > > > > >> Subject: Re: [keycloak-user] Authenticate user without using
> login
> > > > > page
> > > > > > >>
> > > > > > >> It all worked great with the iframe, if I style it properly
> and
> > > use
> > > > > that
> > > > > > >> login_hint it should be perfect.
> > > > > > >>
> > > > > > >> Now how should I go about developing/using this login_hint?
> Are
> > > there
> > > > > any
> > > > > > >> tips on this, or is it something that you plan on including
> > > > > yourselves?
> > > > > > >>
> > > > > > >>
> > > > > > >> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <
> > > > > rodrigopsasaki(a)gmail.com>
> > > > > > >> wrote:
> > > > > > >>
> > > > > > >>> Just one more thing that wasn't completely clear to me.
> > > > > > >>>
> > > > > > >>> if I add a login page on an iframe, the user will be logged
> > > > > normally? Or
> > > > > > >>> would I have to get a token and keep managing it?
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki
> > > > > > >>> <rodrigopsasaki(a)gmail.com
> > > > > > >>>> wrote:
> > > > > > >>>
> > > > > > >>>> That idea actually sounds amazing, I didn't look into
> > > keycloak.js
> > > > > yet,
> > > > > > >>>> but I'll see if I can get it working before I think about
> > > styling.
> > > > > > >>>>
> > > > > > >>>> Thank you very much!
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <
> > > > > stian(a)redhat.com>
> > > > > > >>>> wrote:
> > > > > > >>>>
> > > > > > >>>>> I think we could quite easily add support for embedding the
> > > login
> > > > > page
> > > > > > >>>>> to keycloak.js. Rough idea:
> > > > > > >>>>>
> > > > > > >>>>> 1. Set an option on keycloak.js to use embedded login form.
> > > Would
> > > > > also
> > > > > > >>>>> require setting an id for a div where the form should be
> > > embedded.
> > > > > > >>>>> 2. When clicking on login instead of redirecting it would
> > > render an
> > > > > > >>>>> iframe element inside the configured div with the src of
> the
> > > iframe
> > > > > > >>>>> being
> > > > > > >>>>> the login page on Keycloak
> > > > > > >>>>> 3. The redirect-uri would be a special url on Keycloak that
> > > > > renders a
> > > > > > >>>>> similar page to the iframe session page that allows
> posting a
> > > > > message
> > > > > > >>>>> back
> > > > > > >>>>> to keycloak.js containing the code
> > > > > > >>>>> 4. Now keycloak.js can swap the code as usual
> > > > > > >>>>>
> > > > > > >>>>> One thing is that we'd probably need an additional styling
> of
> > > the
> > > > > login
> > > > > > >>>>> form, as you would want the login page to display
> differently
> > > when
> > > > > > >>>>> embedded
> > > > > > >>>>> compared to when you redirect to it.
> > > > > > >>>>>
> > > > > > >>>>> ----- Original Message -----
> > > > > > >>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >>>>>> To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
> > > > > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without
> using
> > > login
> > > > > > >>>>>> page
> > > > > > >>>>>>
> > > > > > >>>>>> The cookies should be set fine, as the iframe would
> contain
> > > the
> > > > > login
> > > > > > >>>>> page
> > > > > > >>>>>> directly from Keycloak.
> > > > > > >>>>>>
> > > > > > >>>>>> It would redirect to a special page on the app that after
> > > > > extracting
> > > > > > >>>>> the code
> > > > > > >>>>>> would close the popup.
> > > > > > >>>>>>
> > > > > > >>>>>> ----- Original Message -----
> > > > > > >>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo
> Sasaki"
> > > > > > >>>>>>> <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
> > > > > > >>>>>>> Subject: Re: [keycloak-user] Authenticate user without
> using
> > > > > login
> > > > > > >>>>> page
> > > > > > >>>>>>>
> > > > > > >>>>>>> not sure this will work with SSO. I'm not sure CORS
> > > requests can
> > > > > > >>>>> deal
> > > > > > >>>>>>> with cookies.
> > > > > > >>>>>>>
> > > > > > >>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > > > > >>>>>>>> What about using an iframe in the popup to include the
> login
> > > > > form
> > > > > > >>>>> from
> > > > > > >>>>>>>> Keycloak?
> > > > > > >>>>>>>>
> > > > > > >>>>>>>> You can send a HTTP POST to
> > > > > > >>>>> /auth-server/<realm>/tokens/grants/access
> > > > > > >>>>>>>> with
> > > > > > >>>>>>>> client id/secret and username/password and get a token
> back.
> > > > > With
> > > > > > >>>>>>>> keycloak.js you can give it this token, not sure how/if
> this
> > > > > flow
> > > > > > >>>>> works
> > > > > > >>>>>>>> with the server-side (Undertow) adapter.
> > > > > > >>>>>>>>
> > > > > > >>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>,
> > > > > > >>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
> > > > > > >>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without
> > > using
> > > > > > >>>>> login page
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> Actually, the main problem is one of the flows where
> the
> > > > > password
> > > > > > >>>>>>>>> request
> > > > > > >>>>>>>>> appears in a popup, there's no redirect at all, and
> one of
> > > the
> > > > > > >>>>> things
> > > > > > >>>>>>>>> that
> > > > > > >>>>>>>>> were agreed upon when decided to change the
> authentication
> > > > > > >>>>> provider, was
> > > > > > >>>>>>>>> that nothing would be altered in the user experience.
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> So I really have to try and make keycloak "fit in" in
> these
> > > > > > >>>>> particular
> > > > > > >>>>>>>>> scenarios, they are not used as much as the ones where
> > > we'll
> > > > > use
> > > > > > >>>>> the
> > > > > > >>>>>>>>> keycloak login page with our own style, but I do have
> to
> > > make
> > > > > > >>>>> them work.
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> When you say I could use direct grant to get a token,
> would
> > > > > that
> > > > > > >>>>> count
> > > > > > >>>>>>>>> as
> > > > > > >>>>>>>>> the same as an user logging in? It's not really clear
> to me
> > > > > right
> > > > > > >>>>> now
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <
> > > > > > >>>>> stian(a)redhat.com>
> > > > > > >>>>>>>>> wrote:
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>> Yes, but I'm wondering why the following won't work:
> > > > > > >>>>>>>>>>
> > > > > > >>>>>>>>>> 1. Ask for users email (in your app, not KC)
> > > > > > >>>>>>>>>> 2. Once you get to the flow where a user has to login:
> > > > > > >>>>>>>>>> a) If user doesn't exist in KC (you can use admin
> > > > > endpoints
> > > > > > >>>>> to
> > > > > > >>>>>>>>>> check
> > > > > > >>>>>>>>>> this) redirect to registration page on KC with email
> > > already
> > > > > > >>>>> entered
> > > > > > >>>>>>>>>> b) If user does exist in KC redirect to login
> page
> > > again
> > > > > > >>>>> with email
> > > > > > >>>>>>>>>> already entered
> > > > > > >>>>>>>>>> 3. Redirect back to app
> > > > > > >>>>>>>>>>
> > > > > > >>>>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo
> > > Sasaki"
> > > > > <
> > > > > > >>>>>>>>>> rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > > > > > >>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> without
> > > using
> > > > > > >>>>> login
> > > > > > >>>>>>>>>>> page
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>> It is because their first login screen is just
> something
> > > > > asking
> > > > > > >>>>> for an
> > > > > > >>>>>>>>>>> email. If the email doesn't exist as a user, they
> want a
> > > > > > >>>>> redirect to
> > > > > > >>>>>>>>>>> the register page.
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > > > > >>>>>>>>>>>> Yes, you can use the direct grant to retrieve a
> token.
> > > > > > >>>>>>>>>>>>
> > > > > > >>>>>>>>>>>> I'd like to know why redirecting to the login form,
> when
> > > > > > >>>>> styled to
> > > > > > >>>>>>>>>> match
> > > > > > >>>>>>>>>>>> your website, and using login_hint to pre-fill
> > > > > username/email
> > > > > > >>>>> doesn't
> > > > > > >>>>>>>>>>>> work. Maybe there's something we can do so that you
> can
> > > > > still
> > > > > > >>>>> use the
> > > > > > >>>>>>>>>>>> "proper" flow?
> > > > > > >>>>>>>>>>>>
> > > > > > >>>>>>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > > > > >>>>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > > > > >>>>>>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>,
> > > > > > >>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > > > > > >>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> without
> > > > > using
> > > > > > >>>>> login
> > > > > > >>>>>>>>>> page
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> Sorry to keep insisting on this, but since it's
> being a
> > > > > huge
> > > > > > >>>>>>>>>> showstopper
> > > > > > >>>>>>>>>>>>> so
> > > > > > >>>>>>>>>>>>> far, I just have to ask.
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> If I don't mind trading off SSO and all the other
> > > benefits
> > > > > > >>>>> that the
> > > > > > >>>>>>>>>>>>> Keycloak login page provides me, would there be a
> way
> > > for
> > > > > me
> > > > > > >>>>> to do
> > > > > > >>>>>>>>>> what I
> > > > > > >>>>>>>>>>>>> want?
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <
> > > > > > >>>>> stian(a)redhat.com>
> > > > > > >>>>>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> We could add support for login_hint query param so
> > > you can
> > > > > > >>>>> have the
> > > > > > >>>>>>>>>>>>>> username/email field on the login form pre-filled
> for
> > > the
> > > > > > >>>>> user, so
> > > > > > >>>>>>>>>> once a
> > > > > > >>>>>>>>>>>>>> user has to authenticate you redirect to login on
> KC
> > > and
> > > > > all
> > > > > > >>>>> they
> > > > > > >>>>>>>>>> would
> > > > > > >>>>>>>>>>>>>> have to do is enter their password.
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO,
> > > > > multi-factor
> > > > > > >>>>>>>>>>>>>> support,
> > > > > > >>>>>>>>>>>>>> required actions, recover password, etc, etc,
> etc..
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> As Bill mentioned we provide very flexible login
> forms
> > > > > that
> > > > > > >>>>> can be
> > > > > > >>>>>>>>>>>>>> templated using either just css or even FreeMarker
> > > > > templates
> > > > > > >>>>> if you
> > > > > > >>>>>>>>>> need
> > > > > > >>>>>>>>>>>>>> a
> > > > > > >>>>>>>>>>>>>> lot of customization, so you should be able to
> make
> > > the
> > > > > > >>>>> login form
> > > > > > >>>>>>>>>>>>>> integrate well with your website.
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>> ----- Original Message -----
> > > > > > >>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com
> >
> > > > > > >>>>>>>>>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
> > > > > > >>>>>>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > > > > > >>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user
> > > without
> > > > > > >>>>> using login
> > > > > > >>>>>>>>>> page
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> You think there could be a way to do this within
> > > keycloak
> > > > > > >>>>> itself?
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <
> > > > > > >>>>>>>>>>>>>> rodrigopsasaki(a)gmail.com >
> > > > > > >>>>>>>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> I'll give you an example:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> We have a situation in our website where we only
> ask
> > > for
> > > > > the
> > > > > > >>>>>>>>>>>>>>> user's
> > > > > > >>>>>>>>>>>>>> e-mail,
> > > > > > >>>>>>>>>>>>>>> and he can go on with the flow.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On a determined step of the flow, if we identify
> that
> > > > > this
> > > > > > >>>>> is an
> > > > > > >>>>>>>>>> e-mail
> > > > > > >>>>>>>>>>>>>> that
> > > > > > >>>>>>>>>>>>>>> we already have in our user database, we ask him
> for
> > > his
> > > > > > >>>>> password,
> > > > > > >>>>>>>>>>>>>>> authenticate him, and let him go on, if this
> e-mail
> > > is
> > > > > new,
> > > > > > >>>>> we
> > > > > > >>>>>>>>>> redirect
> > > > > > >>>>>>>>>>>>>> him
> > > > > > >>>>>>>>>>>>>>> to a page where he can register himself, and
> after
> > > that
> > > > > > >>>>> continue
> > > > > > >>>>>>>>>>>>>>> on.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On this specific case and others, we wouldn't
> like to
> > > > > have
> > > > > > >>>>> to
> > > > > > >>>>>>>>>> redirect
> > > > > > >>>>>>>>>>>>>> him to
> > > > > > >>>>>>>>>>>>>>> keycloak, because that would interrupt the flow
> that
> > > we
> > > > > > >>>>> designed.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <
> > > > > > >>>>> bburke(a)redhat.com >
> > > > > > >>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> If you have to do it this way, please let us know
> > > why.
> > > > > > >>>>> Maybe we
> > > > > > >>>>>>>>>>>>>>> can
> > > > > > >>>>>>>>>>>>>> solve the
> > > > > > >>>>>>>>>>>>>>> issue within keycloak itself.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> Just for the sake of conversation, if I did want
> to
> > > > > handle
> > > > > > >>>>> my own
> > > > > > >>>>>>>>>> login
> > > > > > >>>>>>>>>>>>>>> page, would there be a way for me to do it?
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>> <rodrigopsasaki(a)gmail.com <mailto:rodrigopsasaki@gmail.com>>
> > > > > > >>>>>>>>>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> I don't want to miss out on all of that, which
> is why
> > > > > we're
> > > > > > >>>>> mostly
> > > > > > >>>>>>>>>>>>>>> migrating everything to use keycloak that way.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> It's just that we have cases that are so
> specific,
> > > that
> > > > > it
> > > > > > >>>>> would
> > > > > > >>>>>>>>>>>>>>> be
> > > > > > >>>>>>>>>>>>>>> better to authenticate the user in a different
> > > manner,
> > > > > > >>>>> create the
> > > > > > >>>>>>>>>>>>>>> user session and everything, without redirecting.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <
> > > > > > >>>>> bburke(a)redhat.com
> > > > > > >>>>>>>>>>>>>>> <mailto:bburke(a)redhat.com>> wrote:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> If you want to handle your own login pages, IMO,
> you
> > > are
> > > > > > >>>>> missing
> > > > > > >>>>>>>>>>>>>>> out on
> > > > > > >>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> * SSO
> > > > > > >>>>>>>>>>>>>>> * forgot password
> > > > > > >>>>>>>>>>>>>>> * admin forced credential reset/setup
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> Login pages can be styled however you like to
> look
> > > like
> > > > > your
> > > > > > >>>>>>>>>>>>>>> application.
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> There is a REST api for obtaining an access
> token.
> > > Here
> > > > > is
> > > > > > >>>>> an
> > > > > > >>>>>>>>>>>>>>> example:
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > > > > > >>>>>>>>>>>>>>>> Is there a way to authenticate the user without
> > > having
> > > > > to
> > > > > > >>>>>>>>>>>>>>> input username
> > > > > > >>>>>>>>>>>>>>>> and password on the login page?
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> For example:
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> Say there's a situation in my application where
> I
> > > > > request
> > > > > > >>>>> the
> > > > > > >>>>>>>>>>>>>>> user for
> > > > > > >>>>>>>>>>>>>>>> his username and password, and I wouldn't like
> to
> > > > > redirect
> > > > > > >>>>>>>>>>>>>>> that to the
> > > > > > >>>>>>>>>>>>>>>> keycloak login page to authenticate him, would
> > > there be
> > > > > a
> > > > > > >>>>> way
> > > > > > >>>>>>>>>>>>>>> for me to
> > > > > > >>>>>>>>>>>>>>>> do that?
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> _______________________________________________
> > > > > > >>>>>>>>>>>>>>>> keycloak-user mailing list
> > > > > > >>>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >>>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Bill Burke
> > > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > >>>>>>>>>>>>>>> http://bill.burkecentral.com
> > > > > > >>>>>>>>>>>>>>> _______________________________________________
> > > > > > >>>>>>>>>>>>>>> keycloak-user mailing list
> > > > > > >>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Bill Burke
> > > > > > >>>>>>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > >>>>>>>>>>>>>>> http://bill.burkecentral.com
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>>> _______________________________________________
> > > > > > >>>>>>>>>>>>>>> keycloak-user mailing list
> > > > > > >>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>>>>>>>>>>>
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >>>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>>> --
> > > > > > >>>>>>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>>>>>
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>> --
> > > > > > >>>>>>>>>>> Bill Burke
> > > > > > >>>>>>>>>>> JBoss, a division of Red Hat
> > > > > > >>>>>>>>>>> http://bill.burkecentral.com
> > > > > > >>>>>>>>>>>
> > > > > > >>>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>>> --
> > > > > > >>>>>>>>> Rodrigo Sasaki
> > > > > > >>>>>>>>>
> > > > > > >>>>>>>
> > > > > > >>>>>>> --
> > > > > > >>>>>>> Bill Burke
> > > > > > >>>>>>> JBoss, a division of Red Hat
> > > > > > >>>>>>> http://bill.burkecentral.com
> > > > > > >>>>>>>
> > > > > > >>>>>> _______________________________________________
> > > > > > >>>>>> keycloak-user mailing list
> > > > > > >>>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >>>>>>
> > > > > > >>>>> _______________________________________________
> > > > > > >>>>> keycloak-user mailing list
> > > > > > >>>>> keycloak-user(a)lists.jboss.org
> > > > > > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > > > >>>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> --
> > > > > > >>>> Rodrigo Sasaki
> > > > > > >>>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>> --
> > > > > > >>> Rodrigo Sasaki
> > > > > > >>>
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >> --
> > > > > > >> Rodrigo Sasaki
> > > > > > >>
> > > > > >
> > > > > > --
> > > > > > Bill Burke
> > > > > > JBoss, a division of Red Hat
> > > > > > http://bill.burkecentral.com
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Rodrigo Sasaki
> > > >
> > >
> >
>
--
Rodrigo Sasaki
9 years, 8 months