Stian,
We aren’t using the Keycloak registration because our app existed for a couple of years
before the current Kc integration. Our onboarding/registration process is pretty extensive:
it is about a 10-page Angular flow that uses XHR requests to our server to create the data.
Converting it over to the Kc page, which does a form POST, would be very difficult for us.
I’m curious why you say: “You need to do the redirect based authentication and not use
direct grant if you want an SSO session.”
Is this a requirement or just a best practice?
I ran a test with this scenario and I’m able to get a password-based grant from our
admin_cli client and then go to our app with that token (the app is using a different,
confidential client that has the Spring Security KC adapter configured). The app will not
only recognize that token, but also establish a session for me.
--
Christopher Savory
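Added example (not part of this thread, and not Keycloak or Spring Security adapter code): Stian's point about direct grant versus the redirect flow is partly about which client a token was issued to. In Chris's test, a token obtained through the admin-cli client was accepted by an app registered as a different confidential client. A resource server that compares the token's azp/aud claims with its own client id rejects such a token; that is the usual OIDC defence against a token minted for one client being presented to another. Whether the adapter in that test performs this check is not something the thread establishes. The script below builds constructed tokens and runs them through such a check. It uses HS256 with a throwaway key in place of Keycloak's RS256 realm key, and the issuer URL is a placeholder built from the token endpoint quoted in the thread; both are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for the demo. A real Keycloak realm signs with RS256 and a
# per-realm key; the issuer is the realm URL, here a placeholder from the thread.
REALM_ISSUER = "<domain>/auth/realms/<realm>"
HMAC_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = HMAC_KEY) -> str:
    """Build a compact JWS (header.payload.signature) for the demo.

    Keycloak's real tokens differ only in the signature algorithm (RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, expected_client: str, key: bytes = HMAC_KEY,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a bearer token presented to `expected_client`.

    Checks, in order: structure, signature, issuer, token type, expiry, and
    finally that the token was issued to (azp) or intended for (aud) this client."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != REALM_ISSUER:
        return False, "wrong issuer"
    if claims.get("typ") != "Bearer":
        return False, "not a bearer token"
    if now >= claims.get("exp", 0):
        return False, "expired"
    # azp names the client the token was issued to; aud lists who may consume it.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("azp") != expected_client and expected_client not in aud:
        return False, f"token issued to {claims.get('azp')!r}, not {expected_client!r}"
    return True, "ok"


def demo(now: float = 1_476_300_000.0) -> dict:
    """Run constructed tokens through validate_token as the web app's client would."""
    app_client = "my-webapp"  # constructed client id for the app in the scenario
    base = {"iss": REALM_ISSUER, "typ": "Bearer", "exp": now + 300,
            "sub": "constructed-user-id", "preferred_username": "constructed.user"}

    # Token from a direct grant against admin-cli, as in the curl command in the thread.
    direct_grant = make_token({**base, "azp": "admin-cli", "aud": "admin-cli"})
    # Token the app would receive from its own redirect-based login.
    redirect_flow = make_token({**base, "azp": app_client, "aud": app_client})
    # Same client, but already expired.
    expired = make_token({**base, "azp": app_client, "aud": app_client, "exp": now - 1})
    # The admin-cli token with its payload rewritten to claim the app's client id,
    # but the original signature kept: must fail the signature check.
    h, _, s = direct_grant.split(".")
    forged_payload = b64url_encode(json.dumps({**base, "azp": app_client, "aud": app_client}).encode())
    tampered = f"{h}.{forged_payload}.{s}"

    return {
        "direct_grant_admin_cli": validate_token(direct_grant, app_client, now=now),
        "redirect_flow_token": validate_token(redirect_flow, app_client, now=now),
        "expired": validate_token(expired, app_client, now=now),
        "tampered": validate_token(tampered, app_client, now=now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24s} {'accept' if ok else 'reject'}: {reason}")
```

The audience check is what separates the two flows here: a token obtained through one client and handed to another fails it even though the signature, issuer and expiry are all fine, so a session would not be established on the strength of that token alone.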
From: Stian Thorgersen <sthorger(a)redhat.com>
Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
Date: Thursday, October 13, 2016 at 1:11 AM
To: Chris Savory <chris.savory(a)edlogics.com>
Cc: "Mariusz Chruscielewski - Info.nl" <mariusz(a)info.nl>,
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>, David
Hartfield <david.hartfield(a)edlogics.com>
Subject: Re: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal
object
You need to do the redirect based authentication and not use direct grant if you want an
SSO session.
Why are you not just using the registration form on the Keycloak server? It can be changed
to match exactly what you need?
On 10 October 2016 at 15:30, Chris Savory <chris.savory(a)edlogics.com> wrote:
I actually had a similar question for our register user workflow. We are registering
users on our site using our own custom registration form; in this flow we use the Admin
client to create the user in keycloak. Since the user just gave us their un/pw it doesn’t
make sense for us to send them over to Keycloak to login, but rather we would like to
passively log them in either via the backend or via some ajax call.
I know I can get a token if I do something like this, but I’m not sure if it’s going to
drop all the right cookies back to the user’s browser to consider them logged in across
all the clients:
curl -d "client_id=admin-cli" \
     -d "username=chris.savory(a)edlogics.com" \
     -d "password=password" \
     -d "grant_type=password" \
     "<domain>/auth/realms/<realm>/protocol/openid-connect/token"
--
On 10/10/16, 3:23 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Stian Thorgersen"
<keycloak-user-bounces(a)lists.jboss.org on behalf of sthorger(a)redhat.com> wrote:
By using token directly I assume you mean exchanging username/password for
a token directly. I'd strongly recommend against this and it's not
something our adapters support directly.
On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl> wrote:
> Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after we
> access protected resource we are redirected to keycloak and after login we
> go back to our app. After that, we can get KeycloakPrincipal object from
> web context (request).
>
> Is there a way to create / get this object without using Tomcat Adapter?
> We want to make API call (like
> http://keycloak/auth/realms/vi/protocol/openid-connect/token) and get (or create
> manually) this object using AccessTokenResponse (or any other object we can get from API).
>
> Ultimate goal is to login to keycloak like adapter does, but directly from
> Java, without any interaction from user on keycloak forms.
>
> Is it even possible?
>
> Kind Regards,
>
> Mariusz Chruscielewski
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user