We have a similar behavior when doing client credentials where sessions are
created on every single invocation to the token endpoint.
For grant types other than authoriation code, can we review this behavior ?
I think I sent an e-mail about this some time ago ...
On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
The easiest is to login through directGrant and then logout session
with
the refreshToken. We have an example, which is doing that and shows
logout as well - It's admin-access-app from the preconfigured-demo
examples.
The place where the credentials are checked is
Pbkdf2PasswordHashProvider. You can try to debug/investigate for seeing
further how to get there and what code calls this. If it's too much
trouble, I suggest to stick with directGrant + logout approach.
Marek
On 01/02/18 17:25, Scott Finlay wrote:
>
> Hi Marek,
>
>
> Thanks for the suggestion. Could you maybe point me in the right
> direction there?
>
> I'm having some difficulties finding the actual place where
> credentials are checked
>
> in the Keycloak code and where the session is being created.
>
>
> Additionally I've looked the documentation
> (
http://www.keycloak.org/docs/3.1/server_development/topics/
extensions.html)
>
> but I'm having trouble understanding from that what these pieces
> described are actually for,
> where the entry point is, and how I can connect it to the actual
> Keycloak storage. I also don't
> really know how to actually integrate the endpoint into Keycloak once
> I have one built
>
> Regards,
> Scott
>
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda <mposolda(a)redhat.com>
> *Sent:* Wednesday, January 24, 2018 1:59:05 PM
> *To:* Scott Finlay; keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Validate User Credentials Without
> Creating a Session
> Hi Scott,
>
> it's not available OOTB, but you can add your own REST endpoint to
> verify username/password. Or alternatively you can just do directGrant
> login (OAuth2 Resource Owner Password Credentials Grant) and then logout
> session.
>
> Marek
>
> On 23/01/18 09:49, Scott Finlay wrote:
> > Hi,
> >
> >
> > We're currently using Keycloak 2.5.5.Final, and in this version it's
> not possible
> >
> > to validate a user's credentials (username / password combination)
> without
> >
> > actually logging the user in which results in a session (and our
> sessions are long-
> >
> > lived). Is there any new functionality introduced in the later
> versions of Keycloak
> >
> > to validate the credentials without actually logging the user in?
> >
> >
> > Our use-case is that we have very long-lived tokens, but we want to
> require the
> >
> > user to re-enter his/her password in order to perform some certain
> sensitive tasks
> >
> > such as changing the password or username.
> >
> >
> > If such functionality is not available, would it be possible to add
> this?
> >
> >
> > Regards,
> >
> > Scott
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user