That idea actually sounds amazing, I didn't look into keycloak.js yet, but
I'll see if I can get it working before I think about styling.
Thank you very much!
On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
I think we could quite easily add support for embedding the login page to
keycloak.js. Rough idea:
1. Set an option on keycloak.js to use embedded login form. Would also
require setting an id for a div where the form should be embedded.
2. When clicking on login instead of redirecting it would render an iframe
element inside the configured div with the src of the iframe being the
login page on Keycloak
3. The redirect-uri would be a special url on Keycloak that renders a
similar page to the iframe session page that allows posting a message back
to keycloak.js containing the code
4. Now keycloak.js can swap the code as usual
One thing is that we'd probably need an additional styling of the login
form, as you would want the login page to display differently when embedded
compared to when you redirect to it.
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Sent: Friday, 25 July, 2014 2:30:44 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> The cookies should be set fine, as the iframe would contain the login page
> directly from Keycloak.
>
> It would redirect to a special page on the app that after extracting the code
> would close the popup.
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
> > <rodrigopsasaki(a)gmail.com>
> > Cc: keycloak-user(a)lists.jboss.org
> > Sent: Friday, 25 July, 2014 2:23:14 PM
> > Subject: Re: [keycloak-user] Authenticate user without using login page
> >
> > not sure this will work with SSO. I'm not sure CORS requests can deal
> > with cookies.
> >
> > On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > What about using an iframe in the popup to include the login form from
> > > Keycloak?
> > >
> > > You can send a HTTP POST to /auth-server/<realm>/tokens/grants/access
> > > with client id/secret and username/password and get a token back. With
> > > keycloak.js you can give it this token, not sure how/if this flow works
> > > with the server-side (Undertow) adapter.
> > >
> > > ----- Original Message -----
> > >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > >> To: "Stian Thorgersen" <stian(a)redhat.com>
> > >> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > >> Sent: Friday, 25 July, 2014 2:08:43 PM
> > >> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>
> > >> Actually, the main problem is one of the flows where the password request
> > >> appears in a popup, there's no redirect at all, and one of the things that
> > >> were agreed upon when decided to change the authentication provider, was
> > >> that nothing would be altered in the user experience.
> > >>
> > >> So I really have to try and make keycloak "fit in" in these particular
> > >> scenarios, they are not used as much as the ones where we'll use the
> > >> keycloak login page with our own style, but I do have to make them work.
> > >>
> > >> When you say I could use direct grant to get a token, would that count as
> > >> the same as an user logging in? It's not really clear to me right now
> > >>
> > >>
> > >> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com>
> > >> wrote:
> > >>
> > >>> Yes, but I'm wondering why the following won't work:
> > >>>
> > >>> 1. Ask for users email (in your app, not KC)
> > >>> 2. Once you get to the flow where a user has to login:
> > >>> a) If user doesn't exist in KC (you can use admin endpoints to check
> > >>> this) redirect to registration page on KC with email already entered
> > >>> b) If user does exist in KC redirect to login page again with email
> > >>> already entered
> > >>> 3. Redirect back to app
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Bill Burke" <bburke(a)redhat.com>
> > >>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
> > >>>> <rodrigopsasaki(a)gmail.com>
> > >>>> Cc: keycloak-user(a)lists.jboss.org
> > >>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > >>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>>>
> > >>>> It is because their first login screen is just something asking for an
> > >>>> email. If the email doesn't exist as a user, they want a redirect to
> > >>>> the register page.
> > >>>>
> > >>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > >>>>> Yes, you can use the direct grant to retrieve a token.
> > >>>>>
> > >>>>> I'd like to know why redirecting to the login form, when styled to match
> > >>>>> your website, and using login_hint to pre-fill username/email doesn't
> > >>>>> work. Maybe there's something we can do so that you can still use the
> > >>>>> "proper" flow?
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > >>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > >>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>>>>>
> > >>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
> > >>>>>> so far, I just have to ask.
> > >>>>>>
> > >>>>>> If I don't mind trading off SSO and all the other benefits that the
> > >>>>>> Keycloak login page provides me, would there be a way for me to do what I
> > >>>>>> want?
> > >>>>>>
> > >>>>>>
> > >>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com>
> > >>>>>> wrote:
> > >>>>>>
> > >>>>>>> We could add support for login_hint query param so you can have the
> > >>>>>>> username/email field on the login form pre-filled for the user, so once a
> > >>>>>>> user has to authenticate you redirect to login on KC and all they would
> > >>>>>>> have to do is enter their password.
> > >>>>>>>
> > >>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
> > >>>>>>> required actions, recover password, etc, etc, etc..
> > >>>>>>>
> > >>>>>>> As Bill mentioned we provide very flexible login forms that can be
> > >>>>>>> templated using either just css or even FreeMarker templates if you need
> > >>>>>>> a lot of customization, so you should be able to make the login form
> > >>>>>>> integrate well with your website.
> > >>>>>>>
> > >>>>>>> ----- Original Message -----
> > >>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > >>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
> > >>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > >>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > >>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>>>>>>>
> > >>>>>>>> You think there could be a way to do this within keycloak itself?
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
> > >>>>>>>> wrote:
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> I'll give you an example:
> > >>>>>>>>
> > >>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
> > >>>>>>>> and he can go on with the flow.
> > >>>>>>>>
> > >>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
> > >>>>>>>> we already have in our user database, we ask him for his password,
> > >>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
> > >>>>>>>> to a page where he can register himself, and after that continue on.
> > >>>>>>>>
> > >>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
> > >>>>>>>> keycloak, because that would interrupt the flow that we designed.
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke(a)redhat.com> wrote:
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > >>>>>>>>
> > >>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
> > >>>>>>>> issue within keycloak itself.
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> Just for the sake of conversation, if I did want to handle my own login
> > >>>>>>>> page, would there be a way for me to do it?
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> > >>>>>>>> <rodrigopsasaki(a)gmail.com> wrote:
> > >>>>>>>>
> > >>>>>>>> I don't want to miss out on all of that, which is why we're mostly
> > >>>>>>>> migrating everything to use keycloak that way.
> > >>>>>>>>
> > >>>>>>>> It's just that we have cases that are so specific, that it would be
> > >>>>>>>> better to authenticate the user in a different manner, create the
> > >>>>>>>> user session and everything, without redirecting.
> > >>>>>>>>
> > >>>>>>>> I'll have a look at that code. Thanks!
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
> > >>>>>>>>
> > >>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
> > >>>>>>>> a lot of Keycloak features. Specifically:
> > >>>>>>>>
> > >>>>>>>> * SSO
> > >>>>>>>> * forgot password
> > >>>>>>>> * admin forced credential reset/setup
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> Login pages can be styled however you like to
look like your
> > >>>>>>>> application.
> > >>>>>>>>
> > >>>>>>>> There is a REST api for obtaining an access
token. Here is an
> > >>>>>>>> example:
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > >>>>>>>>
> > >>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > >>>>>>>>> Is there a way to authenticate the user without having to input username
> > >>>>>>>>> and password on the login page?
> > >>>>>>>>>
> > >>>>>>>>> For example:
> > >>>>>>>>>
> > >>>>>>>>> Say there's a situation in my application where I request the user for
> > >>>>>>>>> his username and password, and I wouldn't like to redirect that to the
> > >>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
> > >>>>>>>>> do that?
> > >>>>>>>>>
> > >>>>>>>>> --
> > >>>>>>>>> Rodrigo Sasaki
> > >>>>>>>>>
> > >>>>>>>>>
> > >>>>>>>>> _______________________________________________
> > >>>>>>>>> keycloak-user mailing list
> > >>>>>>>>> keycloak-user(a)lists.jboss.org
> > >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Bill Burke
> > >>>>>>>> JBoss, a division of Red Hat
> > >>>>>>>> http://bill.burkecentral.com
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Rodrigo Sasaki
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Rodrigo Sasaki
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Bill Burke
> > >>>>>>>> JBoss, a division of Red Hat
> > >>>>>>>> http://bill.burkecentral.com
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Rodrigo Sasaki
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Rodrigo Sasaki
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>> --
> > >>>>>> Rodrigo Sasaki
> > >>>>>>
> > >>>>
> > >>>> --
> > >>>> Bill Burke
> > >>>> JBoss, a division of Red Hat
> > >>>> http://bill.burkecentral.com
> > >>>>
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Rodrigo Sasaki
> > >>
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
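
The embedded-login idea at the top of this thread has a Keycloak-hosted page post the authorization code back to keycloak.js, so the receiving page has to decide which messages it will act on before swapping the code. The following is an added example, not code from the thread or from keycloak.js; the message shape `{type, code, state}`, the type string `kc-embedded-login`, the function names and the origins are all assumptions.

```javascript
// Added illustration; the message shape {type, code, state}, the type string
// and all names below are assumptions, not keycloak.js API.
function createLoginGate(keycloakOrigin, iframeWindow, state) {
  let used = false; // each state value admits exactly one code
  return function accept(event) {
    if (used) return { ok: false, reason: 'used' };
    // Exact origin match; prefix or substring checks are bypassable.
    if (event.origin !== keycloakOrigin) return { ok: false, reason: 'origin' };
    // Must come from the iframe this page created, not any other window.
    if (event.source !== iframeWindow) return { ok: false, reason: 'source' };
    const msg = event.data;
    if (msg === null || typeof msg !== 'object' || msg.type !== 'kc-embedded-login') {
      return { ok: false, reason: 'shape' };
    }
    // State binds the code to the login attempt started on this page.
    if (typeof msg.state !== 'string' || msg.state !== state) {
      return { ok: false, reason: 'state' };
    }
    if (typeof msg.code !== 'string' || msg.code === '') {
      return { ok: false, reason: 'code' };
    }
    used = true;
    return { ok: true, code: msg.code };
  };
}

// Constructed sample events (plain objects standing in for MessageEvent).
function runSamples() {
  const frame = { name: 'kc-login-frame' };
  const origin = 'https://sso.example.test';
  const good = { type: 'kc-embedded-login', code: 'constructed-code', state: 's-42' };
  const accept = createLoginGate(origin, frame, 's-42');
  return [
    accept({ origin: origin + '.example.net', source: frame, data: good }), // look-alike origin
    accept({ origin, source: {}, data: good }),                             // other window
    accept({ origin, source: frame, data: { ...good, state: 's-41' } }),    // stale state
    accept({ origin, source: frame, data: good }),                          // accepted
    accept({ origin, source: frame, data: good }),                          // replay
  ].map((r) => (r.ok ? 'ok:' + r.code : r.reason));
}

console.log(runSamples());
```

In a page, the returned function would be called from a `window.addEventListener('message', ...)` handler, with the iframe's `contentWindow` passed as `iframeWindow` and a fresh random `state` per login attempt.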