The easiest is to log in through directGrant and then log out the session
with the refreshToken. We have an example which does that and shows
logout as well: it's admin-access-app from the preconfigured-demo examples.
The place where the credentials are checked is
Pbkdf2PasswordHashProvider. You can try to debug/investigate to see
further how to get there and what code calls this. If it's too much
trouble, I suggest sticking with the directGrant + logout approach.
Marek
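Added example (not part of Marek's message and not code from the Keycloak examples): the directGrant + logout approach in Python, using a realm's OpenID Connect token and logout endpoints. The base URL, realm, client ID and the injectable `post` helper are assumptions for illustration, and the client is assumed to be a public client with Direct Access Grants enabled.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: base_url is a placeholder such as https://keycloak.example.test/auth


def http_post_form(url, form):
    """POST a urlencoded form; return (status, parsed JSON body or {})."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    try:
        return status, json.loads(body) if body else {}
    except ValueError:
        return status, {}


def verify_password(base_url, realm, client_id, username, password,
                    post=http_post_form):
    """Return True if the password is valid, ending the session it created."""
    oidc = f"{base_url}/realms/{realm}/protocol/openid-connect"
    # Step 1: direct grant (OAuth2 Resource Owner Password Credentials).
    status, tokens = post(f"{oidc}/token", {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    })
    if status != 200 or "refresh_token" not in tokens:
        return False  # bad credentials, disabled user, or direct grant off
    # Step 2: log out the session that step 1 just created.
    status, _ = post(f"{oidc}/logout", {
        "client_id": client_id,
        "refresh_token": tokens["refresh_token"],
    })
    if status not in (200, 204):
        # Fail closed: a session that could not be ended must not go unnoticed.
        raise RuntimeError(f"logout failed with HTTP {status}")
    return True
```

A confidential client would also send its `client_secret` in both requests.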
On 01/02/18 17:25, Scott Finlay wrote:
Hi Marek,
Thanks for the suggestion. Could you maybe point me in the right
direction there?
I'm having some difficulties finding the actual place where credentials
are checked in the Keycloak code and where the session is being created.
Additionally I've looked at the documentation
(http://www.keycloak.org/docs/3.1/server_development/topics/extensions.html)
but I'm having trouble understanding from that what these pieces
described are actually for, where the entry point is, and how I can
connect it to the actual Keycloak storage. I also don't really know how
to actually integrate the endpoint into Keycloak once I have one built.
Regards,
Scott
------------------------------------------------------------------------
*From:* Marek Posolda <mposolda(a)redhat.com>
*Sent:* Wednesday, January 24, 2018 1:59:05 PM
*To:* Scott Finlay; keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Validate User Credentials Without
Creating a Session
Hi Scott,
it's not available OOTB, but you can add your own REST endpoint to
verify username/password. Or alternatively you can just do a directGrant
login (OAuth2 Resource Owner Password Credentials Grant) and then log out
the session.
Marek
On 23/01/18 09:49, Scott Finlay wrote:
> Hi,
>
> We're currently using Keycloak 2.5.5.Final, and in this version it's
> not possible to validate a user's credentials (username / password
> combination) without actually logging the user in which results in a
> session (and our sessions are long-lived). Is there any new
> functionality introduced in the later versions of Keycloak to validate
> the credentials without actually logging the user in?
>
> Our use-case is that we have very long-lived tokens, but we want to
> require the user to re-enter his/her password in order to perform some
> certain sensitive tasks such as changing the password or username.
>
> If such functionality is not available, would it be possible to add
> this?
>
> Regards,
>
> Scott