On 12/20/16 12:00 PM, ruiwp13 wrote:
> Bill Burke wrote
>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>>> Bill Burke wrote
>>>> I looked at the image, specifically the @Path("/login") JAX-RS
method.
>>>> What you are attempting will just not work. Period. I don't think
>>>> you
>>>> understand how basic servlet, JAX-RS, and HTTP works along with how
>>>> Open
>>>> ID Connection works. OpenID Connect (and SAML) require browser
>>>> redirects. In looking at your code, you're expecting authenticate()
>>>> to
>>>> redirect the browser to keycloak, have the user login, then redirect
>>>> back. This just doesn't do what you expect. And it shouldn't.
>>>> Calling servletRequest.authenticate() sets a 302 response with a
>>>> Location header pointing back to the server. That's it... You
>>>> actually override what authenticate() did by returning a JAX-RS
>>>> response.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>
keycloak-user@.jboss
>>>
>>> Thank you for
the answer Bill,
>>>
>>> It does redirect me to keycloak login page and then back to my login
>>> page.
>>> The redirect back is managed by keycloak. It redirects back to the
>>> application after login. It may have something wrong when I do the
>>> authenticate(), but it does redirect me to Keycloak login page. If I
>>> knew
>>> how everything worked I wasn't here asking for help eheh. I came here
>>> to
>>> know what I was doing wrong or if it was a keycloak problem.
>>>
>>> What is the correct way to do it then?
>> I'm not sure what you mean by "Login without Keycloak Login Page".
Is
>> this a browser application? If so, I strongly suggest you use our
>> adapter and Keycloak Login pages. Login pages can be stylized however
>> you want. You are not using our adapter as it was intended to be used
>> so we just can't help you. You're on your own.
>>
>> You can do a login without keycloak login pages, but this flow is for
>> REST clients only, not browser applications. Use direct grant [1] to
>> obtain a token. Here's a crude example [2] Sorry there isn't better
>> docs on this.
>>
>> [1]
https://tools.ietf.org/html/rfc6749#section-4.3
>> [2]
>>
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>
keycloak-user@.jboss
>
> Is there no possibility
of invalidating the token or at least, set it's
> expiration to "now" when the user logs out?
> Now, when I logout I get the backchannel logout request from keycloak but
> the token is still valid. I am able to access the secured pages even
> though
> the session in keycloak has ended.
Are you still doing your *hack* approach?
HttpServletRequest.getSession().invalidate() might work. Like I said
before, if you insist on doing things your own way and in a way that was
not intended for the adapter to work, there's not much we can help you
with.
Bill
_______________________________________________
keycloak-user mailing list
Hello Bill,
Well, not sure if it is an hack approach. I want to login through REST
without having to be redirected to keycloak login page because there is a
part where there will be no broswer interaction.
At the moment, I am logging in with authorization code flow through HTTP
GETs and POSTs and scrapping the login form to get the code & state. I also
send the client_session_state containing the
HttpServletRequest.getSession().getId()
To logout I am making a POST call to the logout endpoint sending the
refresh_token and the client_id and client_secret.
Is this the right way to do it?
Otherwise how am I supposed to logout without a browser, in a servlet?
--
View this message in context: