On 12/19/16 11:32 AM, ruiwp13 wrote:
> Bill Burke wrote
>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>> What you are attempting will just not work. Period. I don't think you
>> understand how basic servlet, JAX-RS, and HTTP works along with how OpenID
>> Connect works. OpenID Connect (and SAML) require browser
>> redirects. In looking at your code, you're expecting authenticate() to
>> redirect the browser to keycloak, have the user login, then redirect
>> back. This just doesn't do what you expect. And it shouldn't.
>> Calling servletRequest.authenticate() sets a 302 response with a
>> Location header pointing back to the server. That's it... You
>> actually override what authenticate() did by returning a JAX-RS
>> response.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user@.jboss
>
> Thank you for the answer Bill,
>
> It does redirect me to keycloak login page and then back to my login
> page.
> The redirect back is managed by keycloak. It redirects back to the
> application after login. It may have something wrong when I do the
> authenticate(), but it does redirect me to Keycloak login page. If I knew
> how everything worked I wouldn't be here asking for help eheh. I came here to
> know what I was doing wrong or if it was a keycloak problem.
>
> What is the correct way to do it then?
I'm not sure what you mean by "Login without Keycloak Login Page". Is
this a browser application? If so, I strongly suggest you use our
adapter and Keycloak Login pages. Login pages can be stylized however
you want. You are not using our adapter as it was intended to be used
so we just can't help you. You're on your own.

You can do a login without keycloak login pages, but this flow is for
REST clients only, not browser applications. Use direct grant [1] to
obtain a token. Here's a crude example [2]. Sorry there aren't better
docs on this.
[1] https://tools.ietf.org/html/rfc6749#section-4.3
[2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a...
Thank you for your kindness Bill.
Yes, it is a browser application but I can also make the login through REST.
At first, I was making the login with direct grant flow like in [2]. But
when I logged out the token would still be active in the application
although the session had been terminated in Keycloak. So I asked in the
forum and saw a post where they said backchannel logout isn't possible with
direct_grant and I had to use the adapters. So I was trying to do the
adapter flow with the HttpServletRequest.authenticate() and logout() through
the browser and made this post.
Basically:
1. When I tried the direct grant flow, the token was not being invalidated
after logout and I was told it wouldn't be possible to invalidate the token
unless I used the adapters.
2. I am trying to do with the adapters, using a browser and redirecting to
Keycloak Login page and then back to my API and the problem that I am having
now with the adapter flow is that it says invalid_token when I logout. Maybe
in this one I am doing something wrong in login, but I am not sure what. I
don't see specifically anywhere how to use the adapter here with the Servlet.
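Point 1 of the message above, as an added example that is not part of the original thread and is not Keycloak's code: a toy issuer and resource server showing why a token obtained through direct grant keeps passing a signature-and-expiry check after the session is logged out, while a check made at the issuer does not. `ToyIssuer`, `verify_locally`, the HMAC signing and the credentials are all constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # assumption: HMAC keeps the sketch short

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def verify_locally(token: str, now: int):
    """Resource server that checks only signature and expiry."""
    body, _, sig = token.encode().partition(b".")
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None

class ToyIssuer:
    """Hypothetical stand-in for the authorization server."""
    def __init__(self):
        self.sessions = set()

    def direct_grant(self, user: str, password: str, now: int, ttl: int = 300) -> str:
        # RFC 6749 section 4.3: credentials go straight to the token endpoint.
        if password != "constructed-password":
            raise PermissionError("invalid_grant")
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        claims = {"sub": user, "sid": sid, "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return (body + b"." + _sign(body)).decode()

    def logout(self, sid: str) -> None:
        self.sessions.discard(sid)  # ends the session; issued tokens are untouched

    def is_active(self, token: str, now: int) -> bool:
        # Server-side check: token must verify AND its session must still exist.
        claims = verify_locally(token, now)
        return claims is not None and claims["sid"] in self.sessions

def demo() -> dict:
    idp, t0 = ToyIssuer(), 1_000
    token = idp.direct_grant("alice", "constructed-password", now=t0)
    idp.logout(verify_locally(token, t0)["sid"])
    return {
        "local_check_after_logout": verify_locally(token, t0 + 10) is not None,
        "issuer_check_after_logout": idp.is_active(token, t0 + 10),
        "local_check_after_expiry": verify_locally(token, t0 + 301) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

In this model the locally verified token stops being accepted only when its `exp` passes, so the token lifetime bounds how long it outlives the logout.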