Just one more thing that wasn't completely clear to me.
If I add a login page on an iframe, will the user be logged in normally? Or
would I have to get a token and keep managing it?
On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
wrote:
That idea actually sounds amazing, I didn't look into keycloak.js yet, but
I'll see if I can get it working before I think about styling.
Thank you very much!
On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian(a)redhat.com>
wrote:
> I think we could quite easily add support for embedding the login page to
> keycloak.js. Rough idea:
>
> 1. Set an option on keycloak.js to use embedded login form. Would also
> require setting an id for a div where the form should be embedded.
> 2. When clicking on login instead of redirecting it would render an
> iframe element inside the configured div with the src of the iframe being
> the login page on Keycloak
> 3. The redirect-uri would be a special url on Keycloak that renders a
> similar page to the iframe session page that allows posting a message back
> to keycloak.js containing the code
> 4. Now keycloak.js can swap the code as usual
>
> One thing is that we'd probably need an additional styling of the login
> form, as you would want the login page to display differently when embedded
> compared to when you redirect to it.
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian(a)redhat.com>
> > To: "Bill Burke" <bburke(a)redhat.com>
> > Cc: keycloak-user(a)lists.jboss.org
> > Sent: Friday, 25 July, 2014 2:30:44 PM
> > Subject: Re: [keycloak-user] Authenticate user without using login page
> >
> > The cookies should be set fine, as the iframe would contain the login page
> > directly from Keycloak.
> >
> > It would redirect to a special page on the app that after extracting the code
> > would close the popup.
> >
> > ----- Original Message -----
> > > From: "Bill Burke" <bburke(a)redhat.com>
> > > To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
> > > <rodrigopsasaki(a)gmail.com>
> > > Cc: keycloak-user(a)lists.jboss.org
> > > Sent: Friday, 25 July, 2014 2:23:14 PM
> > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >
> > > not sure this will work with SSO. I'm not sure CORS requests can deal
> > > with cookies.
> > >
> > > On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > > > What about using an iframe in the popup to include the login form from
> > > > Keycloak?
> > > >
> > > > You can send a HTTP POST to /auth-server/<realm>/tokens/grants/access with
> > > > client id/secret and username/password and get a token back. With
> > > > keycloak.js you can give it this token, not sure how/if this flow works
> > > > with the server-side (Undertow) adapter.
> > > >
> > > > ----- Original Message -----
> > > >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > >> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > >> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > > >> Sent: Friday, 25 July, 2014 2:08:43 PM
> > > >> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>
> > > >> Actually, the main problem is one of the flows where the password request
> > > >> appears in a popup, there's no redirect at all, and one of the things that
> > > >> were agreed upon when decided to change the authentication provider, was
> > > >> that nothing would be altered in the user experience.
> > > >>
> > > >> So I really have to try and make keycloak "fit in" in these particular
> > > >> scenarios, they are not used as much as the ones where we'll use the
> > > >> keycloak login page with our own style, but I do have to make them work.
> > > >>
> > > >> When you say I could use direct grant to get a token, would that count as
> > > >> the same as a user logging in? It's not really clear to me right now
> > > >>
> > > >>
> > > >> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com>
> > > >> wrote:
> > > >>
> > > >>> Yes, but I'm wondering why the following won't work:
> > > >>>
> > > >>> 1. Ask for users email (in your app, not KC)
> > > >>> 2. Once you get to the flow where a user has to login:
> > > >>> a) If user doesn't exist in KC (you can use admin endpoints to check
> > > >>> this) redirect to registration page on KC with email already entered
> > > >>> b) If user does exist in KC redirect to login page again with email
> > > >>> already entered
> > > >>> 3. Redirect back to app
> > > >>>
> > > >>> ----- Original Message -----
> > > >>>> From: "Bill Burke" <bburke(a)redhat.com>
> > > >>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > >>>> Cc: keycloak-user(a)lists.jboss.org
> > > >>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > > >>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>
> > > >>>> It is because their first login screen is just something asking for an
> > > >>>> email. If the email doesn't exist as a user, they want a redirect to
> > > >>>> the register page.
> > > >>>>
> > > >>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > > >>>>> Yes, you can use the direct grant to retrieve a token.
> > > >>>>>
> > > >>>>> I'd like to know why redirecting to the login form, when styled to match
> > > >>>>> your website, and using login_hint to pre-fill username/email doesn't
> > > >>>>> work. Maybe there's something we can do so that you can still use the
> > > >>>>> "proper" flow?
> > > >>>>>
> > > >>>>> ----- Original Message -----
> > > >>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> > > >>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> > > >>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>>>
> > > >>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper so
> > > >>>>>> far, I just have to ask.
> > > >>>>>>
> > > >>>>>> If I don't mind trading off SSO and all the other benefits that the
> > > >>>>>> Keycloak login page provides me, would there be a way for me to do what I
> > > >>>>>> want?
> > > >>>>>>
> > > >>>>>>
> > > >>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com>
> > > >>>>>> wrote:
> > > >>>>>>
> > > >>>>>>> We could add support for login_hint query param so you can have the
> > > >>>>>>> username/email field on the login form pre-filled for the user, so once a
> > > >>>>>>> user has to authenticate you redirect to login on KC and all they would
> > > >>>>>>> have to do is enter their password.
> > > >>>>>>>
> > > >>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
> > > >>>>>>> required actions, recover password, etc, etc, etc..
> > > >>>>>>>
> > > >>>>>>> As Bill mentioned we provide very flexible login forms that can be
> > > >>>>>>> templated using either just css or even FreeMarker templates if you need a
> > > >>>>>>> lot of customization, so you should be able to make the login form
> > > >>>>>>> integrate well with your website.
> > > >>>>>>>
> > > >>>>>>> ----- Original Message -----
> > > >>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> > > >>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
> > > >>>>>>>> Cc: keycloak-user(a)lists.jboss.org
> > > >>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > > >>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > > >>>>>>>>
> > > >>>>>>>> You think there could be a way to do this within keycloak itself?
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
> > > >>>>>>>> wrote:
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> I'll give you an example:
> > > >>>>>>>>
> > > >>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
> > > >>>>>>>> and he can go on with the flow.
> > > >>>>>>>>
> > > >>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
> > > >>>>>>>> we already have in our user database, we ask him for his password,
> > > >>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
> > > >>>>>>>> to a page where he can register himself, and after that continue on.
> > > >>>>>>>>
> > > >>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
> > > >>>>>>>> keycloak, because that would interrupt the flow that we designed.
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke(a)redhat.com> wrote:
> > > >>>>>>>>
> > > >>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > > >>>>>>>>
> > > >>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
> > > >>>>>>>> issue within keycloak itself.
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > > >>>>>>>>
> > > >>>>>>>> Just for the sake of conversation, if I did want to handle my own login
> > > >>>>>>>> page, would there be a way for me to do it?
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> > > >>>>>>>> <rodrigopsasaki(a)gmail.com> wrote:
> > > >>>>>>>>
> > > >>>>>>>> I don't want to miss out on all of that, which is why we're mostly
> > > >>>>>>>> migrating everything to use keycloak that way.
> > > >>>>>>>>
> > > >>>>>>>> It's just that we have cases that are so specific, that it would be
> > > >>>>>>>> better to authenticate the user in a different manner, create the
> > > >>>>>>>> user session and everything, without redirecting.
> > > >>>>>>>>
> > > >>>>>>>> I'll have a look at that code. Thanks!
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
> > > >>>>>>>>
> > > >>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
> > > >>>>>>>> a lot of Keycloak features. Specifically:
> > > >>>>>>>>
> > > >>>>>>>> * SSO
> > > >>>>>>>> * forgot password
> > > >>>>>>>> * admin forced credential reset/setup
> > > >>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> Login pages can be styled however you like to look like your
> > > >>>>>>>> application.
> > > >>>>>>>>
> > > >>>>>>>> There is a REST api for obtaining an access token. Here is an
> > > >>>>>>>> example:
> > > >>>>>>>>
> > > >>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > > >>>>>>>>
> > > >>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > > >>>>>>>>> Is there a way to authenticate the user without having to input username
> > > >>>>>>>>> and password on the login page?
> > > >>>>>>>>>
> > > >>>>>>>>> For example:
> > > >>>>>>>>>
> > > >>>>>>>>> Say there's a situation in my application where I request the user for
> > > >>>>>>>>> his username and password, and I wouldn't like to redirect that to the
> > > >>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
> > > >>>>>>>>> do that?
> > > >>>>>>>>>
> > > >>>>>>>>> --
> > > >>>>>>>>> Rodrigo Sasaki
> > > >>>>>>>>>
> > > >>>>>>>>>
> > > >>>>>>>>> _______________________________________________
> > > >>>>>>>>> keycloak-user mailing list
> > > >>>>>>>>> keycloak-user(a)lists.jboss.org
> > > >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >>>>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> --
> > > >>>>>>>> Bill Burke
> > > >>>>>>>> JBoss, a division of Red Hat
> > > >>>>>>>> http://bill.burkecentral.com
--
Rodrigo Sasaki
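
Steps 3 and 4 of the rough idea quoted above depend on the callback page posting the code to the page that embeds the iframe. The following is an added example, not part of the original thread and not keycloak.js code, of the checks the embedding page would apply to that message before swapping the code; the function name, the `{code, state}` message shape, the use of a `state` value and all sample values are assumptions.

```javascript
// Added example: acceptLoginMessage and the {code, state} message shape are
// hypothetical, not keycloak.js API.

// Returns the authorization code, or null when the message must be ignored.
// `pending` is what the app stored when it rendered the login iframe:
//   { origin: Keycloak's origin,
//     state:  random value the app put in the login URL,
//     frame:  the iframe's contentWindow,
//     done:   false }
function acceptLoginMessage(event, pending) {
  // Any window can postMessage to the app, so only Keycloak's origin counts.
  if (event.origin !== pending.origin) return null;
  // It must come from the iframe the app rendered, not another frame or popup.
  if (event.source !== pending.frame) return null;
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.code !== 'string' || data.code === '') return null;
  // state binds the response to the login attempt the app started.
  if (data.state !== pending.state) return null;
  // Accept one code per login attempt; a replayed message is dropped.
  if (pending.done) return null;
  pending.done = true;
  return data.code;
}

// Constructed sample values (not from the thread).
const frame = { name: 'login-iframe' };
function newPending() {
  return { origin: 'https://sso.example.test', state: 'c0ffee-constructed',
           frame: frame, done: false };
}
const good = {
  origin: 'https://sso.example.test',
  source: frame,
  data: { code: 'constructed-code', state: 'c0ffee-constructed' },
};

// In a browser the function would be wired up as:
//   window.addEventListener('message', function (e) {
//     const code = acceptLoginMessage(e, pending);
//     if (code !== null) { /* swap the code for tokens as usual */ }
//   });
```
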