Yes, login_hint is one of the optional request parameters supported by OpenID Connect
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 30 July, 2014 2:38:32 PM
Subject: Re: [keycloak-user] Authenticate user without using login page
OpenID Connect protocol is used to implement this?
On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> Added login_hint query param. It can be used with keycloak.js with either:
>
> keycloak.login({ loginHint: 'username' })
>
> or
>
> keycloak.createLoginUrl({ loginHint: 'username' })
>
> ----- Original Message -----
>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>> Sent: Friday, 25 July, 2014 6:11:47 PM
>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>
>> It all worked great with the iframe, if I style it properly and use that
>> login_hint it should be perfect.
>>
>> Now how should I go about developing/using this login_hint? Are there any
>> tips on this, or is it something that you plan on including yourselves?
>>
>>
>> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
>>
>>> Just one more thing that wasn't completely clear to me.
>>>
>>> if I add a login page on an iframe, the user will be logged normally? Or
>>> would I have to get a token and keep managing it?
>>>
>>>
>>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
>>>
>>>> That idea actually sounds amazing, I didn't look into keycloak.js yet,
>>>> but I'll see if I can get it working before I think about styling.
>>>>
>>>> Thank you very much!
>>>>
>>>>
>>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>
>>>>> I think we could quite easily add support for embedding the login page
>>>>> to keycloak.js. Rough idea:
>>>>>
>>>>> 1. Set an option on keycloak.js to use embedded login form. Would also
>>>>> require setting an id for a div where the form should be embedded.
>>>>> 2. When clicking on login instead of redirecting it would render an
>>>>> iframe element inside the configured div with the src of the iframe being
>>>>> the login page on Keycloak
>>>>> 3. The redirect-uri would be a special url on Keycloak that renders a
>>>>> similar page to the iframe session page that allows posting a message back
>>>>> to keycloak.js containing the code
>>>>> 4. Now keycloak.js can swap the code as usual
>>>>>
>>>>> One thing is that we'd probably need an additional styling of the login
>>>>> form, as you would want the login page to display differently when embedded
>>>>> compared to when you redirect to it.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>
>>>>>> The cookies should be set fine, as the iframe would contain the login page
>>>>>> directly from Keycloak.
>>>>>>
>>>>>> It would redirect to a special page on the app that after extracting the code
>>>>>> would close the popup.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>
>>>>>>> not sure this will work with SSO. I'm not sure CORS requests can deal
>>>>>>> with cookies.
>>>>>>>
>>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
>>>>>>>> What about using an iframe in the popup to include the login form from
>>>>>>>> Keycloak?
>>>>>>>>
>>>>>>>> You can send a HTTP POST to /auth-server/<realm>/tokens/grants/access
>>>>>>>> with client id/secret and username/password and get a token back. With
>>>>>>>> keycloak.js you can give it this token, not sure how/if this flow works
>>>>>>>> with the server-side (Undertow) adapter.
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>
>>>>>>>>> Actually, the main problem is one of the flows where the password request
>>>>>>>>> appears in a popup, there's no redirect at all, and one of the things that
>>>>>>>>> were agreed upon when decided to change the authentication provider, was
>>>>>>>>> that nothing would be altered in the user experience.
>>>>>>>>>
>>>>>>>>> So I really have to try and make keycloak "fit in" in these particular
>>>>>>>>> scenarios, they are not used as much as the ones where we'll use the
>>>>>>>>> keycloak login page with our own style, but I do have to make them work.
>>>>>>>>>
>>>>>>>>> When you say I could use direct grant to get a token, would that count as
>>>>>>>>> the same as a user logging in? It's not really clear to me right now
>>>>>>>>>
>>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Yes, but I'm wondering why the following won't work:
>>>>>>>>>>
>>>>>>>>>> 1. Ask for users email (in your app, not KC)
>>>>>>>>>> 2. Once you get to the flow where a user has to login:
>>>>>>>>>>    a) If user doesn't exist in KC (you can use admin endpoints to check
>>>>>>>>>>       this) redirect to registration page on KC with email already entered
>>>>>>>>>>    b) If user does exist in KC redirect to login page again with email
>>>>>>>>>>       already entered
>>>>>>>>>> 3. Redirect back to app
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>
>>>>>>>>>>> It is because their first login screen is just something asking for an
>>>>>>>>>>> email. If the email doesn't exist as a user, they want a redirect to
>>>>>>>>>>> the register page.
>>>>>>>>>>>
>>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token.
>>>>>>>>>>>>
>>>>>>>>>>>> I'd like to know why redirecting to the login form, when styled to match
>>>>>>>>>>>> your website, and using login_hint to pre-fill username/email doesn't
>>>>>>>>>>>> work. Maybe there's something we can do so that you can still use the
>>>>>>>>>>>> "proper" flow?
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper so
>>>>>>>>>>>>> far, I just have to ask.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I don't mind trading off SSO and all the other benefits that the
>>>>>>>>>>>>> Keycloak login page provides me, would there be a way for me to do what I
>>>>>>>>>>>>> want?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> We could add support for login_hint query param so you can have the
>>>>>>>>>>>>>> username/email field on the login form pre-filled for the user, so once a
>>>>>>>>>>>>>> user has to authenticate you redirect to login on KC and all they would
>>>>>>>>>>>>>> have to do is enter their password.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>>>>>>>>>>>>> required actions, recover password, etc, etc, etc..
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As Bill mentioned we provide very flexible login forms that can be
>>>>>>>>>>>>>> templated using either just css or even FreeMarker templates if you need a
>>>>>>>>>>>>>> lot of customization, so you should be able to make the login form
>>>>>>>>>>>>>> integrate well with your website.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>>>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You think there could be a way to do this within keycloak itself?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll give you an example:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We have a situation in our website where we only ask for the user's
>>>>>>>>>>>>>>> e-mail, and he can go on with the flow.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On a determined step of the flow, if we identify that this is an e-mail
>>>>>>>>>>>>>>> that we already have in our user database, we ask him for his password,
>>>>>>>>>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect
>>>>>>>>>>>>>>> him to a page where he can register himself, and after that continue on.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On this specific case and others, we wouldn't like to have to redirect
>>>>>>>>>>>>>>> him to keycloak, because that would interrupt the flow that we designed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke(a)redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you have to do it this way, please let us know why. Maybe we can
>>>>>>>>>>>>>>> solve the issue within keycloak itself.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>>>>>>>>>>>>>> page, would there be a way for me to do it?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>>>>>>>>>>>>>> migrating everything to use keycloak that way.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It's just that we have cases that are so specific, that it would be
>>>>>>>>>>>>>>> better to authenticate the user in a different manner, create the
>>>>>>>>>>>>>>> user session and everything, without redirecting.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> * SSO
>>>>>>>>>>>>>>> * forgot password
>>>>>>>>>>>>>>> * admin forced credential reset/setup
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Login pages can be styled however you like to look like your
>>>>>>>>>>>>>>> application.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> There is a REST api for obtaining an access token. Here is an example:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>>>>>>>>>>>>>>>> Is there a way to authenticate the user without having to input username
>>>>>>>>>>>>>>>> and password on the login page?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> For example:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Say there's a situation in my application where I request the user for
>>>>>>>>>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>>>>>>>>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>>>>>>>>>>>>>>> do that?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>>>>> http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
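
Added example, not part of the original messages and not keycloak.js code: a sketch of the two pieces discussed in this thread, a login URL carrying login_hint and the check a page should apply before accepting the code posted back by the embedded login iframe. The endpoint, origins, function names and the message shape ({ code, state }) are assumptions.

```javascript
// Added example. Function names, origins and values are hypothetical; not keycloak.js code.

// Build an OpenID Connect authorization request. login_hint only pre-fills the
// username field on the login page; the user still authenticates at the server.
function buildLoginUrl(authEndpoint, { clientId, redirectUri, state, loginHint }) {
  const url = new URL(authEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('state', state);
  if (loginHint) url.searchParams.set('login_hint', loginHint);
  return url.toString();
}

// Decide whether a message posted back from the embedded login iframe may be
// trusted. `event` has the shape of a browser MessageEvent: { origin, data }.
// Returns the authorization code, or null when the message must be ignored.
function acceptCodeMessage(event, { idpOrigin, expectedState }) {
  if (event.origin !== idpOrigin) return null;      // not sent by the login server
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.code !== 'string' || data.code.length === 0) return null;
  if (data.state !== expectedState) return null;    // not the answer to our request
  return data.code;
}

// Constructed sample values.
const IDP = 'https://idp.example';
const STATE = 'constructed-state-123';
const loginUrl = buildLoginUrl(IDP + '/authorize', {
  clientId: 'my-app', redirectUri: IDP + '/iframe-callback',
  state: STATE, loginHint: 'user@example.com',
});
const check = { idpOrigin: IDP, expectedState: STATE };
const samples = [
  { origin: IDP, data: { code: 'abc', state: STATE } },                      // accepted
  { origin: 'https://other.example', data: { code: 'abc', state: STATE } },  // wrong origin
  { origin: IDP, data: { code: 'abc', state: 'stale' } },                    // wrong state
];
console.log(loginUrl);
console.log(samples.map((e) => acceptCodeMessage(e, check)));
```

In a browser the second function would be called from a `message` event listener on `window`, and only a non-null result would be exchanged for tokens.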