Re: [keycloak-user] Login without Keycloak Login Page

Bill Burke wrote > On 12/19/16 11:32 AM, ruiwp13 wrote: >> Bill Burke wrote >>> I looked at the image, specifically the @Path("/login") JAX-RS method. >>> What you are attempting will just not work. Period. I don't think you >>> understand how basic servlet, JAX-RS, and HTTP works along with how Open >>> ID Connection works. OpenID Connect (and SAML) require browser >>> redirects. In looking at your code, you're expecting authenticate() to >>> redirect the browser to keycloak, have the user login, then redirect >>> back. This just doesn't do what you expect. And it shouldn't. >>> Calling servletRequest.authenticate() sets a 302 response with a >>> Location header pointing back to the server. That's it... You >>> actually override what authenticate() did by returning a JAX-RS >>> response. >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user@.jboss >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> Thank you for the answer Bill, >> >> It does redirect me to keycloak login page and then back to my login >> page. >> The redirect back is managed by keycloak. It redirects back to the >> application after login. It may have something wrong when I do the >> authenticate(), but it does redirect me to Keycloak login page. If I knew >> how everything worked I wasn't here asking for help eheh. I came here to >> know what I was doing wrong or if it was a keycloak problem. >> >> What is the correct way to do it then? > I'm not sure what you mean by "Login without Keycloak Login Page". Is > this a browser application? If so, I strongly suggest you use our > adapter and Keycloak Login pages. Login pages can be stylized however > you want. You are not using our adapter as it was intended to be used > so we just can't help you. You're on your own. > > You can do a login without keycloak login pages, but this flow is for > REST clients only, not browser applications. Use direct grant [1] to > obtain a token. Here's a crude example [2] Sorry there isn't better > docs on this. > > [1] https://tools.ietf.org/html/rfc6749#section-4.3 > [2] > https://github.com/keycloak/keycloak/blob/master/examples/demo-template/a... > > > _______________________________________________ > keycloak-user mailing list > keycloak-user@.jboss > https://lists.jboss.org/mailman/listinfo/keycloak-user Is there no possibility of invalidating the token or at least, set it's expiration to "now" when the user logs out? Now, when I logout I get the backchannel logout request from keycloak but the token is still valid. I am able to access the secured pages even though the session in keycloak has ended.