Sorry, but I just can't spend time on figuring out what's going wrong when
you are doing something bad.
On 21 December 2016 at 10:24, ruiwp13 <ruiwp_93(a)hotmail.com> wrote:
stianst wrote
> That's an extremely bad hack! The authorization code flow is a redirect
> based flow and should not be used in this way.
>
> Please use the real login page as recommended. Alternatively use resource
> owner password grant (direct grant in Keycloak). With direct grants you can
> only invalidate the refresh token, not the session or access token so you
> should have a short lifespan on your access tokens.
>
> On 21 December 2016 at 09:21, ruiwp13 <ruiwp_93@> wrote:
>
>> Bill Burke wrote
>> > On 12/20/16 12:00 PM, ruiwp13 wrote:
>> >> Bill Burke wrote
>> >>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>> >>>> Bill Burke wrote
>> >>>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>> >>>>> What you are attempting will just not work. Period. I don't think you
>> >>>>> understand how basic servlet, JAX-RS, and HTTP works along with how
>> >>>>> OpenID Connect works. OpenID Connect (and SAML) require browser
>> >>>>> redirects. In looking at your code, you're expecting authenticate() to
>> >>>>> redirect the browser to keycloak, have the user login, then redirect
>> >>>>> back. This just doesn't do what you expect. And it shouldn't.
>> >>>>> Calling servletRequest.authenticate() sets a 302 response with a
>> >>>>> Location header pointing back to the server. That's it... You
>> >>>>> actually override what authenticate() did by returning a JAX-RS
>> >>>>> response.
>> >>>>> _______________________________________________
>> >>>>> keycloak-user mailing list
>> >>>>> keycloak-user@.jboss
>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>> Thank you for the answer Bill,
>> >>>>
>> >>>> It does redirect me to keycloak login page and then back to my login
>> >>>> page.
>> >>>> The redirect back is managed by keycloak. It redirects back to the
>> >>>> application after login. It may have something wrong when I do the
>> >>>> authenticate(), but it does redirect me to Keycloak login page. If I
>> >>>> knew how everything worked I wouldn't be here asking for help eheh. I
>> >>>> came here to know what I was doing wrong or if it was a keycloak
>> >>>> problem.
>> >>>>
>> >>>> What is the correct way to do it then?
>> >>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
>> >>> this a browser application? If so, I strongly suggest you use our
>> >>> adapter and Keycloak Login pages. Login pages can be stylized however
>> >>> you want. You are not using our adapter as it was intended to be used
>> >>> so we just can't help you. You're on your own.
>> >>>
>> >>> You can do a login without keycloak login pages, but this flow is for
>> >>> REST clients only, not browser applications. Use direct grant [1] to
>> >>> obtain a token. Here's a crude example [2]. Sorry there aren't better
>> >>> docs on this.
>> >>>
>> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
>> >>> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>> >>>
>> >> Is there no possibility of invalidating the token or at least, set its
>> >> expiration to "now" when the user logs out?
>> >> Now, when I logout I get the backchannel logout request from keycloak but
>> >> the token is still valid. I am able to access the secured pages even
>> >> though the session in keycloak has ended.
>> > Are you still doing your *hack* approach?
>> > HttpServletRequest.getSession().invalidate() might work. Like I said
>> > before, if you insist on doing things your own way and in a way that was
>> > not intended for the adapter to work, there's not much we can help you
>> > with.
>> >
>> > Bill
>>
>> Hello Bill,
>>
>> Well, not sure if it is a hack approach. I want to login through REST
>> without having to be redirected to keycloak login page because there is a
>> part where there will be no browser interaction.
>> At the moment, I am logging in with authorization code flow through HTTP
>> GETs and POSTs and scraping the login form to get the code & state. I also
>> send the client_session_state containing the
>> HttpServletRequest.getSession().getId()
>> To logout I am making a POST call to the logout endpoint sending the
>> refresh_token and the client_id and client_secret.
>>
>> Is this the right way to do it?
>> Otherwise how am I supposed to logout without a browser, in a servlet?
>>
>> --
>> View this message in context:
>> http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2075.html
>> Sent from the keycloak-user mailing list archive at Nabble.com.
OK, thank you.
Well stianst, it is a bad hack but I am getting the callback from keycloak
to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
invalidate the token as well? When I tried the browser redirect login it did
log me out of the app and I had to login again in browser to access
secured pages but I still could use the token anyway. The token was not
invalidated.
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2078.html
Sent from the keycloak-user mailing list archive at Nabble.com.
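The two points the thread keeps circling, that a direct-grant logout revokes only the refresh token while a bearer access token stays verifiable until its exp, and that an adapter receiving the backchannel logout has to reject the logged-out session itself, as an added Python sketch that is not Keycloak's code nor anything posted in the thread. It assumes an HS256 key standing in for the realm signing key and a constructed backchannel payload that is just a list of session ids; the real adapter payload and token claims differ.

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the realm signing key (assumption, not Keycloak's).
SIGNING_KEY = b"demo-hmac-key-not-a-real-secret"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(sub, session_id, lifespan_s, now):
    """HS256 JWT carrying exp and the session id; stands in for a bearer access token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"sub": sub, "session_state": session_id,
                              "iat": now, "exp": now + lifespan_s}).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_stateless(token, now):
    """What a resource server can check offline: signature and exp, nothing else."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        return None
    claims = json.loads(unb64url(body))
    return claims if now < claims["exp"] else None

class AuthServer:
    """Stand-in for the IdP side of a direct grant: issues and revokes refresh tokens."""
    def __init__(self, access_lifespan_s):
        self.access_lifespan_s = access_lifespan_s
        self.refresh_tokens = {}  # refresh token -> (sub, session id)
    def direct_grant(self, sub, session_id, now):
        refresh = f"rt-{sub}-{now}"  # opaque handle in this demo
        self.refresh_tokens[refresh] = (sub, session_id)
        return mint_token(sub, session_id, self.access_lifespan_s, now), refresh
    def refresh(self, refresh, now):
        entry = self.refresh_tokens.get(refresh)
        return None if entry is None else mint_token(*entry, self.access_lifespan_s, now)
    def logout(self, refresh):
        self.refresh_tokens.pop(refresh, None)  # only the refresh token is revoked

class ResourceServer:
    """Adapter side: honours backchannel logout by rejecting logged-out sessions."""
    def __init__(self):
        self.logged_out = set()
    def on_backchannel_logout(self, session_ids):
        self.logged_out.update(session_ids)  # constructed payload shape, not the adapter's
    def authorize(self, token, now):
        claims = verify_stateless(token, now)
        return claims is not None and claims["session_state"] not in self.logged_out
```

With a 300 s lifespan the already-issued access token passes the stateless check for the rest of that window after logout, which is why the advice is a short lifespan plus session-aware checks on the adapter side.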