Re: [keycloak-user] Validate User Credentials Without Creating a Session

We have a similar behavior when doing client credentials where sessions are created on every single invocation to the token endpoint. For grant types other than authoriation code, can we review this behavior ? I think I sent an e-mail about this some time ago ... On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda <mposolda(a)redhat.com&gt; wrote: > The easiest is to login through directGrant and then logout session with > the refreshToken. We have an example, which is doing that and shows > logout as well - It's admin-access-app from the preconfigured-demo > examples. > > The place where the credentials are checked is > Pbkdf2PasswordHashProvider. You can try to debug/investigate for seeing > further how to get there and what code calls this. If it's too much > trouble, I suggest to stick with directGrant + logout approach. > > Marek > > On 01/02/18 17:25, Scott Finlay wrote: >> >> Hi Marek, >> >> >> Thanks for the suggestion. Could you maybe point me in the right >> direction there? >> >> I'm having some difficulties finding the actual place where >> credentials are checked >> >> in the Keycloak code and where the session is being created. >> >> >> Additionally I've looked the documentation >> (http://www.keycloak.org/docs/3.1/server_development/topics/ > extensions.html) >> >> but I'm having trouble understanding from that what these pieces >> described are actually for, >> where the entry point is, and how I can connect it to the actual >> Keycloak storage. I also don't >> really know how to actually integrate the endpoint into Keycloak once >> I have one built >> >> Regards, >> Scott >> >> >> ------------------------------------------------------------------------ >> *From:* Marek Posolda <mposolda(a)redhat.com&gt; >> *Sent:* Wednesday, January 24, 2018 1:59:05 PM >> *To:* Scott Finlay; keycloak-user(a)lists.jboss.org >> *Subject:* Re: [keycloak-user] Validate User Credentials Without >> Creating a Session >> Hi Scott, >> >> it's not available OOTB, but you can add your own REST endpoint to >> verify username/password. Or alternatively you can just do directGrant >> login (OAuth2 Resource Owner Password Credentials Grant) and then logout >> session. >> >> Marek >> >> On 23/01/18 09:49, Scott Finlay wrote: >>> Hi, >>> >>> >>> We're currently using Keycloak 2.5.5.Final, and in this version it's >> not possible >>> >>> to validate a user's credentials (username / password combination) >> without >>> >>> actually logging the user in which results in a session (and our >> sessions are long- >>> >>> lived). Is there any new functionality introduced in the later >> versions of Keycloak >>> >>> to validate the credentials without actually logging the user in? >>> >>> >>> Our use-case is that we have very long-lived tokens, but we want to >> require the >>> >>> user to re-enter his/her password in order to perform some certain >> sensitive tasks >>> >>> such as changing the password or username. >>> >>> >>> If such functionality is not available, would it be possible to add >> this? >>> >>> >>> Regards, >>> >>> Scott >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user