With your flows, I just don't see how you can use Keycloak's SSO
features. You have to be able to redirect the browser to the Keycloak
Server, otherwise the SSO cookie can't be checked to see if the user is
already logged in. You can't do social login without redirects either.
On 7/25/2014 9:08 AM, Rodrigo Sasaki wrote:
Actually, the main problem is one of the flows where the password
request appears in a popup, there's no redirect at all, and one of the
things that were agreed upon when decided to change the authentication
provider, was that nothing would be altered in the user experience.
So I really have to try and make keycloak "fit in" in these particular
scenarios, they are not used as much as the ones where we'll use the
keycloak login page with our own style, but I do have to make them work.
When you say I could use direct grant to get a token, would that count
as the same as an user logging in? It's not really clear to me right now
On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com
<mailto:stian@redhat.com>> wrote:
Yes, but I'm wondering why the following won't work:
1. Ask for users email (in your app, not KC)
2. Once you get to the flow where a user has to login:
a) If user doesn't exist in KC (you can use admin endpoints to
check this) redirect to registration page on KC with email already
entered
b) If user does exist in KC redirect to login page again with
email already entered
3. Redirect back to app
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>>
> To: "Stian Thorgersen" <stian(a)redhat.com
<mailto:stian@redhat.com>>, "Rodrigo Sasaki"
<rodrigopsasaki(a)gmail.com <mailto:rodrigopsasaki@gmail.com>>
> Cc: keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> Sent: Friday, 25 July, 2014 1:48:45 PM
> Subject: Re: [keycloak-user] Authenticate user without using
login page
>
> It is because their first login screen is just something asking
for an
> email. If the email doesn't exist as a user, they want a redirect to
> the register page.
>
> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > Yes, you can use the direct grant to retrieve a token.
> >
> > I'd like to know why redirecting to the login form, when styled
to match
> > your website, and using login_hint to pre-fill username/email
doesn't
> > work. Maybe there's something we can do so that you can still
use the
> > "proper" flow?
> >
> > ----- Original Message -----
> >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com
<mailto:rodrigopsasaki@gmail.com>>
> >> To: "Stian Thorgersen" <stian(a)redhat.com
<mailto:stian@redhat.com>>
> >> Cc: "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>>, keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >> Sent: Thursday, 24 July, 2014 6:13:17 PM
> >> Subject: Re: [keycloak-user] Authenticate user without using
login page
> >>
> >> Sorry to keep insisting on this, but since it's being a huge
showstopper
> >> so
> >> far, I just have to ask.
> >>
> >> If I don't mind trading off SSO and all the other benefits
that the
> >> Keycloak login page provides me, would there be a way for me
to do what I
> >> want?
> >>
> >>
> >> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen
<stian(a)redhat.com <mailto:stian@redhat.com>>
> >> wrote:
> >>
> >>> We could add support for login_hint query param so you can
have the
> >>> username/email field on the login form pre-filled for the
user, so once a
> >>> user has to authenticate you redirect to login on KC and all
they would
> >>> have to do is enter their password.
> >>>
> >>> If you bypass the login forms you'd loose SSO, multi-factor
support,
> >>> required actions, recover password, etc, etc, etc..
> >>>
> >>> As Bill mentioned we provide very flexible login forms that
can be
> >>> templated using either just css or even FreeMarker templates
if you need
> >>> a
> >>> lot of customization, so you should be able to make the login
form
> >>> integrate well with your website.
> >>>
> >>> ----- Original Message -----
> >>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com
<mailto:rodrigopsasaki@gmail.com>>
> >>>> To: "Bill Burke" <bburke(a)redhat.com
<mailto:bburke@redhat.com>>
> >>>> Cc: keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> >>>> Subject: Re: [keycloak-user] Authenticate user without using
login page
> >>>>
> >>>> You think there could be a way to do this within keycloak
itself?
> >>>>
> >>>>
> >>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <
> >>> rodrigopsasaki(a)gmail.com <mailto:rodrigopsasaki@gmail.com>
>
> >>>> wrote:
> >>>>
> >>>>
> >>>>
> >>>> I'll give you an example:
> >>>>
> >>>> We have a situation in our website where we only ask for the
user's
> >>> e-mail,
> >>>> and he can go on with the flow.
> >>>>
> >>>> On a determined step of the flow, if we identify that this
is an e-mail
> >>> that
> >>>> we already have in our user database, we ask him for his
password,
> >>>> authenticate him, and let him go on, if this e-mail is new,
we redirect
> >>> him
> >>>> to a page where he can register himself, and after that
continue on.
> >>>>
> >>>> On this specific case and others, we wouldn't like to
have
to redirect
> >>> him to
> >>>> keycloak, because that would interrupt the flow that we
designed.
> >>>>
> >>>>
> >>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <
bburke(a)redhat.com <mailto:bburke@redhat.com> > wrote:
> >>>>
> >>>>
> >>>>
http://docs.jboss.org/ keycloak/docs/1.0-beta-3/
> >>>> userguide/html/direct-access- grants.html
> >>>>
> >>>> If you have to do it this way, please let us know why. Maybe
we can
> >>> solve the
> >>>> issue within keycloak itself.
> >>>>
> >>>>
> >>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> >>>>
> >>>>
> >>>>
> >>>> Just for the sake of conversation, if I did want to handle
my own login
> >>>> page, would there be a way for me to do it?
> >>>>
> >>>>
> >>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
> >>>> < rodrigopsasaki(a)gmail.com
<mailto:rodrigopsasaki@gmail.com>
<mailto: rodrigopsasaki@gmail. com >> wrote:
> >>>>
> >>>> I don't want to miss out on all of that, which is why
we're
mostly
> >>>> migrating everything to use keycloak that way.
> >>>>
> >>>> It's just that we have cases that are so specific, that
it
would be
> >>>> better to authenticate the user in a different manner,
create the
> >>>> user session and everything, without redirecting.
> >>>>
> >>>> I'll have a look at that code. Thanks!
> >>>>
> >>>>
> >>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <
bburke(a)redhat.com <mailto:bburke@redhat.com>
> >>>> <mailto: bburke(a)redhat.com <mailto:bburke@redhat.com>
>> wrote:
> >>>>
> >>>> If you want to handle your own login pages, IMO, you are
missing
> >>>> out on
> >>>> a lot of Keycloak features. Specifically:
> >>>>
> >>>> * SSO
> >>>> * forgot password
> >>>> * admin forced credential reset/setup
> >>>>
> >>>>
> >>>> Login pages can be styled however you like to look like your
> >>>> application.
> >>>>
> >>>> There is a REST api for obtaining an access token. Here is an
> >>>> example:
> >>>>
> >>>>
https://github.com/keycloak/ keycloak/blob/master/examples/
> >>>> demo-template/admin-access- app/src/main/java/org/
> >>>> keycloak/example/AdminClient. java
> >>>>
> >>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> >>>>> Is there a way to authenticate the user without having to
> >>>> input username
> >>>>> and password on the login page?
> >>>>>
> >>>>> For example:
> >>>>>
> >>>>> Say there's a situation in my application where I
request the
> >>>> user for
> >>>>> his username and password, and I wouldn't like to
redirect
> >>>> that to the
> >>>>> keycloak login page to authenticate him, would there be a
way
> >>>> for me to
> >>>>> do that?
> >>>>>
> >>>>> --
> >>>>> Rodrigo Sasaki
> >>>>>
> >>>>>
> >>>>> ______________________________ _________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >>>> <mailto: keycloak-user@lists.
jboss.org
<
http://jboss.org> >
> >>>>
> >>>>>
https://lists.jboss.org/ mailman/listinfo/keycloak-user
> >>>>>
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>>
http://bill.burkecentral.com
> >>>> ______________________________ _________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org> <mailto: keycloak-user@lists.
jboss.org <
http://jboss.org> >
> >>>>
> >>>>
https://lists.jboss.org/ mailman/listinfo/keycloak-user
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Rodrigo Sasaki
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Rodrigo Sasaki
> >>>>
> >>>> --
> >>>> Bill Burke
> >>>> JBoss, a division of Red Hat
> >>>>
http://bill.burkecentral.com
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Rodrigo Sasaki
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Rodrigo Sasaki
> >>>>
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
> >>>>
https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
> >>
> >>
> >> --
> >> Rodrigo Sasaki
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
>
--
Rodrigo Sasaki