It all worked great with the iframe, if I style it properly and use that
login_hint it should be perfect.
Now how should I go about developing/using this login_hint? Are there any
tips on this, or is it something that you plan on including yourselves?
On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
wrote:
Just one more thing that wasn't completely clear to me.
If I add a login page on an iframe, the user will be logged normally? Or
would I have to get a token and keep managing it?
On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
> That idea actually sounds amazing, I didn't look into keycloak.js yet,
> but I'll see if I can get it working before I think about styling.
>
> Thank you very much!
>
>
> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian(a)redhat.com>
> wrote:
>
>> I think we could quite easily add support for embedding the login page
>> to keycloak.js. Rough idea:
>>
>> 1. Set an option on keycloak.js to use embedded login form. Would also
>> require setting an id for a div where the form should be embedded.
>> 2. When clicking on login instead of redirecting it would render an
>> iframe element inside the configured div with the src of the iframe being
>> the login page on Keycloak
>> 3. The redirect-uri would be a special url on Keycloak that renders a
>> similar page to the iframe session page that allows posting a message back
>> to keycloak.js containing the code
>> 4. Now keycloak.js can swap the code as usual
>>
>> One thing is that we'd probably need an additional styling of the login
>> form, as you would want the login page to display differently when embedded
>> compared to when you redirect to it.
>>
>> ----- Original Message -----
>> > From: "Stian Thorgersen" <stian(a)redhat.com>
>> > To: "Bill Burke" <bburke(a)redhat.com>
>> > Cc: keycloak-user(a)lists.jboss.org
>> > Sent: Friday, 25 July, 2014 2:30:44 PM
>> > Subject: Re: [keycloak-user] Authenticate user without using login page
>> >
>> > The cookies should be set fine, as the iframe would contain the login page
>> > directly from Keycloak.
>> >
>> > It would redirect to a special page on the app that after extracting the code
>> > would close the popup.
>> >
>> > ----- Original Message -----
>> > > From: "Bill Burke" <bburke(a)redhat.com>
>> > > To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>> > > Cc: keycloak-user(a)lists.jboss.org
>> > > Sent: Friday, 25 July, 2014 2:23:14 PM
>> > > Subject: Re: [keycloak-user] Authenticate user without using login page
>> > >
>> > > not sure this will work with SSO. I'm not sure CORS requests can deal
>> > > with cookies.
>> > >
>> > > On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
>> > > > What about using an iframe in the popup to include the login form from
>> > > > Keycloak?
>> > > >
>> > > > You can send a HTTP POST to /auth-server/<realm>/tokens/grants/access with
>> > > > client id/secret and username/password and get a token back. With
>> > > > keycloak.js you can give it this token, not sure how/if this flow works
>> > > > with the server-side (Undertow) adapter.
>> > > >
>> > > > ----- Original Message -----
>> > > >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>> > > >> To: "Stian Thorgersen" <stian(a)redhat.com>
>> > > >> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>> > > >> Sent: Friday, 25 July, 2014 2:08:43 PM
>> > > >> Subject: Re: [keycloak-user] Authenticate user without using login page
>> > > >>
>> > > >> Actually, the main problem is one of the flows where the password request
>> > > >> appears in a popup, there's no redirect at all, and one of the things that
>> > > >> were agreed upon when decided to change the authentication provider, was
>> > > >> that nothing would be altered in the user experience.
>> > > >>
>> > > >> So I really have to try and make keycloak "fit in" in these particular
>> > > >> scenarios, they are not used as much as the ones where we'll use the
>> > > >> keycloak login page with our own style, but I do have to make them work.
>> > > >>
>> > > >> When you say I could use direct grant to get a token, would that count as
>> > > >> the same as a user logging in? It's not really clear to me right now
>> > > >>
>> > > >>
>> > > >> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com>
>> > > >> wrote:
>> > > >>
>> > > >>> Yes, but I'm wondering why the following won't work:
>> > > >>>
>> > > >>> 1. Ask for users email (in your app, not KC)
>> > > >>> 2. Once you get to the flow where a user has to login:
>> > > >>>   a) If user doesn't exist in KC (you can use admin endpoints to check
>> > > >>>      this) redirect to registration page on KC with email already entered
>> > > >>>   b) If user does exist in KC redirect to login page again with email
>> > > >>>      already entered
>> > > >>> 3. Redirect back to app
>> > > >>>
>> > > >>> ----- Original Message -----
>> > > >>>> From: "Bill Burke" <bburke(a)redhat.com>
>> > > >>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>> > > >>>> Cc: keycloak-user(a)lists.jboss.org
>> > > >>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>> > > >>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>> > > >>>>
>> > > >>>> It is because their first login screen is just something asking for an
>> > > >>>> email. If the email doesn't exist as a user, they want a redirect to
>> > > >>>> the register page.
>> > > >>>>
>> > > >>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>> > > >>>>> Yes, you can use the direct grant to retrieve a token.
>> > > >>>>>
>> > > >>>>> I'd like to know why redirecting to the login form, when styled to match
>> > > >>>>> your website, and using login_hint to pre-fill username/email doesn't
>> > > >>>>> work. Maybe there's something we can do so that you can still use the
>> > > >>>>> "proper" flow?
>> > > >>>>>
>> > > >>>>> ----- Original Message -----
>> > > >>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>> > > >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> > > >>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>> > > >>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>> > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>> > > >>>>>>
>> > > >>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
>> > > >>>>>> so far, I just have to ask.
>> > > >>>>>>
>> > > >>>>>> If I don't mind trading off SSO and all the other benefits that the
>> > > >>>>>> Keycloak login page provides me, would there be a way for me to do what I
>> > > >>>>>> want?
>> > > >>>>>>
>> > > >>>>>>
>> > > >>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com>
>> > > >>>>>> wrote:
>> > > >>>>>>
>> > > >>>>>>> We could add support for login_hint query param so you can have the
>> > > >>>>>>> username/email field on the login form pre-filled for the user, so once a
>> > > >>>>>>> user has to authenticate you redirect to login on KC and all they would
>> > > >>>>>>> have to do is enter their password.
>> > > >>>>>>>
>> > > >>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>> > > >>>>>>> required actions, recover password, etc, etc, etc..
>> > > >>>>>>>
>> > > >>>>>>> As Bill mentioned we provide very flexible login forms that can be
>> > > >>>>>>> templated using either just css or even FreeMarker templates if you need a
>> > > >>>>>>> lot of customization, so you should be able to make the login form
>> > > >>>>>>> integrate well with your website.
>> > > >>>>>>>
>> > > >>>>>>> ----- Original Message -----
>> > > >>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>> > > >>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>> > > >>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>> > > >>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>> > > >>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>> > > >>>>>>>>
>> > > >>>>>>>> You think there could be a way to do this within keycloak itself?
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
>> > > >>>>>>>> wrote:
>> > > >>>>>>>>
>> > > >>>>>>>> I'll give you an example:
>> > > >>>>>>>>
>> > > >>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
>> > > >>>>>>>> and he can go on with the flow.
>> > > >>>>>>>>
>> > > >>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
>> > > >>>>>>>> we already have in our user database, we ask him for his password,
>> > > >>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
>> > > >>>>>>>> to a page where he can register himself, and after that continue on.
>> > > >>>>>>>>
>> > > >>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
>> > > >>>>>>>> keycloak, because that would interrupt the flow that we designed.
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke(a)redhat.com> wrote:
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>> > > >>>>>>>>
>> > > >>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
>> > > >>>>>>>> issue within keycloak itself.
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>> > > >>>>>>>> page, would there be a way for me to do it?
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
>> > > >>>>>>>> <rodrigopsasaki(a)gmail.com> wrote:
>> > > >>>>>>>>
>> > > >>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>> > > >>>>>>>> migrating everything to use keycloak that way.
>> > > >>>>>>>>
>> > > >>>>>>>> It's just that we have cases that are so specific, that it would be
>> > > >>>>>>>> better to authenticate the user in a different manner, create the
>> > > >>>>>>>> user session and everything, without redirecting.
>> > > >>>>>>>>
>> > > >>>>>>>> I'll have a look at that code. Thanks!
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
>> > > >>>>>>>>
>> > > >>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>> > > >>>>>>>> a lot of Keycloak features. Specifically:
>> > > >>>>>>>>
>> > > >>>>>>>> * SSO
>> > > >>>>>>>> * forgot password
>> > > >>>>>>>> * admin forced credential reset/setup
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> Login pages can be styled however you like to look like your
>> > > >>>>>>>> application.
>> > > >>>>>>>>
>> > > >>>>>>>> There is a REST api for obtaining an access token. Here is an
>> > > >>>>>>>> example:
>> > > >>>>>>>>
>> > > >>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>> > > >>>>>>>>
>> > > >>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>> > > >>>>>>>>> Is there a way to authenticate the user without having to input username
>> > > >>>>>>>>> and password on the login page?
>> > > >>>>>>>>>
>> > > >>>>>>>>> For example:
>> > > >>>>>>>>>
>> > > >>>>>>>>> Say there's a situation in my application where I request the user for
>> > > >>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>> > > >>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>> > > >>>>>>>>> do that?
>> > > >>>>>>>>>
>> > > >>>>>>>>> --
>> > > >>>>>>>>> Rodrigo Sasaki
>> > > >>>>>>>>>
>> > > >>>>>>>>>
>> > > >>>>>>>>> _______________________________________________
>> > > >>>>>>>>> keycloak-user mailing list
>> > > >>>>>>>>> keycloak-user(a)lists.jboss.org
>> > > >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > > >>>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> --
>> > > >>>>>>>> Bill Burke
>> > > >>>>>>>> JBoss, a division of Red Hat
>> > > >>>>>>>> http://bill.burkecentral.com
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> --
>> > > >>>>>>>> Rodrigo Sasaki
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> --
>> > > >>>>>>>> Rodrigo Sasaki
>> > > >>>>>>>>
>> > > >>>>>>>> --
>> > > >>>>>>>> Bill Burke
>> > > >>>>>>>> JBoss, a division of Red Hat
>> > > >>>>>>>> http://bill.burkecentral.com
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> --
>> > > >>>>>>>> Rodrigo Sasaki
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>> --
>> > > >>>>>>>> Rodrigo Sasaki
>> > > >>>>>>>>
>> > > >>>>>>>>
>> > > >>>>>>>
>> > > >>>>>>
>> > > >>>>>>
>> > > >>>>>>
>> > > >>>>>> --
>> > > >>>>>> Rodrigo Sasaki
>> > > >>>>>>
>> > > >>>>
>> > > >>>> --
>> > > >>>> Bill Burke
>> > > >>>> JBoss, a division of Red Hat
>> > > >>>> http://bill.burkecentral.com
>> > > >>>>
>> > > >>>
>> > > >>
>> > > >>
>> > > >>
>> > > >> --
>> > > >> Rodrigo Sasaki
>> > > >>
>> > >
>> > > --
>> > > Bill Burke
>> > > JBoss, a division of Red Hat
>> > > http://bill.burkecentral.com
>> > >
>> >
>>
>
>
>
> --
> Rodrigo Sasaki
>
--
Rodrigo Sasaki
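
An added sketch of the parent-page side of the embedded-login idea from Stian's quoted message (steps 2 to 4); it is not part of the original thread and not keycloak.js code. It builds the iframe URL with an encoded login_hint and checks origin, source window and state before accepting the code. The origin, login path and the `{code, state}` message shape are assumptions.

```javascript
// Added example. Hypothetical values: the thread gives no concrete URL or
// message format for the embedded flow, so these are assumptions.
const KEYCLOAK_ORIGIN = 'https://sso.example.test';
const LOGIN_PATH = '/auth/embedded-login'; // placeholder, not a real Keycloak path

// Step 2: build the iframe src. login_hint comes from user input, so it is set
// through URLSearchParams, which percent-encodes it and prevents it from
// smuggling extra query parameters into the login request.
function buildLoginUrl({ clientId, redirectUri, state, loginHint }) {
  const url = new URL(LOGIN_PATH, KEYCLOAK_ORIGIN);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state); // random value, new for each login attempt
  if (loginHint) url.searchParams.set('login_hint', loginHint);
  return url.toString();
}

// Steps 3-4: decide whether a "message" event really is the login result.
// Returns the authorization code, or null when the message must be ignored.
function acceptLoginMessage(event, { iframeWindow, expectedState }) {
  if (event.origin !== KEYCLOAK_ORIGIN) return null; // sent by another origin
  if (event.source !== iframeWindow) return null;    // not the login iframe
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.code !== 'string' || data.code === '') return null;
  if (data.state !== expectedState) return null;     // not this login attempt
  return data.code;
}

// Browser wiring (kept as a comment so the block also runs under Node):
//   window.addEventListener('message', (e) => {
//     const code = acceptLoginMessage(e, {
//       iframeWindow: frame.contentWindow, expectedState });
//     if (code) { /* swap the code for tokens as usual */ }
//   });
```

Without the origin and source checks, any other window able to post to the page could hand it a code of its choosing; the state check ties the code to the login attempt the page itself started.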