Added login_hint query param. It can be used with keycloak.js with either:
keycloak.login({ loginHint: 'username' })
or
keycloak.createLoginUrl({ loginHint: 'username' })
----- Original Message -----
From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Friday, 25 July, 2014 6:11:47 PM
Subject: Re: [keycloak-user] Authenticate user without using login page
It all worked great with the iframe, if I style it properly and use that
login_hint it should be perfect.
Now how should I go about developing/using this login_hint? Are there any
tips on this, or is it something that you plan on including yourselves?
On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
wrote:
> Just one more thing that wasn't completely clear to me.
>
> if I add a login page on an iframe, the user will be logged normally? Or
> would I have to get a token and keep managing it?
>
>
> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
> wrote:
>
>> That idea actually sounds amazing, I didn't look into keycloak.js yet,
>> but I'll see if I can get it working before I think about styling.
>>
>> Thank you very much!
>>
>>
>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian(a)redhat.com>
>> wrote:
>>
>>> I think we could quite easily add support for embedding the login page
>>> to keycloak.js. Rough idea:
>>>
>>> 1. Set an option on keycloak.js to use embedded login form. Would also
>>> require setting an id for a div where the form should be embedded.
>>> 2. When clicking on login instead of redirecting it would render an
>>> iframe element inside the configured div with the src of the iframe being
>>> the login page on Keycloak
>>> 3. The redirect-uri would be a special url on Keycloak that renders a
>>> similar page to the iframe session page that allows posting a message
>>> back to keycloak.js containing the code
>>> 4. Now keycloak.js can swap the code as usual
>>>
>>> One thing is that we'd probably need an additional styling of the login
>>> form, as you would want the login page to display differently when
>>> embedded compared to when you redirect to it.
>>>
>>> ----- Original Message -----
>>> > From: "Stian Thorgersen" <stian(a)redhat.com>
>>> > To: "Bill Burke" <bburke(a)redhat.com>
>>> > Cc: keycloak-user(a)lists.jboss.org
>>> > Sent: Friday, 25 July, 2014 2:30:44 PM
>>> > Subject: Re: [keycloak-user] Authenticate user without using login page
>>> >
>>> > The cookies should be set fine, as the iframe would contain the login page
>>> > directly from Keycloak.
>>> >
>>> > It would redirect to a special page on the app that after extracting the code
>>> > would close the popup.
>>> >
>>> > ----- Original Message -----
>>> > > From: "Bill Burke" <bburke(a)redhat.com>
>>> > > To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
>>> > > <rodrigopsasaki(a)gmail.com>
>>> > > Cc: keycloak-user(a)lists.jboss.org
>>> > > Sent: Friday, 25 July, 2014 2:23:14 PM
>>> > > Subject: Re: [keycloak-user] Authenticate user without using login page
>>> > >
>>> > > not sure this will work with SSO. I'm not sure CORS requests can deal
>>> > > with cookies.
>>> > >
>>> > > On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
>>> > > > What about using an iframe in the popup to include the login form from
>>> > > > Keycloak?
>>> > > >
>>> > > > You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access
>>> > > > with client id/secret and username/password and get a token back. With
>>> > > > keycloak.js you can give it this token, not sure how/if this flow works
>>> > > > with the server-side (Undertow) adapter.
>>> > > >
>>> > > > ----- Original Message -----
>>> > > >> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>> > > >> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> > > >> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>> > > >> Sent: Friday, 25 July, 2014 2:08:43 PM
>>> > > >> Subject: Re: [keycloak-user] Authenticate user without using login page
>>> > > >>
>>> > > >> Actually, the main problem is one of the flows where the password request
>>> > > >> appears in a popup, there's no redirect at all, and one of the things that
>>> > > >> were agreed upon when decided to change the authentication provider, was
>>> > > >> that nothing would be altered in the user experience.
>>> > > >>
>>> > > >> So I really have to try and make keycloak "fit in" in these particular
>>> > > >> scenarios, they are not used as much as the ones where we'll use the
>>> > > >> keycloak login page with our own style, but I do have to make them work.
>>> > > >>
>>> > > >> When you say I could use direct grant to get a token, would that count as
>>> > > >> the same as a user logging in? It's not really clear to me right now
>>> > > >>
>>> > > >>
>>> > > >> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com>
>>> > > >> wrote:
>>> > > >>
>>> > > >>> Yes, but I'm wondering why the following won't work:
>>> > > >>>
>>> > > >>> 1. Ask for user's email (in your app, not KC)
>>> > > >>> 2. Once you get to the flow where a user has to login:
>>> > > >>>    a) If user doesn't exist in KC (you can use admin endpoints to check
>>> > > >>>       this) redirect to registration page on KC with email already entered
>>> > > >>>    b) If user does exist in KC redirect to login page again with email
>>> > > >>>       already entered
>>> > > >>> 3. Redirect back to app
>>> > > >>>
>>> > > >>> ----- Original Message -----
>>> > > >>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> > > >>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
>>> > > >>>> <rodrigopsasaki(a)gmail.com>
>>> > > >>>> Cc: keycloak-user(a)lists.jboss.org
>>> > > >>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>>> > > >>>> Subject: Re: [keycloak-user] Authenticate user without using login
>>> > > >>>> page
>>> > > >>>>
>>> > > >>>> It is because their first login screen is just something asking for an
>>> > > >>>> email. If the email doesn't exist as a user, they want a redirect to
>>> > > >>>> the register page.
>>> > > >>>>
>>> > > >>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>> > > >>>>> Yes, you can use the direct grant to retrieve a token.
>>> > > >>>>>
>>> > > >>>>> I'd like to know why redirecting to the login form, when styled to match
>>> > > >>>>> your website, and using login_hint to pre-fill username/email doesn't
>>> > > >>>>> work. Maybe there's something we can do so that you can still use the
>>> > > >>>>> "proper" flow?
>>> > > >>>>>
>>> > > >>>>> ----- Original Message -----
>>> > > >>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>> > > >>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> > > >>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>> > > >>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>> > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>> > > >>>>>>
>>> > > >>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
>>> > > >>>>>> so far, I just have to ask.
>>> > > >>>>>>
>>> > > >>>>>> If I don't mind trading off SSO and all the other benefits that the
>>> > > >>>>>> Keycloak login page provides me, would there be a way for me to do what I
>>> > > >>>>>> want?
>>> > > >>>>>>
>>> > > >>>>>>
>>> > > >>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com>
>>> > > >>>>>> wrote:
>>> > > >>>>>>
>>> > > >>>>>>> We could add support for login_hint query param so you can have the
>>> > > >>>>>>> username/email field on the login form pre-filled for the user, so once a
>>> > > >>>>>>> user has to authenticate you redirect to login on KC and all they would
>>> > > >>>>>>> have to do is enter their password.
>>> > > >>>>>>>
>>> > > >>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>> > > >>>>>>> required actions, recover password, etc, etc, etc..
>>> > > >>>>>>>
>>> > > >>>>>>> As Bill mentioned we provide very flexible login forms that can be
>>> > > >>>>>>> templated using either just css or even FreeMarker templates if you need a
>>> > > >>>>>>> lot of customization, so you should be able to make the login form
>>> > > >>>>>>> integrate well with your website.
>>> > > >>>>>>>
>>> > > >>>>>>> ----- Original Message -----
>>> > > >>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>> > > >>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>> > > >>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>> > > >>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>> > > >>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>> > > >>>>>>>>
>>> > > >>>>>>>> You think there could be a way to do this within keycloak itself?
>>> > > >>>>>>>>
>>> > > >>>>>>>>
>>> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
>>> > > >>>>>>>> wrote:
>>> > > >>>>>>>>
>>> > > >>>>>>>> I'll give you an example:
>>> > > >>>>>>>>
>>> > > >>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
>>> > > >>>>>>>> and he can go on with the flow.
>>> > > >>>>>>>>
>>> > > >>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
>>> > > >>>>>>>> we already have in our user database, we ask him for his password,
>>> > > >>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
>>> > > >>>>>>>> to a page where he can register himself, and after that continue on.
>>> > > >>>>>>>>
>>> > > >>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
>>> > > >>>>>>>> keycloak, because that would interrupt the flow that we designed.
>>> > > >>>>>>>>
>>> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke(a)redhat.com> wrote:
>>> > > >>>>>>>>
>>> > > >>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>> > > >>>>>>>>
>>> > > >>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
>>> > > >>>>>>>> issue within keycloak itself.
>>> > > >>>>>>>>
>>> > > >>>>>>>>
>>> > > >>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>> > > >>>>>>>>
>>> > > >>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>> > > >>>>>>>> page, would there be a way for me to do it?
>>> > > >>>>>>>>
>>> > > >>>>>>>>
>>> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
>>> > > >>>>>>>> <rodrigopsasaki(a)gmail.com> wrote:
>>> > > >>>>>>>>
>>> > > >>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>> > > >>>>>>>> migrating everything to use keycloak that way.
>>> > > >>>>>>>>
>>> > > >>>>>>>> It's just that we have cases that are so specific, that it would be
>>> > > >>>>>>>> better to authenticate the user in a different manner, create the
>>> > > >>>>>>>> user session and everything, without redirecting.
>>> > > >>>>>>>>
>>> > > >>>>>>>> I'll have a look at that code. Thanks!
>>> > > >>>>>>>>
>>> > > >>>>>>>>
>>> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
>>> > > >>>>>>>>
>>> > > >>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>>> > > >>>>>>>> a lot of Keycloak features. Specifically:
>>> > > >>>>>>>>
>>> > > >>>>>>>> * SSO
>>> > > >>>>>>>> * forgot password
>>> > > >>>>>>>> * admin forced credential reset/setup
>>> > > >>>>>>>>
>>> > > >>>>>>>>
>>> > > >>>>>>>> Login pages can be styled however you like to look like your
>>> > > >>>>>>>> application.
>>> > > >>>>>>>>
>>> > > >>>>>>>> There is a REST api for obtaining an access token. Here is an
>>> > > >>>>>>>> example:
>>> > > >>>>>>>>
>>> > > >>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>> > > >>>>>>>>
>>> > > >>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>>> > > >>>>>>>>> Is there a way to authenticate the user without having to input username
>>> > > >>>>>>>>> and password on the login page?
>>> > > >>>>>>>>>
>>> > > >>>>>>>>> For example:
>>> > > >>>>>>>>>
>>> > > >>>>>>>>> Say there's a situation in my application where I request the user for
>>> > > >>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>> > > >>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>> > > >>>>>>>>> do that?
>>> > > >>>>>>>>>
>>> > > >>>>>>>>> --
>>> > > >>>>>>>>> Rodrigo Sasaki
>>> > > >>>>>>>>>
>>> > > >>>>>>>>> _______________________________________________
>>> > > >>>>>>>>> keycloak-user mailing list
>>> > > >>>>>>>>> keycloak-user(a)lists.jboss.org
>>> > > >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> > > >>>>>>>>
>>> > > >>>>>>>> --
>>> > > >>>>>>>> Bill Burke
>>> > > >>>>>>>> JBoss, a division of Red Hat
>>> > > >>>>>>>> http://bill.burkecentral.com
--
Rodrigo Sasaki
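
An added example, not part of the original thread and not keycloak.js code: one way the page hosting the embedded login iframe from the rough idea above could build the iframe URL with login_hint and accept the posted-back code only from the Keycloak origin. The function names, the { code, state } message shape, and the query parameters other than login_hint are assumptions made for illustration.

```javascript
// Added example, not keycloak.js code. The { code, state } message shape and
// every function name here are assumptions made for illustration.
const webCrypto = globalThis.crypto || require('crypto').webcrypto; // Node fallback

// Build the iframe src: the caller-supplied Keycloak login page URL plus
// login_hint (pre-fills the username field) and a one-time state value.
function buildEmbeddedLoginUrl(loginPageUrl, { clientId, redirectUri, loginHint }) {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  const url = new URL(loginPageUrl);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  if (loginHint) url.searchParams.set('login_hint', loginHint); // encoded by searchParams
  return { url: url.toString(), state };
}

// Returns a 'message' event handler that hands back the code only when the
// message comes from the Keycloak origin, from the iframe this page created,
// and carries the state issued above. Everything else yields null.
function makeCodeReceiver({ keycloakOrigin, iframeWindow, expectedState }) {
  let consumed = false; // a code is accepted once per login attempt
  return function onMessage(event) {
    if (consumed) return null;
    if (event.origin !== keycloakOrigin) return null; // exact match, no prefix tests
    if (event.source !== iframeWindow) return null;   // must be the frame we embedded
    const data = event.data;
    if (!data || typeof data !== 'object') return null;
    if (typeof data.code !== 'string' || data.code === '') return null;
    if (data.state !== expectedState) return null;    // ties the code to this attempt
    consumed = true;
    return data.code;
  };
}
```

In a browser the handler would be registered with window.addEventListener('message', ...) and the returned code swapped for a token as in step 4 of the rough idea.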