Not sure this will work with SSO. I'm not sure CORS requests can deal
with cookies.
On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
What about using an iframe in the popup to include the login form
from Keycloak?
You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access with client
id/secret and username/password and get a token back. With keycloak.js you can give it
this token, not sure how/if this flow works with the server-side (Undertow) adapter.
----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Sent: Friday, 25 July, 2014 2:08:43 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> Actually, the main problem is one of the flows where the password request
> appears in a popup, there's no redirect at all, and one of the things that
> were agreed upon when decided to change the authentication provider, was
> that nothing would be altered in the user experience.
>
> So I really have to try and make keycloak "fit in" in these particular
> scenarios, they are not used as much as the ones where we'll use the
> keycloak login page with our own style, but I do have to make them work.
>
> When you say I could use direct grant to get a token, would that count as
> the same as a user logging in? It's not really clear to me right now.
>
>
> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>> Yes, but I'm wondering why the following won't work:
>>
>> 1. Ask for users email (in your app, not KC)
>> 2. Once you get to the flow where a user has to login:
>> a) If user doesn't exist in KC (you can use admin endpoints to check
>> this) redirect to registration page on KC with email already entered
>> b) If user does exist in KC redirect to login page again with email
>> already entered
>> 3. Redirect back to app
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>
>>> It is because their first login screen is just something asking for an
>>> email. If the email doesn't exist as a user, they want a redirect to
>>> the register page.
>>>
>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>>> Yes, you can use the direct grant to retrieve a token.
>>>>
>>>> I'd like to know why redirecting to the login form, when styled to match
>>>> your website, and using login_hint to pre-fill username/email doesn't
>>>> work. Maybe there's something we can do so that you can still use the
>>>> "proper" flow?
>>>>
>>>> ----- Original Message -----
>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>
>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
>>>>> so far, I just have to ask.
>>>>>
>>>>> If I don't mind trading off SSO and all the other benefits that the
>>>>> Keycloak login page provides me, would there be a way for me to do what I
>>>>> want?
>>>>>
>>>>>
>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> We could add support for login_hint query param so you can have the
>>>>>> username/email field on the login form pre-filled for the user, so once a
>>>>>> user has to authenticate you redirect to login on KC and all they would
>>>>>> have to do is enter their password.
>>>>>>
>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>>>>> required actions, recover password, etc, etc, etc..
>>>>>>
>>>>>> As Bill mentioned we provide very flexible login forms that can be
>>>>>> templated using either just css or even FreeMarker templates if you need
>>>>>> a lot of customization, so you should be able to make the login form
>>>>>> integrate well with your website.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>
>>>>>>> You think there could be a way to do this within keycloak itself?
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I'll give you an example:
>>>>>>>
>>>>>>> We have a situation in our website where we only ask for the user's
>>>>>>> e-mail, and he can go on with the flow.
>>>>>>>
>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
>>>>>>> we already have in our user database, we ask him for his password,
>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
>>>>>>> to a page where he can register himself, and after that continue on.
>>>>>>>
>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
>>>>>>> keycloak, because that would interrupt the flow that we designed.
>>>>>>>
>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke(a)redhat.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>>>>>>
>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
>>>>>>> issue within keycloak itself.
>>>>>>>
>>>>>>>
>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>>>>>> page, would there be a way for me to do it?
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
>>>>>>> <rodrigopsasaki(a)gmail.com> wrote:
>>>>>>>
>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>>>>>> migrating everything to use keycloak that way.
>>>>>>>
>>>>>>> It's just that we have cases that are so specific, that it would be
>>>>>>> better to authenticate the user in a different manner, create the
>>>>>>> user session and everything, without redirecting.
>>>>>>>
>>>>>>> I'll have a look at that code. Thanks!
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
>>>>>>>
>>>>>>> If you want to handle your own login pages, IMO, you are missing
>>>>>>> out on a lot of Keycloak features. Specifically:
>>>>>>>
>>>>>>> * SSO
>>>>>>> * forgot password
>>>>>>> * admin forced credential reset/setup
>>>>>>>
>>>>>>>
>>>>>>> Login pages can be styled however you like to look like your
>>>>>>> application.
>>>>>>>
>>>>>>> There is a REST api for obtaining an access token. Here is an
>>>>>>> example:
>>>>>>>
>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>>
>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>>>>>>>> Is there a way to authenticate the user without having to input username
>>>>>>>> and password on the login page?
>>>>>>>>
>>>>>>>> For example:
>>>>>>>>
>>>>>>>> Say there's a situation in my application where I request the user for
>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>>>>>>> do that?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Rodrigo Sasaki
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Rodrigo Sasaki
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Rodrigo Sasaki
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Rodrigo Sasaki
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Rodrigo Sasaki
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Rodrigo Sasaki
>>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>>
>
>
>
> --
> Rodrigo Sasaki
>