OpenID Connect protocol is used to implement this?
On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
Added login_hint query param. It can be used with keycloak.js with
either:
keycloak.login({ loginHint: 'username' })
or
keycloak.createLoginUrl({ loginHint: 'username' })
----- Original Message -----
> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
> Sent: Friday, 25 July, 2014 6:11:47 PM
> Subject: Re: [keycloak-user] Authenticate user without using login page
>
> It all worked great with the iframe, if I style it properly and use that
> login_hint it should be perfect.
>
> Now how should I go about developing/using this login_hint? Are there any
> tips on this, or is it something that you plan on including yourselves?
>
>
> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
> wrote:
>
>> Just one more thing that wasn't completely clear to me.
>>
>> If I add a login page on an iframe, the user will be logged normally? Or
>> would I have to get a token and keep managing it?
>>
>>
>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
>> wrote:
>>
>>> That idea actually sounds amazing, I didn't look into keycloak.js yet,
>>> but I'll see if I can get it working before I think about styling.
>>>
>>> Thank you very much!
>>>
>>>
>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian(a)redhat.com>
>>> wrote:
>>>
>>>> I think we could quite easily add support for embedding the login page
>>>> to keycloak.js. Rough idea:
>>>>
>>>> 1. Set an option on keycloak.js to use embedded login form. Would also
>>>> require setting an id for a div where the form should be embedded.
>>>> 2. When clicking on login instead of redirecting it would render an
>>>> iframe element inside the configured div with the src of the iframe being
>>>> the login page on Keycloak
>>>> 3. The redirect-uri would be a special url on Keycloak that renders a
>>>> similar page to the iframe session page that allows posting a message back
>>>> to keycloak.js containing the code
>>>> 4. Now keycloak.js can swap the code as usual
>>>>
>>>> One thing is that we'd probably need an additional styling of the login
>>>> form, as you would want the login page to display differently when embedded
>>>> compared to when you redirect to it.
>>>>
>>>> ----- Original Message -----
>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>
>>>>> The cookies should be set fine, as the iframe would contain the login page
>>>>> directly from Keycloak.
>>>>>
>>>>> It would redirect to a special page on the app that after extracting the code
>>>>> would close the popup.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
>>>>>> <rodrigopsasaki(a)gmail.com>
>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>
>>>>>> not sure this will work with SSO. I'm not sure CORS requests can deal
>>>>>> with cookies.
>>>>>>
>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
>>>>>>> What about using an iframe in the popup to include the login form from
>>>>>>> Keycloak?
>>>>>>>
>>>>>>> You can send a HTTP POST to /auth-server/<realm>/tokens/grants/access
>>>>>>> with client id/secret and username/password and get a token back. With
>>>>>>> keycloak.js you can give it this token, not sure how/if this flow works
>>>>>>> with the server-side (Undertow) adapter.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>
>>>>>>>> Actually, the main problem is one of the flows where the password request
>>>>>>>> appears in a popup, there's no redirect at all, and one of the things that
>>>>>>>> were agreed upon when decided to change the authentication provider, was
>>>>>>>> that nothing would be altered in the user experience.
>>>>>>>>
>>>>>>>> So I really have to try and make keycloak "fit in" in these particular
>>>>>>>> scenarios, they are not used as much as the ones where we'll use the
>>>>>>>> keycloak login page with our own style, but I do have to make them work.
>>>>>>>>
>>>>>>>> When you say I could use direct grant to get a token, would that count as
>>>>>>>> the same as a user logging in? It's not really clear to me right now
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian(a)redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Yes, but I'm wondering why the following won't work:
>>>>>>>>>
>>>>>>>>> 1. Ask for users email (in your app, not KC)
>>>>>>>>> 2. Once you get to the flow where a user has to login:
>>>>>>>>> a) If user doesn't exist in KC (you can use admin endpoints to check
>>>>>>>>> this) redirect to registration page on KC with email already entered
>>>>>>>>> b) If user does exist in KC redirect to login page again with email
>>>>>>>>> already entered
>>>>>>>>> 3. Redirect back to app
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Rodrigo Sasaki"
>>>>>>>>>> <rodrigopsasaki(a)gmail.com>
>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>
>>>>>>>>>> It is because their first login screen is just something asking for an
>>>>>>>>>> email. If the email doesn't exist as a user, they want a redirect to
>>>>>>>>>> the register page.
>>>>>>>>>>
>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token.
>>>>>>>>>>>
>>>>>>>>>>> I'd like to know why redirecting to the login form, when styled to match
>>>>>>>>>>> your website, and using login_hint to pre-fill username/email doesn't
>>>>>>>>>>> work. Maybe there's something we can do so that you can still use the
>>>>>>>>>>> "proper" flow?
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>>>>>>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
>>>>>>>>>>>> so far, I just have to ask.
>>>>>>>>>>>>
>>>>>>>>>>>> If I don't mind trading off SSO and all the other benefits that the
>>>>>>>>>>>> Keycloak login page provides me, would there be a way for me to do what I
>>>>>>>>>>>> want?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian(a)redhat.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> We could add support for login_hint query param so you can have the
>>>>>>>>>>>>> username/email field on the login form pre-filled for the user, so once a
>>>>>>>>>>>>> user has to authenticate you redirect to login on KC and all they would
>>>>>>>>>>>>> have to do is enter their password.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>>>>>>>>>>>> required actions, recover password, etc, etc, etc..
>>>>>>>>>>>>>
>>>>>>>>>>>>> As Bill mentioned we provide very flexible login forms that can be
>>>>>>>>>>>>> templated using either just css or even FreeMarker templates if you need a
>>>>>>>>>>>>> lot of customization, so you should be able to make the login form
>>>>>>>>>>>>> integrate well with your website.
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki(a)gmail.com>
>>>>>>>>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>>>>>>>> Cc: keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You think there could be a way to do this within keycloak itself?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki < rodrigopsasaki(a)gmail.com >
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'll give you an example:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
>>>>>>>>>>>>>> and he can go on with the flow.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
>>>>>>>>>>>>>> we already have in our user database, we ask him for his password,
>>>>>>>>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
>>>>>>>>>>>>>> to a page where he can register himself, and after that continue on.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
>>>>>>>>>>>>>> keycloak, because that would interrupt the flow that we designed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke < bburke(a)redhat.com > wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
>>>>>>>>>>>>>> issue within keycloak itself.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>>>>>>>>>>>>> page, would there be a way for me to do it?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki
>>>>>>>>>>>>>> < rodrigopsasaki(a)gmail.com > wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>>>>>>>>>>>>> migrating everything to use keycloak that way.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It's just that we have cases that are so specific, that it would be
>>>>>>>>>>>>>> better to authenticate the user in a different manner, create the
>>>>>>>>>>>>>> user session and everything, without redirecting.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke < bburke(a)redhat.com > wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> * SSO
>>>>>>>>>>>>>> * forgot password
>>>>>>>>>>>>>> * admin forced credential reset/setup
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Login pages can be styled however you like to look like your
>>>>>>>>>>>>>> application.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> There is a REST api for obtaining an access token. Here is an
>>>>>>>>>>>>>> example:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo
Sasaki wrote:
>>>>>>>>>>>>>>> Is there a way to authenticate the user without having to input username
>>>>>>>>>>>>>>> and password on the login page?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> For example:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Say there's a situation in my application where I request the user for
>>>>>>>>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>>>>>>>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>>>>>>>>>>>>>> do that?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>>>> http://bill.burkecentral.com
>
>
>
> --
> Rodrigo Sasaki
>
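
Added example, not part of the original thread and not Keycloak's own code: in the embedded-login idea quoted above, the login iframe posts the authorization code back to the page, so the page has to check who sent the message before swapping the code. The sketch builds a login URL carrying login_hint and accepts a posted code only when the sender origin and the state both match; the endpoint URL, the function names and the {code, state} message shape are assumptions.

```javascript
// Added example; function names, URLs and the message shape are assumptions,
// not keycloak.js internals.

// Build an OpenID Connect authorization request that pre-fills the username.
// login_hint only fills the form field; the user still authenticates on the
// server's own login page.
function buildLoginUrl({ authEndpoint, clientId, redirectUri, state, loginHint }) {
  const url = new URL(authEndpoint); // placeholder endpoint supplied by caller
  if (url.protocol !== 'https:') {
    throw new Error('authorization endpoint must use https');
  }
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state); // random per-request value
  if (loginHint) {
    // URLSearchParams percent-encodes the value, so a hint containing '&'
    // or '=' cannot add or override other parameters.
    url.searchParams.set('login_hint', loginHint);
  }
  return url.toString();
}

// Handler logic for the message the embedded login iframe posts back.
// Returns the authorization code, or null when the message must be ignored.
function acceptLoginMessage(event, { serverOrigin, expectedState }) {
  if (event.origin !== serverOrigin) return null; // not sent by the login server
  const data = event.data;
  if (data === null || typeof data !== 'object') return null;
  if (typeof data.code !== 'string' || data.code.length === 0) return null;
  if (typeof expectedState !== 'string' || data.state !== expectedState) return null;
  return data.code; // safe to hand to the normal code-for-token swap
}
```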