stianst wrote:
> Sorry, but I just can't spend time on figuring out what's going wrong when
> you are doing something bad.
>
> On 21 December 2016 at 10:24, ruiwp13 <ruiwp_93@> wrote:
>
>> stianst wrote:
>>> That's an extremely bad hack! The authorization code flow is a redirect
>>> based flow and should not be used in this way.
>>>
>>> Please use the real login page as recommended. Alternatively use resource
>>> owner password grant (direct grant in Keycloak). With direct grants you
>>> can only invalidate the refresh token, not the session or access token so
>>> you should have a short lifespan on your access tokens.
>>>
>>> On 21 December 2016 at 09:21, ruiwp13 <ruiwp_93@> wrote:
>>>
>>>> Bill Burke wrote:
>>>>> On 12/20/16 12:00 PM, ruiwp13 wrote:
>>>>>> Bill Burke wrote:
>>>>>>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>>>>>>>> Bill Burke wrote:
>>>>>>>>> I looked at the image, specifically the @Path("/login") JAX-RS
>>>>>>>>> method. What you are attempting will just not work. Period. I
>>>>>>>>> don't think you understand how basic servlet, JAX-RS, and HTTP
>>>>>>>>> works along with how OpenID Connect works. OpenID Connect (and
>>>>>>>>> SAML) require browser redirects. In looking at your code, you're
>>>>>>>>> expecting authenticate() to redirect the browser to keycloak, have
>>>>>>>>> the user login, then redirect back. This just doesn't do what you
>>>>>>>>> expect. And it shouldn't. Calling servletRequest.authenticate()
>>>>>>>>> sets a 302 response with a Location header pointing back to the
>>>>>>>>> server. That's it... You actually override what authenticate() did
>>>>>>>>> by returning a JAX-RS response.
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user@.jboss
>>>>>>>>
>>>>>>>> Thank you for the answer Bill,
>>>>>>>>
>>>>>>>> It does redirect me to keycloak login page and then back to my login
>>>>>>>> page. The redirect back is managed by keycloak. It redirects back to
>>>>>>>> the application after login. It may have something wrong when I do
>>>>>>>> the authenticate(), but it does redirect me to Keycloak login page.
>>>>>>>> If I knew how everything worked I wasn't here asking for help eheh.
>>>>>>>> I came here to know what I was doing wrong or if it was a keycloak
>>>>>>>> problem.
>>>>>>>>
>>>>>>>> What is the correct way to do it then?
>>>>>>>
>>>>>>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
>>>>>>> this a browser application? If so, I strongly suggest you use our
>>>>>>> adapter and Keycloak Login pages. Login pages can be stylized however
>>>>>>> you want. You are not using our adapter as it was intended to be
>>>>>>> used so we just can't help you. You're on your own.
>>>>>>>
>>>>>>> You can do a login without keycloak login pages, but this flow is for
>>>>>>> REST clients only, not browser applications. Use direct grant [1] to
>>>>>>> obtain a token. Here's a crude example [2]. Sorry there aren't better
>>>>>>> docs on this.
>>>>>>>
>>>>>>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
>>>>>>> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>
>>>>>> Is there no possibility of invalidating the token or at least, set
>>>>>> its expiration to "now" when the user logs out?
>>>>>> Now, when I logout I get the backchannel logout request from keycloak
>>>>>> but the token is still valid. I am able to access the secured pages
>>>>>> even though the session in keycloak has ended.
>>>>>
>>>>> Are you still doing your *hack* approach?
>>>>> HttpServletRequest.getSession().invalidate() might work. Like I said
>>>>> before, if you insist on doing things your own way and in a way that
>>>>> was not intended for the adapter to work, there's not much we can help
>>>>> you with.
>>>>>
>>>>> Bill
>>>>
>>>> Hello Bill,
>>>>
>>>> Well, not sure if it is a hack approach. I want to login through REST
>>>> without having to be redirected to keycloak login page because there is
>>>> a part where there will be no browser interaction.
>>>> At the moment, I am logging in with authorization code flow through HTTP
>>>> GETs and POSTs and scraping the login form to get the code & state. I
>>>> also send the client_session_state containing the
>>>> HttpServletRequest.getSession().getId()
>>>> To logout I am making a POST call to the logout endpoint sending the
>>>> refresh_token and the client_id and client_secret.
>>>>
>>>> Is this the right way to do it?
>>>> Otherwise how am I supposed to logout without a browser, in a servlet?
>>>>
>>>> --
>>>> View this message in context:
>>>> http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2075.html
>>>> Sent from the keycloak-user mailing list archive at Nabble.com.
>>
>> OK, thank you.
>>
>> Well stianst, it is a bad hack but I am getting the callback from keycloak
>> to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
>> invalidate the token as well? When I tried the browser redirect login it
>> did log me out of the app and I had to login again in browser to access
>> secured pages but I still could use the token anyway. The token was not
>> invalidated.
>>
>> --
>> View this message in context:
>> http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2078.html
>> Sent from the keycloak-user mailing list archive at Nabble.com.

I'm sorry, but before this "hack" I used the adapter correctly with the
browser redirect and the token wasn't invalidated. That is what I am saying.
The browser session ended, the cookies and JSESSION were cleaned and I had
to login again to access secure pages. But if I copied the token to POSTMAN
and made a request I was able to access secure pages through REST anyway.
--
View this message in context:
http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Pag...
Sent from the keycloak-user mailing list archive at Nabble.com.
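The behaviour the thread circles around (a bearer token that keeps working after the SSO session and the servlet session have ended) follows from the token being a self-contained JWT: a resource server checks the signature and `exp` locally and never asks Keycloak whether the session still exists, which is why stianst's advice is a short access token lifespan. The example below is added here and is not code from the thread or from Keycloak; it shows that check, and the second mitigation the thread hints at: when the `{Admin URL}/k_logout` callback arrives, record the ended SSO session IDs and reject any token whose `session_state` claim names one of them. Assumptions: tokens are signed with HS256 and a constructed secret (Keycloak uses RS256 by default; HS256 just keeps the demo offline), the logout body carries the session IDs under a `keycloakSessionIds` field (assumed name), and all timestamps and IDs are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this offline demo; stands in for the realm key.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue a compact HS256 JWS with the given claims (plays the role of the issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


class SessionRevocations:
    """SSO session IDs reported by the backchannel logout (/k_logout) callback.

    Assumption: the logout body lists ended sessions under "keycloakSessionIds",
    and access tokens carry the matching SSO session ID in "session_state".
    """

    def __init__(self) -> None:
        self._revoked_at = {}                 # session id -> time the logout arrived

    def on_k_logout(self, logout_action: dict, now: int) -> None:
        for sid in logout_action.get("keycloakSessionIds", []):
            self._revoked_at[sid] = now

    def is_revoked(self, sid: str) -> bool:
        return sid in self._revoked_at

    def prune(self, now: int, max_access_token_lifespan: int) -> None:
        """Drop a session once every token it could have issued has expired."""
        self._revoked_at = {sid: t for sid, t in self._revoked_at.items()
                            if now - t <= max_access_token_lifespan}


def authorize(token: str, revocations: SessionRevocations, now: int,
              secret: bytes = DEMO_SECRET) -> tuple:
    """Decide whether a bearer token may reach a protected resource: (allowed, reason)."""
    try:
        claims = verify_token(token, secret)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if revocations.is_revoked(claims.get("session_state", "")):
        return False, "session logged out"
    return True, "ok"


def demo() -> dict:
    """Replay the thread's scenario with constructed values and collect each decision."""
    issued, lifespan = 1_482_314_400, 300     # constructed issue time; short lifespan
    claims = {"sub": "constructed-user", "session_state": "constructed-sso-1",
              "iat": issued, "exp": issued + lifespan}
    token = make_token(claims)
    revocations = SessionRevocations()
    result = {"before_logout": authorize(token, revocations, issued + 10)}
    # The user logs out; Keycloak calls {Admin URL}/k_logout (constructed body).
    revocations.on_k_logout({"keycloakSessionIds": ["constructed-sso-1"]}, issued + 20)
    result["after_logout"] = authorize(token, revocations, issued + 30)
    # Without the revocation list the same token is still accepted until exp.
    result["after_logout_no_list"] = authorize(token, SessionRevocations(), issued + 30)
    result["after_expiry"] = authorize(token, SessionRevocations(), issued + lifespan)
    result["forged"] = authorize(make_token(claims, b"wrong-key"), revocations, issued + 10)
    revocations.prune(issued + 20 + lifespan + 1, lifespan)
    result["pruned"] = revocations.is_revoked("constructed-sso-1")
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:22} {outcome}")
```

The `after_logout_no_list` entry is exactly what the thread reports: the POSTMAN replay succeeds because nothing in the token changed at logout. The revocation list only needs to remember a session for one access token lifespan, which is why keeping that lifespan short both limits the exposure window and bounds the memory the list consumes.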