I think you can achieve this with the OAuth2 Resource Owner Password
Credentials Grant (in Keycloak, it is referred to as the Direct Grant flow).
As you pointed out, it would be good to have this really just as a temporary
solution for legacy purposes, as this approach has quite a lot of
limitations compared to having the login form properly shown on the Keycloak
side (e.g. missing social logins, registration, "Forgot password"
functionality, etc.).
Marek
On 25/11/2018 23:47, Craig Setera wrote:
As everyone is probably painfully aware from all of my questions, we are in
the midst of replacing our proprietary login flow with a Keycloak
OpenID-based flow. The eventual goal is to use the standard Keycloak login
pages to allow for extra factors of authentication such as Google
Authenticator.
One option that we've allowed until now is for customers to host custom
login HTML forms (just username and password) on their sites. This is
something that we are (most likely) going to remove support for in the long
run, but in the short term, I think we are going to need to support this if
only to allow for a transition period. The login flow is:
Customer Site (HTML form) ->
Login Handler (JEE Session) ->
Redirect browser to SPA along with JSESSIONID
All API calls use JEE sessions for "authentication". What I'm hoping to do
somehow in the short term is:
Customer Site (HTML form) ->
Login Handler ->
Keycloak ->
Redirect browser to SPA with OAuth codes/tokens
What is the best/correct way to do something like this? Should I be using
the authorization code grant in this case?
Thanks for any insights.
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
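
The token exchange the Login Handler would perform under the Direct Grant flow suggested in the reply, as an added example that is not part of the original thread or of Keycloak's own code. The host, realm, client id and the `/auth` path prefix are assumed placeholders, and the client is assumed to be a confidential client with Direct Access Grants enabled.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholders; none of these values come from the thread.
TOKEN_URL = ("https://sso.example.com/auth/realms/example-realm"
             "/protocol/openid-connect/token")
CLIENT_ID = "legacy-login-handler"


def build_direct_grant_request(username, password, client_secret):
    """Token request the Login Handler sends (RFC 6749 section 4.3)."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,  # confidential client, server side only
        "username": username,
        "password": password,
        "scope": "openid",
    }).encode()
    # Credentials go in the POST body only, never in the URL.
    return urllib.request.Request(
        TOKEN_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(status, body):
    """Return (tokens, None) on success or (None, error_code) on failure."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None
    if not isinstance(payload, dict):
        return None, "malformed_response"
    if status == 200 and "access_token" in payload:
        keep = ("access_token", "refresh_token", "id_token", "expires_in")
        return {k: payload[k] for k in keep if k in payload}, None
    # OAuth2 error codes such as invalid_grant (bad credentials) end up here.
    return None, payload.get("error", "unknown_error")


def login(username, password, client_secret, opener=urllib.request.urlopen):
    """Exchange the posted form credentials for tokens at Keycloak."""
    req = build_direct_grant_request(username, password, client_secret)
    try:
        with opener(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read())
```

The `opener` parameter exists so the handler can be exercised without a live Keycloak; in production the default `urlopen` is used over HTTPS.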