On 13 October 2016 at 21:46, Chris Savory <chris.savory(a)edlogics.com> wrote:
We aren’t using the Keycloak registration because our app has been
existing for a couple of years before the current Kc integration. Our
onboarding/registration process is pretty extensive and is about a 10 page
angular flow that uses XHR requests to our server to create the data.
Converting it over to using the Kc page that does a form/post would be
very difficult for us.
Sounds like you have a valid requirement for using an external registration
page. We have considered in the past to add the ability to do that, but it
was left as just an open idea.
One option would be to implement this yourself with a custom authenticator.
Once you've completed the registration process you could issue a temporary
authentication token then redirect the user to authenticate on Keycloak.
The custom authenticator could then verify this token and authenticate the
I’m curious why do you say: “You need to do the redirect based
authentication and not use direct grant if you want an SSO session.”
Is this a requirement or just a best practice?
Requirement. If you want SSO with a centralized IdP you need to use
redirect based authentication.
I ran a test with this scenario and I’m able to get a password based grant
from our admin_cli client and then go to our app with that token (app is
using a different, confidential client that is has the Spring Security KC
adapter configured) and it will not only recognize that token, but also
establish a session for me.
You will only be authenticated to the application, but not have an SSO
From: Stian Thorgersen <sthorger(a)redhat.com>
Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
Date: Thursday, October 13, 2016 at 1:11 AM
To: Chris Savory <chris.savory(a)edlogics.com>
Cc: "Mariusz Chruscielewski - Info.nl" <mariusz(a)info.nl>, "
keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>, David
Subject: Re: [keycloak-user] Login to Keycloak using API and create
You need to do the redirect based authentication and not use direct grant
if you want an SSO session.
Why are you not just using the registration form on the Keycloak server?
It can be changed to match exactly what you need?
On 10 October 2016 at 15:30, Chris Savory <chris.savory(a)edlogics.com>
I actually had a similar question for our register user workflow. We are
registering users on our site using our own custom registration form; in
this flow we use the Admin client to create the user in keycloak. Since
the user just gave us their un/pw it doesn’t make sense for us to send them
over to Keycloak to login, but rather we would like to passively log them
in either via the backend or via some ajax call.
I know I can get a token if I do something like this, but I’m not sure if
it’s going to drop all the right cookies back to the user’s browser to
consider them logged in across all the clients:
curl -d "client_id=admin-cli" -d
-d "password=password" -d "grant_type=password"
On 10/10/16, 3:23 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of
Stian Thorgersen" <keycloak-user-bounces(a)lists.jboss.org on behalf of
By using token directly I assume you mean exchanging username/password
a token directly. I'd strongly recommend against this and it's not
something our adapters support directly.
On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl <
> Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after
> access protected resource we are redirected to keycloak and after
> go back to our app. After that, we can get KeycloakPrincipal object
> web context (request).
> Is there a way to create / get this object without using Tomcat
> We want to make API call (like http://keycloak/auth/realms/
> vi/protocol/openid-connect/token) and get (or create manually) this
> object using AccessTokenResponse (or any other object we can get
> Ultimate goal is to login to keycloak like adapter does, but
> Java, without any interaction from user on keycloak forms.
> Is it even possible?
> Kind Regards,
> Mariusz Chruscielewski
> keycloak-user mailing list
keycloak-user mailing list