[keycloak-user] Authenticate user without using login page
Rodrigo Sasaki
rodrigopsasaki at gmail.com
Wed Jul 30 09:35:48 EDT 2014
Oh, great to hear :)
Thank you very much!
On Wed, Jul 30, 2014 at 10:29 AM, Stian Thorgersen <stian at redhat.com> wrote:
> Added login_hint query param. It can be used with keycloak.js with either:
>
> keycloak.login({ loginHint: 'username' })
>
> or
>
> keycloak.createLoginUrl({ loginHint: 'username' })
>
> ----- Original Message -----
> > From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > Sent: Friday, 25 July, 2014 6:11:47 PM
> > Subject: Re: [keycloak-user] Authenticate user without using login page
> >
> > It all worked great with the iframe, if I style it properly and use that
> > login_hint it should be perfect.
> >
> > Now how should I go about developing/using this login_hint? Are there any
> > tips on this, or is it something that you plan on including yourselves?
> >
> >
> > On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> >
> > > Just one more thing that wasn't completely clear to me.
> > >
> > > If I add a login page on an iframe, the user will be logged normally? Or
> > > would I have to get a token and keep managing it?
> > >
> > >
> > > On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> > >
> > >> That idea actually sounds amazing, I didn't look into keycloak.js yet,
> > >> but I'll see if I can get it working before I think about styling.
> > >>
> > >> Thank you very much!
> > >>
> > >>
> > >> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian at redhat.com>
> > >> wrote:
> > >>
> > >>> I think we could quite easily add support for embedding the login page
> > >>> to keycloak.js. Rough idea:
> > >>>
> > >>> 1. Set an option on keycloak.js to use embedded login form. Would also
> > >>> require setting an id for a div where the form should be embedded.
> > >>> 2. When clicking on login instead of redirecting it would render an
> > >>> iframe element inside the configured div with the src of the iframe being
> > >>> the login page on Keycloak
> > >>> 3. The redirect-uri would be a special url on Keycloak that renders a
> > >>> similar page to the iframe session page that allows posting a message back
> > >>> to keycloak.js containing the code
> > >>> 4. Now keycloak.js can swap the code as usual
> > >>>
> > >>> One thing is that we'd probably need an additional styling of the login
> > >>> form, as you would want the login page to display differently when embedded
> > >>> compared to when you redirect to it.
> > >>>
> > >>> ----- Original Message -----
> > >>> > From: "Stian Thorgersen" <stian at redhat.com>
> > >>> > To: "Bill Burke" <bburke at redhat.com>
> > >>> > Cc: keycloak-user at lists.jboss.org
> > >>> > Sent: Friday, 25 July, 2014 2:30:44 PM
> > >>> > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>> >
> > >>> > The cookies should be set fine, as the iframe would contain the login page
> > >>> > directly from Keycloak.
> > >>> >
> > >>> > It would redirect to a special page on the app that after extracting the code
> > >>> > would close the popup.
> > >>> >
> > >>> > ----- Original Message -----
> > >>> > > From: "Bill Burke" <bburke at redhat.com>
> > >>> > > To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki"
> > >>> > > <rodrigopsasaki at gmail.com>
> > >>> > > Cc: keycloak-user at lists.jboss.org
> > >>> > > Sent: Friday, 25 July, 2014 2:23:14 PM
> > >>> > > Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>> > >
> > >>> > > Not sure this will work with SSO. I'm not sure CORS requests can deal
> > >>> > > with cookies.
> > >>> > >
> > >>> > > On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
> > >>> > > > What about using an iframe in the popup to include the login form from
> > >>> > > > Keycloak?
> > >>> > > >
> > >>> > > > You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access
> > >>> > > > with client id/secret and username/password and get a token back. With
> > >>> > > > keycloak.js you can give it this token, not sure how/if this flow works
> > >>> > > > with the server-side (Undertow) adapter.
> > >>> > > >
> > >>> > > > ----- Original Message -----
> > >>> > > >> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > >>> > > >> To: "Stian Thorgersen" <stian at redhat.com>
> > >>> > > >> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > >>> > > >> Sent: Friday, 25 July, 2014 2:08:43 PM
> > >>> > > >> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>> > > >>
> > >>> > > >> Actually, the main problem is one of the flows where the password request
> > >>> > > >> appears in a popup, there's no redirect at all, and one of the things that
> > >>> > > >> were agreed upon when decided to change the authentication provider, was
> > >>> > > >> that nothing would be altered in the user experience.
> > >>> > > >>
> > >>> > > >> So I really have to try and make keycloak "fit in" in these particular
> > >>> > > >> scenarios, they are not used as much as the ones where we'll use the
> > >>> > > >> keycloak login page with our own style, but I do have to make them work.
> > >>> > > >>
> > >>> > > >> When you say I could use direct grant to get a token, would that count as
> > >>> > > >> the same as a user logging in? It's not really clear to me right now
> > >>> > > >>
> > >>> > > >>
> > >>> > > >> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > >>> > > >>
> > >>> > > >>> Yes, but I'm wondering why the following won't work:
> > >>> > > >>>
> > >>> > > >>> 1. Ask for user's email (in your app, not KC)
> > >>> > > >>> 2. Once you get to the flow where a user has to login:
> > >>> > > >>>    a) If user doesn't exist in KC (you can use admin endpoints to check
> > >>> > > >>>       this) redirect to registration page on KC with email already entered
> > >>> > > >>>    b) If user does exist in KC redirect to login page again with email
> > >>> > > >>>       already entered
> > >>> > > >>> 3. Redirect back to app
> > >>> > > >>>
> > >>> > > >>> ----- Original Message -----
> > >>> > > >>>> From: "Bill Burke" <bburke at redhat.com>
> > >>> > > >>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > >>> > > >>>> Cc: keycloak-user at lists.jboss.org
> > >>> > > >>>> Sent: Friday, 25 July, 2014 1:48:45 PM
> > >>> > > >>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>> > > >>>>
> > >>> > > >>>> It is because their first login screen is just something asking for an
> > >>> > > >>>> email. If the email doesn't exist as a user, they want a redirect to
> > >>> > > >>>> the register page.
> > >>> > > >>>>
> > >>> > > >>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
> > >>> > > >>>>> Yes, you can use the direct grant to retrieve a token.
> > >>> > > >>>>>
> > >>> > > >>>>> I'd like to know why redirecting to the login form, when styled to match
> > >>> > > >>>>> your website, and using login_hint to pre-fill username/email doesn't
> > >>> > > >>>>> work. Maybe there's something we can do so that you can still use the
> > >>> > > >>>>> "proper" flow?
> > >>> > > >>>>>
> > >>> > > >>>>> ----- Original Message -----
> > >>> > > >>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > >>> > > >>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>> > > >>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> > >>> > > >>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
> > >>> > > >>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>> > > >>>>>>
> > >>> > > >>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper so
> > >>> > > >>>>>> far, I just have to ask.
> > >>> > > >>>>>>
> > >>> > > >>>>>> If I don't mind trading off SSO and all the other benefits that the
> > >>> > > >>>>>> Keycloak login page provides me, would there be a way for me to do what I
> > >>> > > >>>>>> want?
> > >>> > > >>>>>>
> > >>> > > >>>>>>
> > >>> > > >>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com> wrote:
> > >>> > > >>>>>>
> > >>> > > >>>>>>> We could add support for login_hint query param so you can have the
> > >>> > > >>>>>>> username/email field on the login form pre-filled for the user, so once a
> > >>> > > >>>>>>> user has to authenticate you redirect to login on KC and all they would
> > >>> > > >>>>>>> have to do is enter their password.
> > >>> > > >>>>>>>
> > >>> > > >>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
> > >>> > > >>>>>>> required actions, recover password, etc, etc, etc..
> > >>> > > >>>>>>>
> > >>> > > >>>>>>> As Bill mentioned we provide very flexible login forms that can be
> > >>> > > >>>>>>> templated using either just css or even FreeMarker templates if you need a
> > >>> > > >>>>>>> lot of customization, so you should be able to make the login form
> > >>> > > >>>>>>> integrate well with your website.
> > >>> > > >>>>>>>
> > >>> > > >>>>>>> ----- Original Message -----
> > >>> > > >>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
> > >>> > > >>>>>>>> To: "Bill Burke" <bburke at redhat.com>
> > >>> > > >>>>>>>> Cc: keycloak-user at lists.jboss.org
> > >>> > > >>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
> > >>> > > >>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> You think there could be a way to do this within keycloak itself?
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> I'll give you an example:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> We have a situation in our website where we only ask for the user's e-mail,
> > >>> > > >>>>>>>> and he can go on with the flow.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On a determined step of the flow, if we identify that this is an e-mail that
> > >>> > > >>>>>>>> we already have in our user database, we ask him for his password,
> > >>> > > >>>>>>>> authenticate him, and let him go on, if this e-mail is new, we redirect him
> > >>> > > >>>>>>>> to a page where he can register himself, and after that continue on.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On this specific case and others, we wouldn't like to have to redirect him to
> > >>> > > >>>>>>>> keycloak, because that would interrupt the flow that we designed.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> If you have to do it this way, please let us know why. Maybe we can solve the
> > >>> > > >>>>>>>> issue within keycloak itself.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> Just for the sake of conversation, if I did want to handle my own login
> > >>> > > >>>>>>>> page, would there be a way for me to do it?
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> I don't want to miss out on all of that, which is why we're mostly
> > >>> > > >>>>>>>> migrating everything to use keycloak that way.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> It's just that we have cases that are so specific, that it would be
> > >>> > > >>>>>>>> better to authenticate the user in a different manner, create the
> > >>> > > >>>>>>>> user session and everything, without redirecting.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> I'll have a look at that code. Thanks!
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
> > >>> > > >>>>>>>> a lot of Keycloak features. Specifically:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> * SSO
> > >>> > > >>>>>>>> * forgot password
> > >>> > > >>>>>>>> * admin forced credential reset/setup
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> Login pages can be styled however you like to look like your
> > >>> > > >>>>>>>> application.
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> There is a REST api for obtaining an access token. Here is an
> > >>> > > >>>>>>>> example:
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
> > >>> > > >>>>>>>>> Is there a way to authenticate the user without having to input username
> > >>> > > >>>>>>>>> and password on the login page?
> > >>> > > >>>>>>>>>
> > >>> > > >>>>>>>>> For example:
> > >>> > > >>>>>>>>>
> > >>> > > >>>>>>>>> Say there's a situation in my application where I request the user for
> > >>> > > >>>>>>>>> his username and password, and I wouldn't like to redirect that to the
> > >>> > > >>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
> > >>> > > >>>>>>>>> do that?
> > >>> > > >>>>>>>>>
> > >>> > > >>>>>>>>> --
> > >>> > > >>>>>>>>> Rodrigo Sasaki
> > >>> > > >>>>>>>>>
> > >>> > > >>>>>>>>>
> > >>> > > >>>>>>>>> _______________________________________________
> > >>> > > >>>>>>>>> keycloak-user mailing list
> > >>> > > >>>>>>>>> keycloak-user at lists.jboss.org
> > >>> > > >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>> > > >>>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> --
> > >>> > > >>>>>>>> Bill Burke
> > >>> > > >>>>>>>> JBoss, a division of Red Hat
> > >>> > > >>>>>>>> http://bill.burkecentral.com
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> --
> > >>> > > >>>>>>>> Rodrigo Sasaki
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> --
> > >>> > > >>>>>>>> Rodrigo Sasaki
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> --
> > >>> > > >>>>>>>> Bill Burke
> > >>> > > >>>>>>>> JBoss, a division of Red Hat
> > >>> > > >>>>>>>> http://bill.burkecentral.com
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> --
> > >>> > > >>>>>>>> Rodrigo Sasaki
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>> --
> > >>> > > >>>>>>>> Rodrigo Sasaki
> > >>> > > >>>>>>>>
> > >>> > > >>>>>>>
> > >>> > > >>>>>>
> > >>> > > >>>>>>
> > >>> > > >>>>>>
> > >>> > > >>>>>> --
> > >>> > > >>>>>> Rodrigo Sasaki
> > >>> > > >>>>>>
> > >>> > > >>>>
> > >>> > > >>>> --
> > >>> > > >>>> Bill Burke
> > >>> > > >>>> JBoss, a division of Red Hat
> > >>> > > >>>> http://bill.burkecentral.com
> > >>> > > >>>>
> > >>> > > >>>
> > >>> > > >>
> > >>> > > >>
> > >>> > > >>
> > >>> > > >> --
> > >>> > > >> Rodrigo Sasaki
> > >>> > > >>
> > >>> > >
> > >>> > > --
> > >>> > > Bill Burke
> > >>> > > JBoss, a division of Red Hat
> > >>> > > http://bill.burkecentral.com
> > >>> > >
> > >>> >
> > >>>
> > >>
> > >>
> > >>
> > >> --
> > >> Rodrigo Sasaki
> > >>
> > >
> > >
> > >
> > > --
> > > Rodrigo Sasaki
> > >
> >
> >
> >
> > --
> > Rodrigo Sasaki
> >
>
--
Rodrigo Sasaki
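
The thread's embedded-login idea has the Keycloak-hosted page post the authorization code back to the embedding page, with login_hint pre-filling the username. The sketch below is an added example, not keycloak.js code and not written by anyone in this thread; it shows the checks an embedding page would apply before accepting such a message. The endpoint URL, the `{ code, state }` message shape and the function names are assumptions.

```javascript
// Added example. The endpoint URL and the { code, state } message shape are
// assumptions for illustration, not Keycloak's actual endpoint or protocol.

// Build the URL the iframe (or a full redirect) loads. `state` must be an
// unpredictable per-request value that the caller generates and remembers.
function buildLoginUrl({ authUrl, clientId, redirectUri, loginHint, state }) {
  const url = new URL(authUrl);
  if (url.protocol !== 'https:') throw new Error('login URL must use https');
  const query = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  });
  // login_hint only pre-fills the username field; it authenticates nobody.
  if (loginHint) query.set('login_hint', loginHint);
  url.search = query.toString();
  return url.toString();
}

// Decide whether a `message` event may be treated as the login result.
// Returns the authorization code, or null when any check fails.
function acceptLoginMessage(event, { authUrl, expectedState, frameWindow }) {
  // 1. Sender must be exactly the Keycloak origin (no prefix/suffix matching).
  if (event.origin !== new URL(authUrl).origin) return null;
  // 2. When the iframe's window is known, the message must come from it.
  if (frameWindow && event.source !== frameWindow) return null;
  // 3. Payload must have the expected shape.
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (typeof data.code !== 'string' || data.code.length === 0) return null;
  // 4. State must match the value issued for this login attempt.
  if (typeof expectedState !== 'string' || data.state !== expectedState) return null;
  return data.code;
}

// Constructed sample values (placeholders, not real hosts or codes).
const sample = {
  authUrl: 'https://sso.example.test/auth/login',
  clientId: 'my-app',
  redirectUri: 'https://sso.example.test/auth/embedded-callback',
  loginHint: 'user@example.test',
  state: 'b7f3c1d2-constructed-state',
};
const frame = {}; // stands in for iframe.contentWindow
const opts = { authUrl: sample.authUrl, expectedState: sample.state, frameWindow: frame };
const good = { origin: 'https://sso.example.test', source: frame,
               data: { code: 'constructed-code', state: sample.state } };

console.log(buildLoginUrl(sample));
console.log(acceptLoginMessage(good, opts));
console.log(acceptLoginMessage({ ...good, origin: 'https://other.example.test' }, opts));
```

In a browser, `acceptLoginMessage` would be called from a `window.addEventListener('message', ...)` handler with `frameWindow` set to the iframe's `contentWindow`.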