[keycloak-user] Authenticate user without using login page
Bill Burke
bburke at redhat.com
Wed Jul 30 09:38:32 EDT 2014
OpenID Connect protocol is used to implement this?
On 7/30/2014 9:29 AM, Stian Thorgersen wrote:
> Added login_hint query param. It can be used with keycloak.js with either:
>
> keycloak.login({ loginHint: 'username' })
>
> or
>
> keycloak.createLoginUrl({ loginHint: 'username' })
>
> ----- Original Message -----
>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>> Sent: Friday, 25 July, 2014 6:11:47 PM
>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>
>> It all worked great with the iframe, if I style it properly and use that
>> login_hint it should be perfect.
>>
>> Now how should I go about developing/using this login_hint? Are there any
>> tips on this, or is it something that you plan on including yourselves?
>>
>>
>> On Fri, Jul 25, 2014 at 1:21 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com>
>> wrote:
>>
>>> Just one more thing that wasn't completely clear to me.
>>>
>>> if I add a login page on an iframe, the user will be logged normally? Or
>>> would I have to get a token and keep managing it?
>>>
>>>
>>> On Fri, Jul 25, 2014 at 10:42 AM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>>>
>>>> That idea actually sounds amazing, I didn't look into keycloak.js yet,
>>>> but I'll see if I can get it working before I think about styling.
>>>>
>>>> Thank you very much!
>>>>
>>>>
>>>> On Fri, Jul 25, 2014 at 10:38 AM, Stian Thorgersen <stian at redhat.com>
>>>> wrote:
>>>>
>>>>> I think we could quite easily add support for embedding the login page
>>>>> to keycloak.js. Rough idea:
>>>>>
>>>>> 1. Set an option on keycloak.js to use embedded login form. Would also
>>>>> require setting an id for a div where the form should be embedded.
>>>>> 2. When clicking on login instead of redirecting it would render an
>>>>> iframe element inside the configured div with the src of the iframe being
>>>>> the login page on Keycloak
>>>>> 3. The redirect-uri would be a special url on Keycloak that renders a
>>>>> similar page to the iframe session page that allows posting a message back
>>>>> to keycloak.js containing the code
>>>>> 4. Now keycloak.js can swap the code as usual
>>>>>
>>>>> One thing is that we'd probably need additional styling of the login
>>>>> form, as you would want the login page to display differently when embedded
>>>>> compared to when you redirect to it.
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>>> To: "Bill Burke" <bburke at redhat.com>
>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>> Sent: Friday, 25 July, 2014 2:30:44 PM
>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>
>>>>>> The cookies should be set fine, as the iframe would contain the login page
>>>>>> directly from Keycloak.
>>>>>>
>>>>>> It would redirect to a special page on the app that after extracting the code
>>>>>> would close the popup.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki"
>>>>>>> <rodrigopsasaki at gmail.com>
>>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>>> Sent: Friday, 25 July, 2014 2:23:14 PM
>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>
>>>>>>> Not sure this will work with SSO. I'm not sure CORS requests can deal
>>>>>>> with cookies.
>>>>>>>
>>>>>>> On 7/25/2014 9:21 AM, Stian Thorgersen wrote:
>>>>>>>> What about using an iframe in the popup to include the login form from
>>>>>>>> Keycloak?
>>>>>>>>
>>>>>>>> You can send an HTTP POST to /auth-server/<realm>/tokens/grants/access with
>>>>>>>> client id/secret and username/password and get a token back. With
>>>>>>>> keycloak.js you can give it this token, not sure how/if this flow works
>>>>>>>> with the server-side (Undertow) adapter.
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>>>>>>>>> Sent: Friday, 25 July, 2014 2:08:43 PM
>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>
>>>>>>>>> Actually, the main problem is one of the flows where the password request
>>>>>>>>> appears in a popup, there's no redirect at all, and one of the things that
>>>>>>>>> were agreed upon when we decided to change the authentication provider was
>>>>>>>>> that nothing would be altered in the user experience.
>>>>>>>>>
>>>>>>>>> So I really have to try and make keycloak "fit in" in these particular
>>>>>>>>> scenarios, they are not used as much as the ones where we'll use the
>>>>>>>>> keycloak login page with our own style, but I do have to make them work.
>>>>>>>>>
>>>>>>>>> When you say I could use direct grant to get a token, would that count as
>>>>>>>>> the same as a user logging in? It's not really clear to me right now
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Jul 25, 2014 at 9:56 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Yes, but I'm wondering why the following won't work:
>>>>>>>>>>
>>>>>>>>>> 1. Ask for the user's email (in your app, not KC)
>>>>>>>>>> 2. Once you get to the flow where a user has to login:
>>>>>>>>>> a) If user doesn't exist in KC (you can use admin endpoints to check
>>>>>>>>>> this) redirect to registration page on KC with email already entered
>>>>>>>>>> b) If user does exist in KC redirect to login page again with email
>>>>>>>>>> already entered
>>>>>>>>>> 3. Redirect back to app
>>>>>>>>>>
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>>>>>>> Sent: Friday, 25 July, 2014 1:48:45 PM
>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>
>>>>>>>>>>> It is because their first login screen is just something asking for an
>>>>>>>>>>> email. If the email doesn't exist as a user, they want a redirect to
>>>>>>>>>>> the register page.
>>>>>>>>>>>
>>>>>>>>>>> On 7/25/2014 5:08 AM, Stian Thorgersen wrote:
>>>>>>>>>>>> Yes, you can use the direct grant to retrieve a token.
>>>>>>>>>>>>
>>>>>>>>>>>> I'd like to know why redirecting to the login form, when styled to match
>>>>>>>>>>>> your website, and using login_hint to pre-fill username/email doesn't
>>>>>>>>>>>> work. Maybe there's something we can do so that you can still use the
>>>>>>>>>>>> "proper" flow?
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>>>>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>>>>>>>>>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
>>>>>>>>>>>>> Sent: Thursday, 24 July, 2014 6:13:17 PM
>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry to keep insisting on this, but since it's being a huge showstopper
>>>>>>>>>>>>> so far, I just have to ask.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I don't mind trading off SSO and all the other benefits that the
>>>>>>>>>>>>> Keycloak login page provides me, would there be a way for me to do what I
>>>>>>>>>>>>> want?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Jul 18, 2014 at 5:44 AM, Stian Thorgersen <stian at redhat.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> We could add support for login_hint query param so you can have the
>>>>>>>>>>>>>> username/email field on the login form pre-filled for the user, so once a
>>>>>>>>>>>>>> user has to authenticate you redirect to login on KC and all they would
>>>>>>>>>>>>>> have to do is enter their password.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you bypass the login forms you'd lose SSO, multi-factor support,
>>>>>>>>>>>>>> required actions, recover password, etc, etc, etc..
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> As Bill mentioned we provide very flexible login forms that can be
>>>>>>>>>>>>>> templated using either just css or even FreeMarker templates if you need a
>>>>>>>>>>>>>> lot of customization, so you should be able to make the login form
>>>>>>>>>>>>>> integrate well with your website.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>>>>> From: "Rodrigo Sasaki" <rodrigopsasaki at gmail.com>
>>>>>>>>>>>>>>> To: "Bill Burke" <bburke at redhat.com>
>>>>>>>>>>>>>>> Cc: keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>> Sent: Thursday, 17 July, 2014 6:52:08 PM
>>>>>>>>>>>>>>> Subject: Re: [keycloak-user] Authenticate user without using login page
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You think there could be a way to do this within keycloak itself?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:41 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll give you an example:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We have a situation in our website where we only ask for the user's
>>>>>>>>>>>>>>> e-mail, and he can go on with the flow.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On a determined step of the flow, if we identify that this is an e-mail
>>>>>>>>>>>>>>> that we already have in our user database, we ask him for his password,
>>>>>>>>>>>>>>> authenticate him, and let him go on; if this e-mail is new, we redirect
>>>>>>>>>>>>>>> him to a page where he can register himself, and after that continue on.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On this specific case and others, we wouldn't like to have to redirect
>>>>>>>>>>>>>>> him to keycloak, because that would interrupt the flow that we designed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Jul 16, 2014 at 4:39 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://docs.jboss.org/keycloak/docs/1.0-beta-3/userguide/html/direct-access-grants.html
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you have to do it this way, please let us know why. Maybe we can
>>>>>>>>>>>>>>> solve the issue within keycloak itself.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 7/16/2014 3:35 PM, Rodrigo Sasaki wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Just for the sake of conversation, if I did want to handle my own login
>>>>>>>>>>>>>>> page, would there be a way for me to do it?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:35 PM, Rodrigo Sasaki <rodrigopsasaki at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I don't want to miss out on all of that, which is why we're mostly
>>>>>>>>>>>>>>> migrating everything to use keycloak that way.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> It's just that we have cases that are so specific, that it would be
>>>>>>>>>>>>>>> better to authenticate the user in a different manner, create the
>>>>>>>>>>>>>>> user session and everything, without redirecting.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'll have a look at that code. Thanks!
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Jul 15, 2014 at 2:19 PM, Bill Burke <bburke at redhat.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you want to handle your own login pages, IMO, you are missing out on
>>>>>>>>>>>>>>> a lot of Keycloak features. Specifically:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> * SSO
>>>>>>>>>>>>>>> * forgot password
>>>>>>>>>>>>>>> * admin forced credential reset/setup
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Login pages can be styled however you like to look like your
>>>>>>>>>>>>>>> application.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> There is a REST api for obtaining an access token. Here is an example:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 7/15/2014 12:36 PM, Rodrigo Sasaki wrote:
>>>>>>>>>>>>>>>> Is there a way to authenticate the user without having to input username
>>>>>>>>>>>>>>>> and password on the login page?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> For example:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Say there's a situation in my application where I request the user for
>>>>>>>>>>>>>>>> his username and password, and I wouldn't like to redirect that to the
>>>>>>>>>>>>>>>> keycloak login page to authenticate him, would there be a way for me to
>>>>>>>>>>>>>>>> do that?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Bill Burke
>>>>>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Bill Burke
>>>>>>>>>>> JBoss, a division of Red Hat
>>>>>>>>>>> http://bill.burkecentral.com
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Rodrigo Sasaki
>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bill Burke
>>>>>>> JBoss, a division of Red Hat
>>>>>>> http://bill.burkecentral.com
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Rodrigo Sasaki
>>>>
>>>
>>>
>>>
>>> --
>>> Rodrigo Sasaki
>>>
>>
>>
>>
>> --
>> Rodrigo Sasaki
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
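The embedded-login idea in the thread (login page in an iframe, a redirect page on Keycloak posting the authorization code back to keycloak.js) only stays as safe as a normal redirect if the app checks who sent that message before swapping the code. The receiver-side checks below are an added illustration, not keycloak.js or Keycloak code; the message shape `{ type, code, state }`, the origin `https://sso.example.com` and the `state` value are assumptions.

```javascript
// Added example, not keycloak.js or Keycloak code. Receiver-side checks for
// the embedded-login design: the redirect page on Keycloak posts the
// authorization code back to the app, and the app must refuse anything that
// does not come from the Keycloak origin for the login it started.
// Assumed message shape (not a Keycloak format): { type, code, state }.
const KEYCLOAK_ORIGIN = "https://sso.example.com"; // assumed auth-server origin

function handleLoginMessage(event, expected) {
  // Browsers deliver "message" events from any frame on the page; only the
  // Keycloak server origin may hand us a code.
  if (event.origin !== expected.origin) {
    return { ok: false, reason: "bad-origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "keycloak-code") {
    return { ok: false, reason: "bad-shape" };
  }
  // The state value was generated when this login was started; a code from
  // another login (or a replayed one) will not carry it.
  if (typeof data.state !== "string" || data.state !== expected.state) {
    return { ok: false, reason: "bad-state" };
  }
  if (typeof data.code !== "string" || data.code.length === 0) {
    return { ok: false, reason: "missing-code" };
  }
  return { ok: true, code: data.code };
}

// Browser wiring: accept one valid message, then stop listening. The code
// exchange itself is whatever the adapter normally does after a redirect.
function listenForLoginCode(expected, onCode) {
  if (typeof window === "undefined") return false; // not running in a browser
  window.addEventListener("message", function onMessage(event) {
    const result = handleLoginMessage(event, expected);
    if (result.ok) {
      window.removeEventListener("message", onMessage);
      onCode(result.code);
    }
  });
  return true;
}
```

The `state` value should be a fresh random string per login attempt, kept in the app until the message arrives.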