[keycloak-user] Login without Keycloak Login Page
ruiwp13
ruiwp_93 at hotmail.com
Mon Dec 19 12:28:19 EST 2016
Bill Burke wrote
> On 12/19/16 11:32 AM, ruiwp13 wrote:
>> Bill Burke wrote
>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>>> What you are attempting will just not work. Period. I don't think you
>>> understand how basic servlet, JAX-RS, and HTTP works along with how Open
>>> ID Connection works. OpenID Connect (and SAML) require browser
>>> redirects. In looking at your code, you're expecting authenticate() to
>>> redirect the browser to keycloak, have the user login, then redirect
>>> back. This just doesn't do what you expect. And it shouldn't.
>>> Calling servletRequest.authenticate() sets a 302 response with a
>>> Location header pointing back to the server. That's it... You
>>> actually override what authenticate() did by returning a JAX-RS
>>> response.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at .jboss
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> Thank you for the answer Bill,
>>
>> It does redirect me to keycloak login page and then back to my login
>> page.
>> The redirect back is managed by keycloak. It redirects back to the
>> application after login. It may have something wrong when I do the
>> authenticate(), but it does redirect me to Keycloak login page. If I knew
>> how everything worked I wouldn't be here asking for help eheh. I came here to
>> know what I was doing wrong or if it was a keycloak problem.
>>
>> What is the correct way to do it then?
> I'm not sure what you mean by "Login without Keycloak Login Page". Is
> this a browser application? If so, I strongly suggest you use our
> adapter and Keycloak Login pages. Login pages can be stylized however
> you want. You are not using our adapter as it was intended to be used
> so we just can't help you. You're on your own.
>
> You can do a login without keycloak login pages, but this flow is for
> REST clients only, not browser applications. Use direct grant [1] to
> obtain a token. Here's a crude example [2]. Sorry there aren't better
> docs on this.
>
> [1] https://tools.ietf.org/html/rfc6749#section-4.3
> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
Thank you for your kindness Bill.
Yes, it is a browser application but I can also make the login through REST.
At first, I was making the login with direct grant flow like in [2]. But
when I logged out the token would still be active in the application
although the session had been terminated in Keycloak. So I asked in the
forum and saw a post where they said backchannel logout isn't possible with
direct_grant and I had to use the adapters. So I was trying to do the
adapter flow with the HttpServletRequest.authenticate() and logout() through
the browser and made this post.
Basically:
1. When I tried the direct grant flow, the token was not being invalidated
after logout and I was told it wouldn't be possible to invalidate the token
unless I used the adapters.
2. I am trying to do it with the adapters, using a browser and redirecting to
Keycloak Login page and then back to my API and the problem that I am having
now with the adapter flow is that it says invalid_token when I logout. Maybe
in this one I am doing something wrong in login, but I am not sure what. I
don't see specifically anywhere how to use the adapter here with the Servlet.
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2047.html
Sent from the keycloak-user mailing list archive at Nabble.com.
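
Added example, not part of the original message and not Keycloak project code: the direct grant token request from RFC 6749 section 4.3 that the thread refers to, with validation of the reply per sections 5.1 and 5.2. The endpoint path, the public client (no client secret), the host, realm, client and user names, and the sample replies are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

# Assumed Keycloak-style token endpoint layout; confirm against your server.
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def build_direct_grant_request(base_url, realm, client_id, username, password):
    """Return (url, headers, body) for an RFC 6749 section 4.3.2 token request."""
    if urlsplit(base_url).scheme != "https":
        # The user's password travels in this request, so plain HTTP is refused.
        raise ValueError("token endpoint must use https")
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    # Credentials go in the form-encoded body, never in the query string,
    # so they do not end up in access logs or Referer headers.
    body = urlencode({
        "grant_type": "password",
        "client_id": client_id,  # assumed public client, so no client_secret
        "username": username,
        "password": password,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def parse_token_response(status, raw):
    """Validate a token endpoint reply (RFC 6749 sections 5.1 and 5.2)."""
    data = json.loads(raw)
    if status != 200 or "error" in data:
        raise PermissionError(data.get("error", "unexpected_response"))
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("malformed token response")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": int(data.get("expires_in", 0)),
    }


# Constructed sample replies, not captured from a real server.
SAMPLE_OK = ('{"access_token":"aaa.bbb.ccc","token_type":"bearer",'
             '"expires_in":300,"refresh_token":"ddd.eee.fff"}')
SAMPLE_DENIED = '{"error":"invalid_grant","error_description":"Invalid user credentials"}'

if __name__ == "__main__":
    print(build_direct_grant_request("https://sso.example.test", "demo", "my-app", "alice", "s3cret"))
    print(parse_token_response(200, SAMPLE_OK)["expires_in"])
```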