[keycloak-user] Login without Keycloak Login Page

ruiwp13 ruiwp_93 at hotmail.com
Tue Dec 20 12:00:49 EST 2016 

Bill Burke wrote
> On 12/19/16 11:32 AM, ruiwp13 wrote:
>> Bill Burke wrote
>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>>> What you are attempting will just not work.  Period.  I don't think you
>>> understand how basic servlet, JAX-RS, and HTTP works along with how Open
>>> ID Connection works.  OpenID Connect (and SAML) require browser
>>> redirects.  In looking at your code, you're expecting authenticate() to
>>> redirect the browser to keycloak, have the user login, then redirect
>>> back.  This just doesn't do what you expect.  And it shouldn't.
>>> Calling servletRequest.authenticate() sets a 302 response with a
>>> Location header pointing back to the server.   That's it...  You
>>> actually override what authenticate() did by returning a JAX-RS
>>> response.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at .jboss
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> Thank you for the answer Bill,
>>
>> It does redirect me to keycloak login page and then back to my login
>> page.
>> The redirect back is managed by keycloak. It redirects back to the
>> application after login. It may have something wrong when I do the
>> authenticate(), but it does redirect me to Keycloak login page. If I knew
>> how everything worked I wasn't here asking for help eheh. I came here to
>> know what I was doing wrong or if it was a keycloak problem.
>>
>> What is the correct way to do it then?
> I'm not sure what you mean by "Login without Keycloak Login Page". Is 
> this a browser application?  If so, I strongly suggest you use our 
> adapter and Keycloak Login pages.  Login pages can be stylized however 
> you want.  You are not using our adapter as it was intended to be used 
> so we just can't help you.  You're on your own.
> 
> You can do a login without keycloak login pages, but this flow is for 
> REST clients only, not browser applications.  Use direct grant [1] to 
> obtain a token.  Here's a crude example [2]  Sorry there isn't better 
> docs on this.
> 
> [1] https://tools.ietf.org/html/rfc6749#section-4.3
> [2] 
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> 
> 
> _______________________________________________
> keycloak-user mailing list

> keycloak-user at .jboss

> https://lists.jboss.org/mailman/listinfo/keycloak-user

Is there no possibility of invalidating the token or at least, set it's
expiration to "now" when the user logs out?
Now, when I logout I get the backchannel logout request from keycloak but
the token is still valid. I am able to access the secured pages even though
the session in keycloak has ended.



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2067.html
Sent from the keycloak-user mailing list archive at Nabble.com.

More information about the keycloak-user mailing list