[keycloak-user] Login without Keycloak Login Page

Bill Burke bburke at redhat.com
Tue Dec 20 13:29:07 EST 2016



On 12/20/16 12:00 PM, ruiwp13 wrote:
> Bill Burke wrote
>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>>> Bill Burke wrote
>>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>>>> What you are attempting will just not work.  Period.  I don't think you
>>>> understand how basic servlet, JAX-RS, and HTTP works along with how OpenID
>>>> Connect works.  OpenID Connect (and SAML) require browser
>>>> redirects.  In looking at your code, you're expecting authenticate() to
>>>> redirect the browser to keycloak, have the user login, then redirect
>>>> back.  This just doesn't do what you expect.  And it shouldn't.
>>>> Calling servletRequest.authenticate() sets a 302 response with a
>>>> Location header pointing back to the server.   That's it...  You
>>>> actually override what authenticate() did by returning a JAX-RS
>>>> response.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at .jboss
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> Thank you for the answer Bill,
>>>
>>> It does redirect me to keycloak login page and then back to my login
>>> page.
>>> The redirect back is managed by keycloak. It redirects back to the
>>> application after login. It may have something wrong when I do the
>>> authenticate(), but it does redirect me to Keycloak login page. If I knew
>>> how everything worked I wasn't here asking for help eheh. I came here to
>>> know what I was doing wrong or if it was a keycloak problem.
>>>
>>> What is the correct way to do it then?
>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
>> this a browser application?  If so, I strongly suggest you use our
>> adapter and Keycloak Login pages.  Login pages can be stylized however
>> you want.  You are not using our adapter as it was intended to be used
>> so we just can't help you.  You're on your own.
>>
>> You can do a login without keycloak login pages, but this flow is for
>> REST clients only, not browser applications.  Use direct grant [1] to
>> obtain a token.  Here's a crude example [2].  Sorry there isn't better
>> docs on this.
>>
>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
>> [2]
>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>
>>
> Is there no possibility of invalidating the token or at least, set its
> expiration to "now" when the user logs out?
> Now, when I logout I get the backchannel logout request from keycloak but
> the token is still valid. I am able to access the secured pages even though
> the session in keycloak has ended.
Are you still doing your *hack* approach? 
HttpServletRequest.getSession().invalidate() might work.  Like I said 
before, if you insist on doing things your own way and in a way that was 
not intended for the adapter to work, there's not much we can help you with.

Bill

