[keycloak-user] Login without Keycloak Login Page

ruiwp13 ruiwp_93 at hotmail.com
Wed Dec 21 03:21:44 EST 2016


Bill Burke wrote
> On 12/20/16 12:00 PM, ruiwp13 wrote:
>> Bill Burke wrote
>>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>>>> Bill Burke wrote
>>>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>>>>> What you are attempting will just not work.  Period.  I don't think you
>>>>> understand how basic servlet, JAX-RS, and HTTP works along with how
>>>>> OpenID Connect works.  OpenID Connect (and SAML) require browser
>>>>> redirects.  In looking at your code, you're expecting authenticate() to
>>>>> redirect the browser to keycloak, have the user login, then redirect
>>>>> back.  This just doesn't do what you expect.  And it shouldn't.
>>>>> Calling servletRequest.authenticate() sets a 302 response with a
>>>>> Location header pointing back to the server.   That's it...  You
>>>>> actually override what authenticate() did by returning a JAX-RS
>>>>> response.
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at .jboss
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> Thank you for the answer Bill,
>>>>
>>>> It does redirect me to keycloak login page and then back to my login page.
>>>> The redirect back is managed by keycloak. It redirects back to the
>>>> application after login. It may have something wrong when I do the
>>>> authenticate(), but it does redirect me to Keycloak login page. If I knew
>>>> how everything worked I wouldn't be here asking for help eheh. I came here
>>>> to know what I was doing wrong or if it was a keycloak problem.
>>>>
>>>> What is the correct way to do it then?
>>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
>>> this a browser application?  If so, I strongly suggest you use our
>>> adapter and Keycloak Login pages.  Login pages can be stylized however
>>> you want.  You are not using our adapter as it was intended to be used
>>> so we just can't help you.  You're on your own.
>>>
>>> You can do a login without keycloak login pages, but this flow is for
>>> REST clients only, not browser applications.  Use direct grant [1] to
>>> obtain a token.  Here's a crude example [2]  Sorry there isn't better
>>> docs on this.
>>>
>>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
>>> [2]
>>> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>>>
>>>
>> Is there no possibility of invalidating the token or at least setting its
>> expiration to "now" when the user logs out?
>> Now, when I logout I get the backchannel logout request from keycloak but
>> the token is still valid. I am able to access the secured pages even though
>> the session in keycloak has ended.
> Are you still doing your *hack* approach? 
> HttpServletRequest.getSession().invalidate() might work.  Like I said 
> before, if you insist on doing things your own way and in a way that was 
> not intended for the adapter to work, there's not much we can help you
> with.
> 
> Bill

Hello Bill,

Well, not sure if it is a hack approach. I want to login through REST
without having to be redirected to the keycloak login page because there is a
part where there will be no browser interaction.
At the moment, I am logging in with the authorization code flow through HTTP
GETs and POSTs and scraping the login form to get the code & state. I also
send the client_session_state containing the
HttpServletRequest.getSession().getId()
To logout I am making a POST call to the logout endpoint sending the
refresh_token and the client_id and client_secret.

Is this the right way to do it?
Otherwise how am I supposed to logout without a browser, in a servlet?



--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2075.html
Sent from the keycloak-user mailing list archive at Nabble.com.
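
Added example for this thread (not code from Keycloak or from either poster): the browser-less flow Bill points at, a direct grant (RFC 6749 section 4.3, grant_type=password) to get tokens instead of scraping the login form, and a POST of the refresh_token with client_id and client_secret to the logout endpoint, as the last message describes. The base URL, realm, client id, secret, credentials and the 204 logout status are placeholders/assumptions for your deployment; the endpoint paths are Keycloak's standard openid-connect ones and should be checked against your version. The sample token reply is constructed so the parsing and expiry check run offline.

```python
"""Browser-less login (direct grant) and logout against Keycloak.

Added example for the thread above; not code from Keycloak or from the poster.
Base URL, realm, client id, secret, credentials and the 204 logout status are
assumptions; endpoint paths are Keycloak's standard openid-connect paths.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment values (placeholders; replace with your own).
KEYCLOAK_BASE = "http://localhost:8080/auth"
REALM = "demo"
CLIENT_ID = "my-rest-client"
CLIENT_SECRET = "replace-me"


def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    return "%s/realms/%s/protocol/openid-connect/token" % (base, realm)


def logout_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    return "%s/realms/%s/protocol/openid-connect/logout" % (base, realm)


def direct_grant_body(username, password, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Form body for the Resource Owner Password Credentials grant (RFC 6749 4.3).
    The client authenticates with its secret, the user with username/password;
    no redirect and no login page are involved."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def logout_body(refresh_token, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Form body for the logout endpoint; the refresh token identifies the Keycloak session."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    })


def parse_token_response(raw, now=None):
    """Turn a token endpoint JSON reply into a dict with absolute expiry times.
    Raises ValueError on an OAuth error reply ({"error": ..., "error_description": ...})."""
    data = json.loads(raw)
    if "error" in data:
        raise ValueError("%s: %s" % (data["error"], data.get("error_description", "")))
    now = time.time() if now is None else now
    return {
        "access_token": data["access_token"],
        "refresh_token": data["refresh_token"],
        "expires_at": now + int(data["expires_in"]),
        "refresh_expires_at": now + int(data["refresh_expires_in"]),
    }


def is_expired(token, now=None):
    """True once the access token's lifetime has passed. This is the caveat raised in
    the thread: ending the Keycloak session does not shorten an access token already
    issued, it stays a usable bearer token until this moment, so the servlet side must
    also invalidate its own HttpSession on logout."""
    now = time.time() if now is None else now
    return now >= token["expires_at"]


def post_form(url, body):
    """POST an application/x-www-form-urlencoded body; return (status, response text)."""
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8")


def login(username, password):
    """Direct grant against a live Keycloak; raises ValueError on an OAuth error body."""
    _status, text = post_form(token_endpoint(), direct_grant_body(username, password))
    return parse_token_response(text)


def logout(token):
    """End the Keycloak session; 204 No Content on success is an assumption for your version."""
    status, _ = post_form(logout_endpoint(), logout_body(token["refresh_token"]))
    return status == 204


# Constructed sample reply, shaped like a Keycloak token response, for an offline dry run.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "header.payload.signature",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "header.refresh.signature",
    "token_type": "bearer",
    "session_state": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, now=1000)
    print("access token usable until", tok["expires_at"], "expired at 1400?", is_expired(tok, now=1400))
    # Live use (needs a running Keycloak): tok = login("alice", "s3cret"); ...; logout(tok)
```

The logout call revokes the session on the Keycloak side; the access token the servlet already holds is a self-contained bearer token and remains valid until its expiry, which is why Bill's suggestion to call HttpServletRequest.getSession().invalidate() on logout still applies alongside this POST.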

