[keycloak-user] Login without Keycloak Login Page

Stian Thorgersen sthorger at redhat.com
Wed Dec 21 04:09:32 EST 2016


That's an extremely bad hack! The authorization code flow is a redirect
based flow and should not be used in this way.

Please use the real login page as recommended. Alternatively use resource
owner password grant (direct grant in Keycloak). With direct grants you can
only invalidate the refresh token, not the session or access token, so you
should have a short lifespan on your access tokens.

On 21 December 2016 at 09:21, ruiwp13 <ruiwp_93 at hotmail.com> wrote:

> Bill Burke wrote
> > On 12/20/16 12:00 PM, ruiwp13 wrote:
> >> Bill Burke wrote
> >>> On 12/19/16 11:32 AM, ruiwp13 wrote:
> >>>> Bill Burke wrote
> >>>>> I looked at the image, specifically the @Path("/login") JAX-RS
> >>>>> method.  What you are attempting will just not work.  Period.  I don't
> >>>>> think you understand how basic servlet, JAX-RS, and HTTP works along
> >>>>> with how OpenID Connect works.  OpenID Connect (and SAML) require
> >>>>> browser redirects.  In looking at your code, you're expecting
> >>>>> authenticate() to redirect the browser to keycloak, have the user
> >>>>> login, then redirect back.  This just doesn't do what you expect.  And
> >>>>> it shouldn't.  Calling servletRequest.authenticate() sets a 302
> >>>>> response with a Location header pointing back to the server.  That's
> >>>>> it...  You actually override what authenticate() did by returning a
> >>>>> JAX-RS response.
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>> Thank you for the answer Bill,
> >>>>
> >>>> It does redirect me to keycloak login page and then back to my login
> >>>> page. The redirect back is managed by keycloak. It redirects back to
> >>>> the application after login. It may have something wrong when I do the
> >>>> authenticate(), but it does redirect me to Keycloak login page. If I
> >>>> knew how everything worked I wouldn't be here asking for help eheh. I
> >>>> came here to know what I was doing wrong or if it was a keycloak
> >>>> problem.
> >>>>
> >>>> What is the correct way to do it then?
> >>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
> >>> this a browser application?  If so, I strongly suggest you use our
> >>> adapter and Keycloak Login pages.  Login pages can be stylized however
> >>> you want.  You are not using our adapter as it was intended to be used
> >>> so we just can't help you.  You're on your own.
> >>>
> >>> You can do a login without keycloak login pages, but this flow is for
> >>> REST clients only, not browser applications.  Use direct grant [1] to
> >>> obtain a token.  Here's a crude example [2].  Sorry there aren't better
> >>> docs on this.
> >>>
> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
> >>> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> >>>
> >>>
> >> Is there no possibility of invalidating the token or at least setting its
> >> expiration to "now" when the user logs out?
> >> Now, when I logout I get the backchannel logout request from keycloak but
> >> the token is still valid. I am able to access the secured pages even
> >> though the session in keycloak has ended.
> > Are you still doing your *hack* approach?
> > HttpServletRequest.getSession().invalidate() might work.  Like I said
> > before, if you insist on doing things your own way and in a way that was
> > not intended for the adapter to work, there's not much we can help you
> > with.
> >
> > Bill
>
> Hello Bill,
>
> Well, not sure if it is a hack approach. I want to login through REST
> without having to be redirected to keycloak login page because there is a
> part where there will be no browser interaction.
> At the moment, I am logging in with authorization code flow through HTTP
> GETs and POSTs and scraping the login form to get the code & state. I also
> send the client_session_state containing the
> HttpServletRequest.getSession().getId().
> To logout I am making a POST call to the logout endpoint sending the
> refresh_token and the client_id and client_secret.
>
> Is this the right way to do it?
> Otherwise how am I supposed to logout without a browser, in a servlet?
>
>
>
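The recommended non-browser path from this thread, direct grant (RFC 6749 section 4.3) followed by a POST of the refresh token to the logout endpoint, as an added example that is not code from the thread or from the Keycloak project. It also makes Stian's caveat concrete: after logout the refresh token is gone, but the access token stays valid until its `exp`, so the client must plan around a short lifespan. Assumptions: the endpoint paths follow Keycloak's usual realm layout (`/realms/{realm}/protocol/openid-connect/token` and `/logout`); the `post` transport hook, `KeycloakDirectGrant`, `jwt_claims`, `access_token_seconds_left` and `make_unsigned_jwt` are names chosen here, and the alg=none token built by `make_unsigned_jwt` is a constructed sample for offline use only.

```python
"""Direct grant login and refresh-token logout against a Keycloak realm.

Added example (not from the mailing-list thread or the Keycloak code base).
Assumed endpoint layout: /realms/{realm}/protocol/openid-connect/{token,logout}.
`post(url, form) -> (status, body)` is an injectable transport so the logic can
be exercised offline with a fake; the default uses urllib over real HTTPS.
"""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def urllib_post(url, form):
    """Default transport: form-encoded POST, returns (status, body_text)."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


class KeycloakDirectGrant:
    def __init__(self, base_url, realm, client_id, client_secret, post=urllib_post):
        realm_base = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
        self.token_url = realm_base + "/token"
        self.logout_url = realm_base + "/logout"
        self.client_id = client_id
        self.client_secret = client_secret
        self._post = post

    def login(self, username, password):
        """Resource owner password credentials grant; returns the token response."""
        status, body = self._post(self.token_url, {
            "grant_type": "password",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "username": username,
            "password": password,
        })
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}: {body}")
        return json.loads(body)

    def logout(self, refresh_token):
        """POST refresh_token + client credentials to the logout endpoint, as the
        thread describes. This revokes the refresh token / session only; the
        access token remains usable until its exp (see access_token_seconds_left)."""
        status, _ = self._post(self.logout_url, {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": refresh_token,
        })
        return 200 <= status < 300


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) for offline demos only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token):
    """Read the payload WITHOUT verifying the signature. Acceptable only for a
    token we just received from the issuer over TLS to schedule refresh/expiry;
    never use this to decide whether to trust a token presented by a caller."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def access_token_seconds_left(access_token, now=None):
    """Remaining validity of the access token; unchanged by logout()."""
    now = time.time() if now is None else now
    return max(0, int(jwt_claims(access_token)["exp"] - now))
```

Because `logout()` cannot shorten the access token, a resource server that must react immediately to a backchannel logout has to either keep token lifespans short (Stian's advice) or track logged-out sessions itself; the value returned by `access_token_seconds_left` is what the client should use to decide when to refresh, not as proof that the session is still alive.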

