[keycloak-user] Login without Keycloak Login Page

Stian Thorgersen sthorger at redhat.com
Wed Dec 21 04:38:57 EST 2016


Sorry, but I just can't spend time on figuring out what's going wrong when
you are doing something bad.

On 21 December 2016 at 10:24, ruiwp13 <ruiwp_93 at hotmail.com> wrote:

> stianst wrote
> > That's an extremely bad hack! The authorization code flow is a redirect
> > based flow and should not be used in this way.
> >
> > Please use the real login page as recommended. Alternatively use resource
> > owner password grant (direct grant in Keycloak). With direct grants you
> > can only invalidate the refresh token, not the session or access token,
> > so you should have a short lifespan on your access tokens.
> >
> > On 21 December 2016 at 09:21, ruiwp13 <
>
> > ruiwp_93@
>
> > > wrote:
> >
> >> Bill Burke wrote
> >> > On 12/20/16 12:00 PM, ruiwp13 wrote:
> >> >> Bill Burke wrote
> >> >>> On 12/19/16 11:32 AM, ruiwp13 wrote:
> >> >>>> Bill Burke wrote
> >> >>>>> I looked at the image, specifically the @Path("/login") JAX-RS
> >> >>>>> method. What you are attempting will just not work.  Period.  I
> >> >>>>> don't think you understand how basic servlet, JAX-RS, and HTTP
> >> >>>>> work along with how OpenID Connect works.  OpenID Connect (and
> >> >>>>> SAML) require browser redirects.  In looking at your code, you're
> >> >>>>> expecting authenticate() to redirect the browser to keycloak, have
> >> >>>>> the user login, then redirect back.  This just doesn't do what you
> >> >>>>> expect.  And it shouldn't.  Calling servletRequest.authenticate()
> >> >>>>> sets a 302 response with a Location header pointing back to the
> >> >>>>> server.  That's it...  You actually override what authenticate()
> >> >>>>> did by returning a JAX-RS response.
> >> >>>>> _______________________________________________
> >> >>>>> keycloak-user mailing list
> >> >>>>> keycloak-user at lists.jboss.org
> >> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >>>> Thank you for the answer Bill,
> >> >>>>
> >> >>>> It does redirect me to the keycloak login page and then back to my
> >> >>>> login page. The redirect back is managed by keycloak. It redirects
> >> >>>> back to the application after login. It may have something wrong
> >> >>>> when I do the authenticate(), but it does redirect me to the
> >> >>>> Keycloak login page. If I knew how everything worked I wouldn't be
> >> >>>> here asking for help eheh. I came here to know what I was doing
> >> >>>> wrong or if it was a keycloak problem.
> >> >>>>
> >> >>>> What is the correct way to do it then?
> >> >>> I'm not sure what you mean by "Login without Keycloak Login Page".
> >> >>> Is this a browser application?  If so, I strongly suggest you use
> >> >>> our adapter and Keycloak Login pages.  Login pages can be stylized
> >> >>> however you want.  You are not using our adapter as it was intended
> >> >>> to be used so we just can't help you.  You're on your own.
> >> >>>
> >> >>> You can do a login without keycloak login pages, but this flow is
> >> >>> for REST clients only, not browser applications.  Use direct grant
> >> >>> [1] to obtain a token.  Here's a crude example [2].  Sorry there
> >> >>> aren't better docs on this.
> >> >>>
> >> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
> >> >>> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
> >> >>>
> >> >>>
> >> >> Is there no possibility of invalidating the token or at least
> >> >> setting its expiration to "now" when the user logs out?
> >> >> Now, when I logout I get the backchannel logout request from
> >> >> keycloak but the token is still valid. I am able to access the
> >> >> secured pages even though the session in keycloak has ended.
> >> > Are you still doing your *hack* approach?
> >> > HttpServletRequest.getSession().invalidate() might work.  Like I said
> >> > before, if you insist on doing things your own way and in a way that
> >> > was not intended for the adapter to work, there's not much we can help
> >> > you with.
> >> >
> >> > Bill
> >>
> >> Hello Bill,
> >>
> >> Well, not sure if it is a hack approach. I want to login through REST
> >> without having to be redirected to the keycloak login page because there
> >> is a part where there will be no browser interaction.
> >> At the moment, I am logging in with authorization code flow through HTTP
> >> GETs and POSTs and scraping the login form to get the code & state. I
> >> also send the client_session_state containing the
> >> HttpServletRequest.getSession().getId()
> >> To logout I am making a POST call to the logout endpoint sending the
> >> refresh_token and the client_id and client_secret.
> >>
> >> Is this the right way to do it?
> >> Otherwise how am I supposed to logout without a browser, in a servlet?
> >>
> >>
> >>
> >> --
> >> View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2075.html
> >> Sent from the keycloak-user mailing list archive at Nabble.com.
> >>
>
> OK, thank you.
>
> Well stianst, it is a bad hack but I am getting the callback from keycloak
> to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
> invalidate the token as well? When I tried the browser redirect login it
> did log me out of the app and I had to login again in the browser to
> access secured pages, but I still could use the token anyway. The token
> was not invalidated.
>
>
>
> --
> View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2078.html
> Sent from the keycloak-user mailing list archive at Nabble.com.
>

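The point the whole thread turns on, as an added example that is not code from the original posts or from the Keycloak project: a direct grant (RFC 6749 section 4.3 resource owner password credentials) issues a self-contained, signed access token plus a refresh token; posting the refresh token to the logout endpoint ends the session and kills the refresh token, but a resource server that validates the access token offline (signature and exp) will keep accepting it until it expires, exactly as Rui observed after the k_logout callback. The model below is a constructed simulation: HS256 with a shared key stands in for Keycloak's RS256 realm keys, in-memory dicts stand in for the realm's session store, the username and password are made up, and the introspection call is an assumed online check (RFC 7662 style) rather than a specific Keycloak API.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT; constructed stand-in for the RS256 tokens a real realm issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token_offline(token: str, key: bytes, now: int):
    """What a stateless resource server does with a bearer token: check the
    signature and exp, nothing else. It has no way to learn about a logout.
    Returns the claims, or None if the token is malformed, forged or expired."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class FakeKeycloak:
    """Constructed model of the realm: issues tokens for a direct grant,
    revokes the refresh token and session on logout, answers introspection."""

    def __init__(self, key: bytes, access_lifespan: int):
        self.key = key
        self.access_lifespan = access_lifespan
        self.sessions = {}        # session_state -> username
        self.refresh_tokens = {}  # refresh_token -> session_state

    def direct_grant(self, username: str, password: str, now: int) -> dict:
        # grant_type=password: the credential check is a constructed stub.
        if password != "correct-horse":
            raise PermissionError("invalid_grant")
        session_state = secrets.token_hex(8)
        self.sessions[session_state] = username
        refresh = secrets.token_urlsafe(24)
        self.refresh_tokens[refresh] = session_state
        access = sign_jwt({"sub": username, "session_state": session_state,
                           "iat": now, "exp": now + self.access_lifespan}, self.key)
        return {"access_token": access, "refresh_token": refresh,
                "expires_in": self.access_lifespan, "token_type": "bearer"}

    def logout(self, refresh_token: str) -> None:
        # Logout endpoint: ends the session and invalidates the refresh token.
        # The already-issued access token is not touched; nothing can recall it.
        session_state = self.refresh_tokens.pop(refresh_token, None)
        if session_state is not None:
            self.sessions.pop(session_state, None)

    def introspect(self, access_token: str, now: int) -> dict:
        # Assumed online check: only the server knows whether the session is alive.
        claims = verify_access_token_offline(access_token, self.key, now)
        active = claims is not None and claims["session_state"] in self.sessions
        return {"active": active}


def demo(access_lifespan: int = 300) -> dict:
    """Login via direct grant, log out, then ask both an offline verifier and
    the server whether the access token is still good."""
    kc = FakeKeycloak(key=b"constructed-realm-hmac-key", access_lifespan=access_lifespan)
    t0 = 1_482_300_000  # constructed timestamp, around the date of this thread
    tokens = kc.direct_grant("alice", "correct-horse", now=t0)
    kc.logout(tokens["refresh_token"])
    t1 = t0 + 60
    return {
        "offline_valid_after_logout": verify_access_token_offline(tokens["access_token"], kc.key, t1) is not None,
        "introspect_active_after_logout": kc.introspect(tokens["access_token"], t1)["active"],
        "offline_valid_after_expiry": verify_access_token_offline(tokens["access_token"], kc.key, t0 + access_lifespan + 1) is not None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The first result is the behaviour Rui saw and Stian explained: after logout the offline check still passes for up to `access_lifespan` seconds, so the only levers are a short access token lifespan or an online check (introspection, or the adapter's own session tracking) on each request.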
