[keycloak-user] Login without Keycloak Login Page
ruiwp13
ruiwp_93 at hotmail.com
Wed Dec 21 04:48:18 EST 2016
stianst wrote
> Sorry, but I just can't spend time on figuring out what's going wrong when
> you are doing something bad.
>
> On 21 December 2016 at 10:24, ruiwp13 <ruiwp_93@> wrote:
>
>> stianst wrote
>> > That's an extremely bad hack! The authorization code flow is a redirect
>> > based flow and should not be used in this way.
>> >
>> > Please use the real login page as recommended. Alternatively use resource
>> > owner password grant (direct grant in Keycloak). With direct grants you can
>> > only invalidate the refresh token, not the session or access token so you
>> > should have a short lifespan on your access tokens.
>> >
>> > On 21 December 2016 at 09:21, ruiwp13 <ruiwp_93@> wrote:
>> >
>> >> Bill Burke wrote
>> >> > On 12/20/16 12:00 PM, ruiwp13 wrote:
>> >> >> Bill Burke wrote
>> >> >>> On 12/19/16 11:32 AM, ruiwp13 wrote:
>> >> >>>> Bill Burke wrote
>> >> >>>>> I looked at the image, specifically the @Path("/login") JAX-RS method.
>> >> >>>>> What you are attempting will just not work. Period. I don't think you
>> >> >>>>> understand how basic servlet, JAX-RS, and HTTP works along with how Open
>> >> >>>>> ID Connection works. OpenID Connect (and SAML) require browser
>> >> >>>>> redirects. In looking at your code, you're expecting authenticate() to
>> >> >>>>> redirect the browser to keycloak, have the user login, then redirect
>> >> >>>>> back. This just doesn't do what you expect. And it shouldn't.
>> >> >>>>> Calling servletRequest.authenticate() sets a 302 response with a
>> >> >>>>> Location header pointing back to the server. That's it... You
>> >> >>>>> actually override what authenticate() did by returning a JAX-RS
>> >> >>>>> response.
>> >> >>>>> _______________________________________________
>> >> >>>>> keycloak-user mailing list
>> >> >>>>> keycloak-user at .jboss
>> >> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >> >>>> Thank you for the answer Bill,
>> >> >>>>
>> >> >>>> It does redirect me to keycloak login page and then back to my login
>> >> >>>> page. The redirect back is managed by keycloak. It redirects back to the
>> >> >>>> application after login. It may have something wrong when I do the
>> >> >>>> authenticate(), but it does redirect me to Keycloak login page. If I
>> >> >>>> knew how everything worked I wouldn't be here asking for help eheh. I came
>> >> >>>> here to know what I was doing wrong or if it was a keycloak problem.
>> >> >>>>
>> >> >>>> What is the correct way to do it then?
>> >> >>> I'm not sure what you mean by "Login without Keycloak Login Page". Is
>> >> >>> this a browser application? If so, I strongly suggest you use our
>> >> >>> adapter and Keycloak Login pages. Login pages can be stylized however
>> >> >>> you want. You are not using our adapter as it was intended to be used
>> >> >>> so we just can't help you. You're on your own.
>> >> >>>
>> >> >>> You can do a login without keycloak login pages, but this flow is for
>> >> >>> REST clients only, not browser applications. Use direct grant [1] to
>> >> >>> obtain a token. Here's a crude example [2] Sorry there isn't better
>> >> >>> docs on this.
>> >> >>>
>> >> >>> [1] https://tools.ietf.org/html/rfc6749#section-4.3
>> >> >>> [2] https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java
>> >> >>>
>> >> >> Is there no possibility of invalidating the token or at least, set its
>> >> >> expiration to "now" when the user logs out?
>> >> >> Now, when I logout I get the backchannel logout request from keycloak but
>> >> >> the token is still valid. I am able to access the secured pages even though
>> >> >> the session in keycloak has ended.
>> >> > Are you still doing your *hack* approach?
>> >> > HttpServletRequest.getSession().invalidate() might work. Like I said
>> >> > before, if you insist on doing things your own way and in a way that was
>> >> > not intended for the adapter to work, there's not much we can help you
>> >> > with.
>> >> >
>> >> > Bill
>> >>
>> >>
>> >> Hello Bill,
>> >>
>> >> Well, not sure if it is a hack approach. I want to login through REST
>> >> without having to be redirected to keycloak login page because there is a
>> >> part where there will be no browser interaction.
>> >> At the moment, I am logging in with authorization code flow through HTTP
>> >> GETs and POSTs and scraping the login form to get the code & state. I also
>> >> send the client_session_state containing the
>> >> HttpServletRequest.getSession().getId()
>> >> To logout I am making a POST call to the logout endpoint sending the
>> >> refresh_token and the client_id and client_secret.
>> >>
>> >> Is this the right way to do it?
>> >> Otherwise how am I supposed to logout without a browser, in a servlet?
>> >>
>>
>> OK, thank you.
>>
>> Well stianst, it is a bad hack but I am getting the callback from keycloak
>> to my server. I receive the {Admin URL}/k_logout call. Why doesn't it
>> invalidate the token as well? When I tried the browser redirect login it did
>> log me out of the app and I had to login again in browser to access
>> secured pages but I still could use the token anyway. The token was not
>> invalidated.
>>
I'm sorry, but before this "hack" I used the adapter correctly with the
browser redirect and the token wasn't invalidated. That is what I am saying.
The browser session ended, the cookies and JSESSION were cleaned and I had
to login again to access secure pages. But if I copied the token to POSTMAN
and made a request I was able to access secure pages through REST anyway.
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Login-without-Keycloak-Login-Page-tp1974p2081.html
Sent from the keycloak-user mailing list archive at Nabble.com.
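The behaviour both sides of this thread describe (a logout ends the Keycloak session and revokes the refresh token, but an access token that was already copied out of the browser keeps working until its exp claim passes) is shown below in an added example. It is not code from the thread, from the Keycloak project, or from the AdminClient example Bill linked. It assumes a 2016-era base URL ending in /auth, the standard OpenID Connect endpoint names under /realms/{realm}/protocol/openid-connect/ (token, logout, token/introspect), a confidential client, and a constructed in-memory stand-in for the server so the whole flow runs offline; the credentials and realm name are placeholders.

```python
"""Direct grant login, logout, and the two checks a resource server can make
on a bearer access token afterwards: the local exp check (still passes after
logout, which is what the thread observed) and RFC 7662 introspection (reports
the token inactive once the session is gone). Added example, not Keycloak code."""
import base64
import json
import time
import urllib.parse
import urllib.request


def oidc_endpoint(base_url, realm, name):
    """Keycloak OpenID Connect endpoint URL (assumed layout: base ends in /auth)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/{name}"


def form_post(url, fields):
    """Default transport: form-encoded POST; logout answers with an empty body."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


def direct_grant(post, base_url, realm, client_id, client_secret, username, password):
    """Resource owner password grant (RFC 6749 section 4.3); returns the token response."""
    return post(oidc_endpoint(base_url, realm, "token"), {
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username, "password": password,
    })


def logout(post, base_url, realm, client_id, client_secret, refresh_token):
    """Ends the SSO session and revokes the refresh token. The access token
    already handed out is not touched: it stays a valid bearer token until exp."""
    return post(oidc_endpoint(base_url, realm, "logout"), {
        "client_id": client_id, "client_secret": client_secret,
        "refresh_token": refresh_token,
    })


def introspect(post, base_url, realm, client_id, client_secret, token):
    """RFC 7662 introspection: the server-side check that notices a logout before exp."""
    return post(oidc_endpoint(base_url, realm, "token/introspect"), {
        "client_id": client_id, "client_secret": client_secret, "token": token,
    })


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none, empty signature) used only for the exp demo."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token):
    """Decode the payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def access_token_expired(token, now=None):
    """Local check with no round trip: exp claim against the current time."""
    now = time.time() if now is None else now
    return jwt_claims(token).get("exp", 0) <= now


class StubKeycloak:
    """Constructed stand-in for the server: remembers whether the session is
    alive, which introspection reports and the exp claim cannot."""

    def __init__(self, now):
        self.session_active = False
        self.now = now

    def post(self, url, fields):
        if url.endswith("/token"):
            self.session_active = True
            return {"access_token": make_unsigned_jwt({"exp": self.now + 300}),
                    "refresh_token": "rt-constructed"}
        if url.endswith("/logout"):
            self.session_active = False
            return {}
        if url.endswith("/token/introspect"):
            return {"active": self.session_active
                    and not access_token_expired(fields["token"], self.now)}
        raise ValueError(url)


def demo(now=1482300000):
    """Login, log out, then test the leftover access token both ways."""
    kc = StubKeycloak(now)
    args = ("http://localhost:8080/auth", "demo-realm", "app", "secret-placeholder")
    tokens = direct_grant(kc.post, *args, "alice", "password-placeholder")
    at = tokens["access_token"]
    logout(kc.post, *args, tokens["refresh_token"])
    return {"expired_locally": access_token_expired(at, now),        # False: 5 min left
            "active_per_server": introspect(kc.post, *args, at)["active"]}  # False


if __name__ == "__main__":
    print(demo())
```

Against a real server, pass `form_post` instead of `kc.post`. The design point is that the exp check alone is exactly the gap the thread ran into, so either keep the access token lifespan short (stianst's advice) or have the resource server introspect tokens on sensitive requests; both are defender-side controls, not changes to the login flow.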