[keycloak-user] Disabling status cookie

Bill Burke bburke at redhat.com
Tue Feb 16 07:38:43 EST 2016


See our direct grant API. Here's an example:

https://github.com/keycloak/keycloak/blob/master/examples/demo-template/admin-access-app/src/main/java/org/keycloak/example/AdminClient.java

I *STRONGLY* suggest you do not use the direct grant API for 
browser-based applications.  Otherwise you lose 90% of the features of 
Keycloak.  Use the direct grant API for REST clients, that's what it was 
designed for.

On 2/16/2016 1:59 AM, Sarp Kaya wrote:
> Hello,
>
> I want my users to be able to login via API calls with or without 
> requiring a browser. I looked at examples and found customer-app-cli, 
> however I realised that even with manual login, the current workflow 
> requires a browser to login. I found that every time when
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob
>
> this page loads we get a form with a different code. In theory we 
> should be able to just stick username and password in the body and be 
> able to get 302 response. However when I get the curl equivalent of 
> what browser is doing I’ve gotten the below:
>
> curl 
> 'http://localhost:8080/auth/realms/demo/login-actions/authenticate?code=oY8nS7rFOlwYHNJwWS6kcw88jbxluo8EuDmZ_o5TWsw.431db3e8-6234-4ba5-8818-ed0335b8ee72&execution=08d88824-1286-4455-b5d1-07240bda8efd' 
> -H 'Cookie: 
> KEYCLOAK_STATE_CHECKER=a2teB_8_wfAfD9VtmV0DJhqDEuM9187r58mVW24Gfrg; 
> KC_RESTART=eyJhbGciOiJIUzI1NiJ9.[...].B5vuMj-fafRAS0gJ6m-OrU5cX0atABuWy252y5k7jr0' 
> -H 'Origin: http://localhost:8080' -H 'Accept-Encoding: gzip, deflate' 
> -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1' 
> -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 
> Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded' -H 
> 'Accept: 
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' 
> -H 'Cache-Control: max-age=0' -H 'Referer: 
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=customer-portal-cli&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob' 
> -H 'Connection: keep-alive' --data 
> 'username=sarp&password=pass1234&login=Log+in' --compressed
>
> I was hoping not to use the cookies and just change the code bit with 
> a new request to the page mentioned above and expect 302 response, 
> however I am getting 500 responses saying error occurred instead.
>
> I looked on admin management console, but could not really find a way 
> to disable cookies for the given client or the realm. I am guessing 
> that one of those cookies are encrypting something that is required 
> and not using it simply prevents logging in successfully. So how can I 
> disable this requirement?
>
> Kind Regards,
> Sarp Kaya
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
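As an added illustration of Bill's advice (this is not code from the thread or from Keycloak itself), a minimal Python direct-grant client for a non-browser REST tool: it sends one POST to the realm's token endpoint instead of replaying the login form with its KEYCLOAK_STATE_CHECKER / KC_RESTART cookies. Assumptions: the token endpoint sits next to the .../protocol/openid-connect/auth URL Sarp quoted, and customer-portal-cli is a public client with Direct Access Grants enabled; a transport callable is injected so the request/response handling can be exercised offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Values from the thread; token endpoint path assumed next to the quoted .../auth URL.
BASE_URL = "http://localhost:8080/auth"
REALM = "demo"
CLIENT_ID = "customer-portal-cli"  # assumed public client, Direct Access Grants enabled

class DirectGrantError(Exception):
    """Token endpoint rejected the grant (Keycloak answers 401 invalid_grant)."""

def token_endpoint(base_url=BASE_URL, realm=REALM):
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"

def direct_grant_form(username, password, client_id=CLIENT_ID, client_secret=None):
    # grant_type=password is the OAuth2 resource-owner password ("direct") grant.
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if client_secret:  # only confidential clients send a secret
        form["client_secret"] = client_secret
    return form

def urllib_transport(url, body, headers):
    """Real HTTP POST; returns (status, raw_body) for 2xx and 4xx/5xx alike."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def request_token(username, password, transport=urllib_transport, **client):
    """One POST: no login-form code, no KEYCLOAK_STATE_CHECKER / KC_RESTART cookies."""
    body = urllib.parse.urlencode(direct_grant_form(username, password, **client)).encode()
    status, raw = transport(token_endpoint(), body,
                            {"Content-Type": "application/x-www-form-urlencoded"})
    payload = json.loads(raw.decode())
    if status != 200 or "access_token" not in payload:
        raise DirectGrantError(payload.get("error_description") or payload.get("error") or status)
    return payload

def decode_claims(jwt):
    """Inspect a JWT's claims (exp, roles ...) for display; this is NOT a signature check."""
    segment = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
```

Verify the access token's signature with the realm's public key before trusting its claims; decode_claims only makes them readable.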
