[keycloak-user] Validate User Credentials Without Creating a Session

Pedro Igor Silva psilva at redhat.com
Fri Feb 2 09:46:46 EST 2018


Same thing with SAML ECP. This profile is basically a POST binding over
SOAP.

On Fri, Feb 2, 2018 at 12:18 PM, Josh Cain <jcain at redhat.com> wrote:

> Would be +1 for reviewing an option to alter this behavior.
>
> Doing work again on docker flows, and they're truly stateless clients
> (you can send session cookies/info, but they'll just be discarded by the
> client).  We get the session creation overhead for no reason.
>
> I also think of SAML ECP profile (if anyone is even using that these
> days).  Does that need to create a session?
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 02/02/2018 07:23 AM, Pedro Igor Silva wrote:
> > We have a similar behavior when doing client credentials where sessions
> are
> > created on every single invocation to the token endpoint.
> >
> > For grant types other than authoriation code, can we review this
> behavior ?
> > I think I sent an e-mail about this some time ago ...
> >
> >
> > On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda <mposolda at redhat.com>
> wrote:
> >
> >> The easiest is to login through directGrant and then logout session with
> >> the refreshToken. We have an example, which is doing that and shows
> >> logout as well - It's admin-access-app from the preconfigured-demo
> >> examples.
> >>
> >> The place where the credentials are checked is
> >> Pbkdf2PasswordHashProvider. You can try to debug/investigate for seeing
> >> further how to get there and what code calls this. If it's too much
> >> trouble, I suggest to stick with directGrant + logout approach.
> >>
> >> Marek
> >>
> >> On 01/02/18 17:25, Scott Finlay wrote:
> >>>
> >>> Hi Marek,
> >>>
> >>>
> >>> Thanks for the suggestion. Could you maybe point me in the right
> >>> direction there?
> >>>
> >>> I'm having some difficulties finding the actual place where
> >>> credentials are checked
> >>>
> >>> in the Keycloak code and where the session is being created.
> >>>
> >>>
> >>> Additionally I've looked the documentation
> >>> (http://www.keycloak.org/docs/3.1/server_development/topics/
> >> extensions.html)
> >>>
> >>> but I'm having trouble understanding from that what these pieces
> >>> described are actually for,
> >>> where the entry point is, and how I can connect it to the actual
> >>> Keycloak storage. I also don't
> >>> really know how to actually integrate the endpoint into Keycloak once
> >>> I have one built
> >>>
> >>> Regards,
> >>> Scott
> >>>
> >>>
> >>> ------------------------------------------------------------
> ------------
> >>> *From:* Marek Posolda <mposolda at redhat.com>
> >>> *Sent:* Wednesday, January 24, 2018 1:59:05 PM
> >>> *To:* Scott Finlay; keycloak-user at lists.jboss.org
> >>> *Subject:* Re: [keycloak-user] Validate User Credentials Without
> >>> Creating a Session
> >>> Hi Scott,
> >>>
> >>> it's not available OOTB, but you can add your own REST endpoint to
> >>> verify username/password. Or alternatively you can just do directGrant
> >>> login (OAuth2 Resource Owner Password Credentials Grant) and then
> logout
> >>> session.
> >>>
> >>> Marek
> >>>
> >>> On 23/01/18 09:49, Scott Finlay wrote:
> >>>> Hi,
> >>>>
> >>>>
> >>>> We're currently using Keycloak 2.5.5.Final, and in this version it's
> >>> not possible
> >>>>
> >>>> to validate a user's credentials (username / password combination)
> >>> without
> >>>>
> >>>> actually logging the user in which results in a session (and our
> >>> sessions are long-
> >>>>
> >>>> lived). Is there any new functionality introduced in the later
> >>> versions of  Keycloak
> >>>>
> >>>> to validate the credentials without actually logging the user in?
> >>>>
> >>>>
> >>>> Our use-case is that we have very long-lived tokens, but we want to
> >>> require the
> >>>>
> >>>> user to re-enter his/her password in order to perform some certain
> >>> sensitive tasks
> >>>>
> >>>> such as changing the password or username.
> >>>>
> >>>>
> >>>> If such functionality  is not available, would it be possible to add
> >>> this?
> >>>>
> >>>>
> >>>> Regards,
> >>>>
> >>>> Scott
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list