[keycloak-user] RV: How to force login (¿best practice?)
Luis Rodríguez Fernández
uo67113 at gmail.com
Tue Oct 30 10:24:18 EDT 2018
Hello Pablo,
From your last post description it looks like you want to check if the
user is logged in or not. You can have a look at the keycloak openid adaptor doc
[1]. It seems that openid implements a trick for doing it.
Hope it helps,
Luis
[1]
https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-vs-saml
On Tue, Oct 30, 2018 at 10:16, Pablo Bravo (<Pablo.Bravo at osudio.com>)
wrote:
> Hi Dimitry,
>
> Thanks for answering! I'm trying to follow your steps, but on the last
> step, I can't seem to find the way to assign the new flow in the client, I
> can't find the "Authentication Flow Overrides" setting.
>
> We actually would like to not "disable" the SSO, if we could solve the
> following use case:
>
> Step 1 - User opens WEBAPP 1, logs in and starts using the webapp.
> Step 2 - User opens WEBAPP 2 on a different tab and he sees the "login"
> button because WEBAPP 2 knows nothing about this visitor at this point.
> Step 3 - User clicks on "login" button and automatically gets logged in
> without seeing any login screen (in the background the browser went to
> keycloak, got the authentication OK and went back to the WEBAPP 2).
>
> How can we achieve that the user at the second step already gets logged in
> without having to actively click on login? This WEBAPP 2 is usable without
> login, so it shouldn't redirect all users to the login screen.
>
> Thanks a lot for your help!
>
> -----Original Message-----
> From: Dmitry Telegin <dt at acutus.pro>
> Sent: Tuesday, October 30, 2018 5:33
> To: Pablo Bravo <Pablo.Bravo at osudio.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] RV: How to force login (¿best practice?)
>
> Hello Pablo,
>
> It's a bit unusual to hear people asking for how to *disable* SSO :) but
> here you go:
> 1. in admin console, go to Authentication;
> 2. make a copy of Browser flow;
> 3. in this new flow, disable or delete Cookie;
> 4. go to Clients -> (your client) -> Authentication Flow Overrides, change
>    Browser Flow to your new flow, click Save.
>
> After that, the client will always prompt for authentication, despite the
> previous login state.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-10-29 at 15:06 +0000, Pablo Bravo wrote:
> > Hi all,
> >
> > We are currently implementing keycloak and we are facing an issue that
> > we are not sure what's the best way to solve.
> >
> > We have different webapps making use of the sso and that's working fine.
> > The problem we have is when we log in using the sso in one webapp and
> > then we do the same in a different webapp.
> >
> > Initially this second webapp does not know which user is coming (and
> > it's not necessary to be logged in to make use of it). When clicking on
> > "login", it automatically logs in the user (by making a redirection to
> > keycloak and automatically logging in the user already logged in to the
> > other webapp). This second login happens "transparently" to the user,
> > since the redirection to keycloak is very fast and it's not noticeable.
> > This behaviour is not very user friendly.
> >
> > The question is: Taking into account that this second webapp can't know
> > upfront which user is accessing the site (unless actively redirecting to
> > keycloak), is it possible to always force the users to log in for a
> > specific keycloak client? By this I mean actually ask the visitor for
> > user/pw even if keycloak already knows them from other keycloak clients.
> >
> > What's the best practice for this use case?
> >
> > Thanks in advance!
> >
> > Pablo
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
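
An added example, not part of the original messages and not Keycloak's own code: the silent login check asked about for WEBAPP 2 and the forced login asked about in the first post, both expressed with the standard OpenID Connect `prompt` parameter. The host, realm `demo`, client id and redirect URI are constructed placeholders, and `buildAuthUrl`, `classifyCallback` and `isFreshLogin` are hypothetical helper names.

```javascript
// Added illustration. The host, realm, client id and redirect URI are constructed placeholders.
const AUTH_ENDPOINT =
  'https://sso.example.com/auth/realms/demo/protocol/openid-connect/auth';

// prompt=none: answer without showing any UI (silent check for WEBAPP 2).
// prompt=login: ask the IdP to re-authenticate even if an SSO session exists.
// state and nonce must be generated by the caller with a CSPRNG and stored per request.
function buildAuthUrl({ clientId, redirectUri, state, nonce, prompt }) {
  if (!['none', 'login'].includes(prompt)) throw new Error('unsupported prompt');
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri, response_type: 'code',
    scope: 'openid', state, nonce, prompt,
  }).toString();
  return url.toString();
}

// Classify the redirect that comes back from a prompt=none request.
function classifyCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (!expectedState || p.get('state') !== expectedState) {
    return { status: 'rejected', reason: 'state mismatch' };
  }
  const code = p.get('code');
  if (code) return { status: 'sso-session', code }; // exchange at the token endpoint
  const err = p.get('error');
  if (err === 'login_required' || err === 'interaction_required') {
    return { status: 'anonymous' }; // no usable SSO session: keep serving the public page
  }
  return { status: 'rejected', reason: err || 'missing code' };
}

// prompt=login travels through the browser, so the user can strip it. A client that must
// always re-prompt should also check auth_time in the signature-verified ID token claims.
function isFreshLogin(verifiedClaims, nowSec, maxAgeSec) {
  const authTime = verifiedClaims.auth_time;
  if (!Number.isInteger(authTime)) return false;
  const age = nowSec - authTime;
  return age >= 0 && age <= maxAgeSec;
}
```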