Pretty simple question, spent a lot of time searching around.

Spring Boot 1.4.x application, with Spring Security, tried to use Keycloak for user management / authentication / authorisation, all works fantastic!

How do I avoid redirecting to Keycloak login form?

How do I implement my own authentication workflow based on username-password input?

I see that I can ask for an access-token and refresh-token, but should I implement all that token magic myself, or is there some famous library people use?

Any github or examples would help. Thanks!

Dmitri Algazin
  • Look into Oauth2.0 – Yomal Jun 24 '19 at 17:32
  • So is it possible? Any update on this? Could we implement Keycloak without the redirect and use an in-house login form, tapping into the Keycloak auth API? – Gel Apr 20 '20 at 13:32
  • Yes, simple answer: use Keycloak as any OAuth server, pass username+password, get requestToken, control the timing yourself, refresh it if you have a refreshToken. I posted some Java code in that article https://stackoverflow.com/a/58840405 . Send me a private message if you need more details – Dmitri Algazin Apr 21 '20 at 15:10

1 Answer

You might have a look into the Resource Owner Password Credentials grant. It boils down to setting "Direct Access Grants Enabled" for your Keycloak client and implementing the login logic yourself.

But please, PLEASE make sure to read this first: https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications

You could also use some OpenID Connect libraries and get the data you need for the endpoints from the .well-known endpoint of your realm.

Dominik
  • I'm really thankful for your answer, this article is a great starting point for a security noob! – Giovane Dec 18 '20 at 03:40
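The recipe the answer describes (read the realm's .well-known document to find the token endpoint, then run the password grant and handle refresh yourself) as an added Python example; it is not code from the question, the answer or Keycloak. The issuer URL, client id and the sample discovery document are constructed, and the transport is injectable so the flow can be exercised without a running Keycloak.

```python
import json, time, urllib.parse, urllib.request

# Constructed sample of a realm's discovery document (only the keys used below);
# Keycloak serves it at <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = {
    "issuer": "https://keycloak.example.test/realms/demo",
    "token_endpoint": "https://keycloak.example.test/realms/demo/protocol/openid-connect/token",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
}

def http_json(url, fields=None):
    """Default transport: GET, or POST an urlencoded form when fields are given; returns parsed JSON."""
    data = urllib.parse.urlencode(fields).encode() if fields is not None else None
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return json.loads(resp.read())

class PasswordGrantClient:
    """Resource Owner Password Credentials grant against a Keycloak client with
    'Direct Access Grants Enabled'. The transport is injectable so it can be tested offline."""
    def __init__(self, issuer, client_id, client_secret=None, transport=http_json):
        self.issuer, self.client_id, self.client_secret = issuer.rstrip("/"), client_id, client_secret
        self.transport, self.token_endpoint, self.tokens, self.expires_at = transport, None, None, 0.0

    def discover(self):
        cfg = self.transport(self.issuer + "/.well-known/openid-configuration")
        if cfg.get("issuer") != self.issuer:          # never take endpoints from a foreign issuer
            raise ValueError("issuer mismatch in discovery document")
        if "password" not in cfg.get("grant_types_supported", []):
            raise ValueError("realm does not advertise the password grant")
        self.token_endpoint = cfg["token_endpoint"]
        return self.token_endpoint

    def _token_request(self, fields, now):
        fields["client_id"] = self.client_id
        if self.client_secret:                        # confidential clients also send their secret
            fields["client_secret"] = self.client_secret
        self.tokens = self.transport(self.token_endpoint, fields)
        self.expires_at = now + self.tokens["expires_in"] - 30   # refresh 30 s before expiry
        return self.tokens["access_token"]

    def login(self, username, password, now=None):
        # Credentials come from your own form; they are sent once and never stored here.
        fields = {"grant_type": "password", "username": username, "password": password, "scope": "openid"}
        return self._token_request(fields, time.time() if now is None else now)

    def access_token(self, now=None):
        # Reuse the cached token while valid, otherwise refresh instead of re-asking for the password.
        now = time.time() if now is None else now
        if now < self.expires_at:
            return self.tokens["access_token"]
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self.tokens["refresh_token"]}, now)
```

Only the login form ever sees the password; everything after that runs on the refresh token, which is the part of the "token magic" the question asks about.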