
The user sends me their id and password. Then I want to check if they are valid in Keycloak. I can try to log in, but then a session is created in Keycloak.

I even thought about logging out right after logging in. But this is very inefficient.

Is there a way to check if id and password are valid without creating a session? If there were such a way, my task would be very easy.

If there is no way, I have to log in on behalf of my user and manage the token myself. This is relatively more complex to implement.

dreamcrash
Ahat

1 Answer


As far as I know out-of-the-box there is no way to avoid creating the session.

If there is no way, I have to log in on behalf of my user and manage the token myself. This is relatively more complex to implement.

Not really. Since the password and username are handed to your application, you can use the following approach:

  • Create in Keycloak a client (in the appropriate Realm) with direct access grants enabled (known as the Resource Owner Password flow in OAuth2);
  • Set the access token lifespan for that client to be very short-lived (e.g., one minute).

Make a POST request with the username and password to the client, something as follows:

# Request a token through the Resource Owner Password flow and keep the JSON
# response, since the session logout below needs fields from it.
# --data-urlencode keeps usernames/passwords with special characters intact.
TOKEN=$(curl --silent --request POST \
        --url "http://$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "username=$USERNAME" \
        --data-urlencode "password=$PASSWORD" \
        --data grant_type=password)

If you get a token back as the response, the user credentials are valid; if not, those credentials are invalid.

In case you get back the token, you can explicitly log out the session, for instance as follows:

# Extract the fields needed for the logout from the token response (needs jq).
ACCESS_TOKEN=$(echo "$TOKEN" | jq -r .access_token)
SESSION_STATE=$(echo "$TOKEN" | jq -r .session_state)

# Remove the session through the admin REST API, in the same realm the token
# was issued for. The bearer token must carry admin rights in that realm; a
# plain user's own access token normally does not.
curl -X DELETE "http://$KEYCLOAK_HOST/auth/admin/realms/$REALM_NAME/sessions/$SESSION_STATE" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $ACCESS_TOKEN"

Or, since the access token is very short-lived, let Keycloak eventually clean up the session.

dreamcrash
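The flow the answer sketches with curl, as an added example that is not part of the answer or of Keycloak's own code: a password-grant request to the token endpoint, a strict distinction between "wrong credentials" and every other failure, and an immediate logout of the session the check created. The logout here uses the OpenID Connect logout endpoint with the refresh token, which needs no admin rights, instead of the admin sessions endpoint shown above. The HTTP transport is injectable so the whole thing runs offline against a constructed stand-in; the base URL, realm name "demo", client id "pw-check" and the user list are assumptions (and whether the path needs the "/auth" prefix depends on the Keycloak version).

```python
"""Check a user's credentials via Keycloak's password grant, then log out.

Added example, not the answer's or Keycloak's own code. Assumed: base URL,
realm "demo", client "pw-check"; endpoint paths are the standard OIDC
token and logout endpoints of a Keycloak realm.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def http_post_form(url, fields):
    """Real transport: form-encoded POST; returns (status, decoded JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, (json.loads(raw) if raw else {})
        except ValueError:
            return err.code, {}


def check_credentials(base_url, realm, client_id, username, password,
                      client_secret=None, post=http_post_form):
    """Resource Owner Password flow. Returns (valid, token_or_error_body).

    Only HTTP 401 with error "invalid_grant" counts as wrong credentials.
    Anything else (misconfigured client, disabled account, a concurrent
    session limit being hit, ...) is raised, so it is never reported to the
    user as a bad password.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if client_secret:  # only for confidential clients
        fields["client_secret"] = client_secret
    status, body = post(url, fields)
    if status == 200 and "access_token" in body:
        return True, body
    if status == 401 and body.get("error") == "invalid_grant":
        return False, body
    raise RuntimeError(f"token endpoint returned {status}: {body}")


def end_session(base_url, realm, client_id, token_response,
                client_secret=None, post=http_post_form):
    """Log the freshly created session out via the OIDC logout endpoint.

    Uses the refresh token from the token response, so no admin rights are
    needed. Keycloak answers 204 No Content on success.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/logout"
    fields = {"client_id": client_id,
              "refresh_token": token_response["refresh_token"]}
    if client_secret:
        fields["client_secret"] = client_secret
    status, _ = post(url, fields)
    return status == 204


def verify_password(base_url, realm, client_id, username, password,
                    post=http_post_form):
    """Check a password and immediately close the session the check created."""
    valid, body = check_credentials(base_url, realm, client_id,
                                    username, password, post=post)
    if valid:
        end_session(base_url, realm, client_id, body, post=post)
    return valid


def fake_keycloak(valid_users):
    """Constructed stand-in for the two Keycloak endpoints (offline demo only)."""
    def post(url, fields):
        if url.endswith("/protocol/openid-connect/token"):
            if valid_users.get(fields.get("username")) == fields.get("password"):
                return 200, {"access_token": "constructed.access.token",
                             "refresh_token": "constructed-refresh-token",
                             "expires_in": 60,
                             "session_state": "constructed-session-id"}
            return 401, {"error": "invalid_grant",
                         "error_description": "Invalid user credentials"}
        if url.endswith("/protocol/openid-connect/logout"):
            return 204, {}
        return 404, {"error": "unknown endpoint"}
    return post


if __name__ == "__main__":
    kc = fake_keycloak({"alice": "correct-horse-battery-staple"})  # constructed
    for pw in ("correct-horse-battery-staple", "wrong"):
        ok = verify_password("http://keycloak.example", "demo", "pw-check",
                             "alice", pw, post=kc)
        print(f"alice / {pw!r}: {'valid' if ok else 'invalid'}")
```

To run it against a real realm, drop the `post=` argument so `http_post_form` is used, and pass `client_secret` if the client is confidential. The point of raising on anything other than a 401 `invalid_grant` is exactly the situation described in the comments: when a concurrent-session limit or a disabled account blocks the login, the user should not be told their password is wrong.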
  • Ok @dreamcrash But what if I have a limit on the user's concurrent sessions? That is my case in fact. I have a limit of 10 concurrent sessions per user. If they want to change their password, I ask them to provide the old password so I can verify it is correct. So when I try to log in with their old password and they already have 10 concurrent sessions, I get an error from Keycloak. And I just have to tell the user he can't change his password until he closes one of the open sessions :( – peltren Aug 25 '23 at 13:58
  • @peltren Why not redirect the user to Keycloak so that they can change their password there? – dreamcrash Aug 25 '23 at 20:44
  • Yes, you are right @dreamcrash. For some reason I can't understand, my employer insists on using our own frontend with the OpenID endpoints to log in instead of redirecting to Keycloak. But I will reiterate this because it's really cumbersome. Thanks for your attention! – peltren Aug 26 '23 at 22:15
  • @peltren No problem, yep, it is like reinventing the wheel a bit; by redirecting to kc you will also gain features like two-factor authentication and so on – dreamcrash Aug 27 '23 at 15:06