I have user details (username, first name, last name, (no password)) in hand in my react app and I want to create a valid session in keycloak without user needing to log-in / sign-in (basically I don't need keycloak screen).
My end goal is to get access an access_token so I can use this access_token to validate the user using the/auth/realms/master/protocol/openid-connect/userinfo endpoint.
Is this possible? How can I achieve this?
Related
I have keycloak version 20 installed, and api request to authenticate with username and password via REST API. I want to add remember_me to the request body, so I can extend the users refresh token (if the user wants it). Is that possible? I don't want to extend the refresh token lifespan for all sessions.
The API call is to the URI
/realms/{realm}/protocol/openid-connect/token
I also enabled the remember me for the realm, and it is available if I authenticate in the browser.
I have keycloak version 20 installed, and api request to authenticate
with username and password via REST API. I want to add remember_me to the request body, so I can extend the users refresh token (if the user wants it). Is that possible?
I am afraid this is not possible with Direct Access Grant Flow
From the Keycloak documentation section about the Remember Me functionality:
A logged-in user closing their browser destroys their session, and
that user must log in again. You can set Keycloak to keep the user’s
login session open if that user clicks the Remember Me checkbox upon
login. This action turns the login cookie from a session-only cookie
to a persistence cookie.
In Keycloak this feature relies on the browser cookies to work. For example, if you login with a user in one browser and then try to access the same account in another browser you are forced to authenticate the user again. It only works in the same browser (if cookies are enabled) because it was there where the cookie was originally created. Consequently, out-of-the-box, I do not see how this would work with the Direct Access Grant flow.
Have a scenario where I need to get the access token based on the user details.
There are few users configured in the connected app and there is already logic to retrieve the access tokens for the default users.
How can I pass the user name dynamically to the jwtUsername attribute and get the access token based on the user name?
I'm using keycloak, but I don't understand how the verification of authentication is made after the user authenticate in the app.
For example I have an app secured with keycloak, when a user try to access it, he/she will be redirected to authentication page, then (I guess, and correct me If I'm wrong) the user will have a token that need to be send with every request.
On a complete system secured with Keycloak:
A user clicks from a public page to navigate to a protected area within the application. The link to this protected area is in your application settings in keycloak admin console.
The user will be redirected indeed to the Keycloak authentication page. After providing Username and password, Keycloak redirects the user back to your application again with a code that is valid to a very short period of time.
The application communicates this code to Keycloak along with the Application ID and the Application secret, then Keycloak replies with the Access token, ID token, and a Refresh token. your Application will need only one of these tokens to see which claims the user has, and according to the claims, the user will be granted or denied access to protected URL(s)
Authorization code/standard flow:
From your app you're redirected to Keycloak's login page.
You give your username and password to Keycloak, and if these are correct, you will get a redirection to your app, and get an authorization code.
Your app send this auth_code and its id and secret to keycloak, and keycloak give you a token.
There are two more flows: resource owner credentials, and client credentials.
We have Rest Api created by Laravel 4 Php framework. We are using combination of scope and grant to prevent users accessing some resources. But we are having problem preventing one user accessing another user data.
For Example- in our application a user can log in using email and password and we use password grant type to create access_token.
user can see their access token by using browser debugging tolls. Now, that user can use postman or curl request with that access_token to get other users data. What is the best way to prevent user showing other user data ?
When user login into the system, create access_token with roles and permissions return that access token to the user. When user calls the API with the access_token, then check that users is having the permissions to access the requested data.
If that user not having permissions then return with some error message.
You can create filters for this, In which you can check access_token permissions.
Userful like for Laravel routing- http://laravel.com/docs/4.2/routing
I have a game where I want to track user logins/installs. I need to be able to detect when a user was just redirected to my app from the authenticated referral dialog. Since we cannot specify our own redirect_uri after the user authenticates, nor does Facebook append any sort of flag for canvas apps - is there any way to achieve this?
3 Auth Token Parameter: If Authenticated Referrals is enabled and when a
user authorizes your app through the in-line Auth Dialog, we will pass
your app the Auth Token in the format specified here. Available
formats: URI Fragment: if your app is using client-side
authentication, Query String: if your app is using server-side
authentication. If your app is a canvas app, we will not use this
setting and will use the "signed_request" as the response type
automatically.
Based on that information from http://developers.facebook.com/docs/opengraph/authentication/, I would suggest you read the signed_request and see if the auth token is there. If the token is there and that id is already in your data store, you dont log is as a new app install. If the token is there and that id is not already in your data store, then you can add the user to your list of app users in your data store and track it as a new install.