
I want to launch SSO from my application to the Cloud Elements page. To do the SSO I am using Keycloak. When the user logs in to my application and wants to go to the CloudElements page, the user is redirected to the Keycloak login page. But I want to avoid the Keycloak login page.

I followed the "Avoid keycloak default login page and use project login page" link and am getting the response from Keycloak as below.

Postman response

Now my question is: is the user authorized now? Because the user is still redirected to the Keycloak login page. Kindly help.

Maria
  • Have you tried on a browser? I am not sure but I think you will be able to test redirections through Postman. – tryingToLearn Mar 12 '19 at 05:27
  • I tried on a browser and I am getting the same response. However, it is still redirected to the Keycloak login page. That's why I am having the doubt whether the user is authorized or not. – Maria Mar 12 '19 at 05:59

1 Answer


To log in to Keycloak, the user must pass the "login page" (see the OIDC specs). Keycloak can emit token pair responses only when the corresponding user establishes an SSO user session inside Keycloak. Consider the session_state field in JWT tokens as the identifier of the SSO session in Keycloak. So let's summarize it:

  1. An application protected by Keycloak requires an AccessToken to handle requests.
  2. A token can be obtained only when Keycloak establishes an internal SSO session for the user (by user I mean account record).
  3. Step 2 can be achieved when the user logs in to Keycloak via the login page.

BUT!!! There is also a direct grant flow that allows the target application to authenticate the user in Keycloak without redirecting to the Keycloak login page. In this case the user presents the required credentials directly to the application, and the application exchanges these credentials for a token pair in Keycloak (this would also establish an SSO session in Keycloak behind the scenes).

If you want to use the direct_grant flow, you should trust the target application and be confident that user credentials will not be leaked.

solveMe
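
The direct grant exchange described in the answer above, as an added example that is not part of the original answer or Keycloak's own code: it builds the password-grant request for the token endpoint and checks a token-pair response, including that the access token's session_state matches the one in the response. The host, realm, client id, credentials and sample tokens are constructed assumptions, as is the `/auth` base path, which depends on the deployment.

```python
import base64, json, time
from urllib.parse import urlencode
from urllib.request import Request

def build_direct_grant_request(base_url, realm, client_id, username, password):
    """Build (but do not send) the password-grant POST for Keycloak's token endpoint."""
    if not base_url.startswith("https://"):
        raise ValueError("direct grant sends the user's password: require TLS")
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password})
    return Request(url, data=form.encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token_response(resp, now=None):
    """Return (ok, detail): detail is the SSO session id on success, else the reason."""
    now = time.time() if now is None else now
    if "error" in resp:                           # e.g. invalid_grant on bad credentials
        return False, resp.get("error_description", resp["error"])
    claims = jwt_claims(resp["access_token"])
    if claims.get("exp", 0) <= now:
        return False, "access token expired"
    if claims.get("session_state") != resp.get("session_state"):
        return False, "session_state mismatch"
    return True, claims["session_state"]

def _constructed_jwt(claims):
    """Constructed sample token with a placeholder signature (not a real Keycloak token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"

# Constructed sample response, shaped like a token-pair reply; all values are made up.
SAMPLE = {"access_token": _constructed_jwt({"exp": 2000, "session_state": "sess-1234",
                                            "preferred_username": "alice"}),
          "refresh_token": _constructed_jwt({"exp": 5000, "session_state": "sess-1234"}),
          "token_type": "bearer", "session_state": "sess-1234"}

if __name__ == "__main__":
    req = build_direct_grant_request("https://sso.example.com/auth", "demo", "my-app", "alice", "s3cret")
    print(req.get_method(), req.full_url)
    print(check_token_response(SAMPLE, now=1000))
```

In a real client the access token's signature must be verified against the realm's keys before any claim is trusted; `jwt_claims` only inspects the payload.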