Hi,
We’ve been using Keycloak for a while now and are looking into the possibility of moving away from using actual Keycloak themes and replacing them with a client-side implementation (login, logout, reset password, different SSOs, update password after login, …).
So far we’ve managed to log in using the REST API endpoints, but we’ve noticed we’re missing a lot of functionality that’s just there with the Keycloak themes. For example, if the “update password” required action is set on the user that’s trying to log in, then logging in through the REST endpoints just isn’t possible, and there’s no way that we know of to complete this action without using the Keycloak themes.
Is there any way to have all Keycloak functionality on our webapp without using the default Keycloak themes?
Other than reimplementing everything yourself, no.
And what you are doing is against the spirit of OAuth and SAML: both assume that there is always a 3-way communication between client, backend and the authentication service (e.g. Keycloak), and neither the client nor the backend ever sees the user's login details. They only see the generated tokens. So you are circumventing an essential security aspect here, IMHO.
You should consider just creating a Keycloak theme that nicely blends with your remaining designs.
1 Like
Exactly!
And to put it more concretely: you are creating a man-in-the-middle scenario by going your way. The reason to have an Identity Provider (no matter which protocol is used) is to have the user enter their credentials and sensitive data only at the secure server (aka IdP), nowhere else. All other parties are just taking part in this authentication, nothing more. They don’t have to deal in any way with authentication itself.
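The redirect-based flow both replies describe, as an added example that is not from the original thread or from the Keycloak project: the web app sends the browser to Keycloak's login page with PKCE, stores only the verifier and state in its session, and later exchanges the one-time code for tokens. The host, realm, client id and redirect URI are hypothetical values; the `/realms/{realm}/protocol/openid-connect/auth` and `/token` paths are Keycloak's standard endpoint layout.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical deployment values (assumed for this example).
KEYCLOAK = "https://sso.example.test"
REALM = "myrealm"
CLIENT_ID = "webapp"
REDIRECT_URI = "https://app.example.test/callback"


def code_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login() -> tuple[str, dict]:
    """Build the redirect to Keycloak's login page.

    The browser leaves the app; the password is typed only at the IdP, and any
    required action (e.g. 'update password') is completed there before a code
    is ever issued. The app keeps verifier and state in the session, nothing else.
    """
    verifier = secrets.token_urlsafe(48)  # 64 unreserved chars, within 43..128
    state = secrets.token_urlsafe(32)     # binds the callback to this session
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    url = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, {"verifier": verifier, "state": state}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect back from Keycloak and build the token request.

    Only the short-lived code passes through the app; posting it with the
    verifier to the token endpoint yields the tokens the backend will see.
    """
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in q:
        raise ValueError(f"login failed: {q.get('error', ['unknown'])[0]}")
    return {
        "url": f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token",
        "data": {
            "grant_type": "authorization_code",
            "client_id": CLIENT_ID,
            "code": q["code"][0],
            "redirect_uri": REDIRECT_URI,
            "code_verifier": session["verifier"],
        },
    }
```

The returned `data` dict is what the backend POSTs (form-encoded) to `url`; at no point does the app handle the user's password, which is the property the replies above are defending.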