Sending users to OpenID Connect login by default
We've set up Liferay with OpenID Connect login via our existing Keycloak installation, and it works well.
However, in order to log in via this route, users have to click the "OpenID Connect" link on the login page, then select our provider (even though it's the only one in the list) and click another button to trigger login.
Is there a way to link users directly to logging in via an OpenID Connect provider and skip the two intermediate screens?
Maybe you can try to prepopulate the login page with the desired query parameters.
So you could create a page "/login" and place the login portlet here. After that, configure the page and in the advanced settings for the page you will find "query string". Here you can place parameters that are set automatically when you open the "/login" page.
For me the following query string worked to open the OpenID view automatically:
p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=0&p_p_mode=view&p_p_state=pop_up&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Fopenid_connect_request&saveLastPath=false
You probably have to check which parameters work for you and your Liferay version. The above is working for Liferay 7.1.3 GA4.
I have a few ideas, but I want to make sure I understand a few things first.
1. Do users have to be logged in to access the site? (meaning, there are no "public" pages other than the one used to login?)
2. Is this the only means of logging in? or do you have/plan to have another one at some point?
Thanks both.
Dominik, I've worked out the query parameters to deep-link people directly to the OpenID view (though I didn't know about the configurable query string - thanks!). However, that still leaves them having to click the button, even though our provider is the only entry in the list.
Andrew:
(1) Yes, only public page is the login page
(2) This is the only means of logging in (though I suppose for bootstrapping/initial setup it would be good for there to be some sort of back door for logging in as the "test" user or similar. That can probably be avoided by creating that initial user in our OpenID Connect system (Keycloak) though).
One of my devs eventually worked out that there is a URL which triggers the OIDC login via a GET request, avoiding the pointless click. Setting auth.login.url to this bypasses the built-in Liferay stuff entirely.
[code]
/home/-/login/openid_connect_request?p_p_state=maximized&_com_liferay_login_web_portlet_LoginPortlet_saveLastPath=false&_com_liferay_login_web_portlet_LoginPortlet_redirect=/\
&_com_liferay_login_web_portlet_LoginPortlet_OPEN_ID_CONNECT_PROVIDER_NAME=MyProvider
[/code]
I also came across the following blog, written for integrations with Keycloak: https://lifedev-solutions.blogspot.com/2020/03/liferay-keycloak-integration-sso-and.html
Hi Jack, we are using SSO using OpenID through Keycloak. This is what we used as a guide: https://lifedev-solutions.blogspot.com/2019/10/liferay-keycloak-integration-using.html
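An added example, not from the thread or from Liferay: a Python lint for the auth.login.url value posted above. It joins the backslash line continuation the way a Java properties file does, then checks that the redirect parameter stays a site-relative path and that the provider name is the expected one. The sample text, function names and finding messages are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

NS = "_com_liferay_login_web_portlet_LoginPortlet_"  # parameter prefix from the thread

# Constructed sample: the thread's URL written as a portal-ext.properties entry.
SAMPLE = (
    "auth.login.url=/home/-/login/openid_connect_request?p_p_state=maximized"
    "&" + NS + "saveLastPath=false&" + NS + "redirect=/\\\n"
    "    &" + NS + "OPEN_ID_CONNECT_PROVIDER_NAME=MyProvider\n"
)

def read_property(text, key):
    """Return the value of `key`, joining backslash line continuations ('key=value' form only)."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is dropped, also on continuation lines
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing backslashes
            buf += line[:-1]
            continue
        entries.append(buf + line)
        buf = ""
    for entry in entries:
        name, sep, value = entry.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None

def is_local_path(target):
    """True only for a same-site path such as '/' or '/web/x', never '//host' or a full URL."""
    parts = urlsplit(target)
    return (target.startswith("/") and not target.startswith("//")
            and not any(c in target for c in "\\\t\r\n")
            and not parts.scheme and not parts.netloc)

def check_login_url(url, expected_provider):
    """Return findings for an auth.login.url value; an empty list means it passed."""
    findings = []
    if not is_local_path(url):
        findings.append("auth.login.url is not a site-relative path")
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    redirect = query.get(NS + "redirect", [])
    if len(redirect) != 1 or not is_local_path(redirect[0]):
        findings.append("redirect must be exactly one site-relative path")
    if query.get(NS + "OPEN_ID_CONNECT_PROVIDER_NAME", []) != [expected_provider]:
        findings.append("provider name missing, repeated or unexpected")
    return findings

if __name__ == "__main__":
    print(check_login_url(read_property(SAMPLE, "auth.login.url"), "MyProvider"))
```

Run it against the real portal-ext.properties in CI so that a later edit cannot turn the login URL's redirect into an absolute or protocol-relative target.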