[keycloak-dev] Kerberos with IE does not work

Marek Posolda mposolda at redhat.com
Mon Aug 3 07:36:12 EDT 2015


On 29.7.2015 16:37, Michael Gerber wrote:
> The ClearAuthenticationCache command deletes the following data:
> - Session cookies
> - sessionStorage
> - HTTP Authentication (e.g. Digest or Basic HTTP credentials)
> - HTTPS Client Certificates (e.g. sites that use certificates or 
> SmartCards)
>
> But keycloak needs the session cookie, otherwise the user has to 
> relogin after each page reload.
>
> Isn't the clientSecret anyway public if it is sent in the 
> Authorization header?
Yes, it is for JS clients. That's why it's better not to use 
clientSecret with JavaScript-based clients, but instead mark those 
clients as "public" in the Keycloak admin console. In this case keycloak.js 
will use the client_id parameter instead of the Authorization header. Can this 
work for you?

Thing is, currently AuthorizeClientUtil will likely automatically 
send 401 if it finds an "Authorization: Negotiate ..." header, even if you 
have a public client and you want to use client_id (I did not test it, but 
I'm guessing from looking at the code). So I've created a simple patch to 
avoid it: 
https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903

So if you do the steps like:
1) make your client public
2) apply my patch

will it help?

I am still seeing potential issues if your JavaScript client needs to 
send REST requests authorized by an "Authorization: Bearer" header with the 
accessToken. Not sure if IE doesn't again overwrite the header with 
"Authorization: Negotiate". In this case the REST request would fail. But 
hopefully not... If you have the opportunity to try it, that would be cool.

Thanks,
Marek

>
> On 29 July 2015 at 14:27, Bill Burke <bburke at redhat.com> wrote:
>
>> The trick you found earlier doesn't work?
>>
>> http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header
>>
>> Also, what if kc.clientSecret is null in keycloak.js? Just remove
>> the client secret IMO. You shouldn't be exposing the client secret as
>> it is now public to everybody in the world....
>>
>> On 7/29/2015 8:05 AM, Michael Gerber wrote:
>>> I was able to find a solution for my IE problem.
>>>
>>> IE overwrites the Authorization header in the XMLHttpRequest
>>> (/protocol/openid-connect/token) with "Authorization: Negotiate".
>>>
>>> To solve this problem, on the client I added the client_id
>>> and client_secret to the form and changed the authorizeClient method so
>>> that it checks the form data first instead of the Authorization HTTP header.
>>>
>>> Have a look at my code:
>>> https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c
>>>
>>> Should I create a pull request for the changes or do you have a better
>>> solution?
>>>
>>> cheers
>>> Michael
>>>
>>>
>>>
>>> On 22 July 2015 at 11:46, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>> Hi Michael,
>>>>
>>>> No idea if there is another solution, I've never tried SPNEGO with
>>>> Internet Explorer TBH :(
>>>>
>>>> Could you please create a JIRA for this?
>>>>
>>>> Thanks,
>>>> Marek
>>>>
>>>> On 22.7.2015 10:07, Michael Gerber wrote:
>>>>> Hi all
>>>>>
>>>>> My Kerberos configuration works fine with Firefox and Chrome, but it
>>>>> does not work with IE.
>>>>> It shows a prompt where the user has to enter a username and password.
>>>>>
>>>>> I can successfully get an access code, but I cannot get an access
>>>>> token, because IE overwrites the Authorization header in the AJAX
>>>>> request. (see
>>>>> http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header)
>>>>>
>>>>> I can fix this by adding
>>>>> document.execCommand('ClearAuthenticationCache', 'false');
>>>>> above
>>>>> var req = new XMLHttpRequest();
>>>>> at approximately line 374 in the keycloak.js file.
>>>>>
>>>>> Is there another solution for this problem?
>>>>>
>>>>> cheers
>>>>> Michael
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>
>>>
>>
>> -- 
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>
>
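The following is an added example, not code from keycloak.js or from the Keycloak server and not from anyone in this thread. It models the three moving parts the discussion is about: the code-for-token request keycloak.js sends to /protocol/openid-connect/token (Authorization header for a confidential client, client_id form parameter for a public client), the header rewrite the thread attributes to IE (the page's own Authorization value replaced by "Authorization: Negotiate ..."), and two server-side client authorization policies, a naive one that rejects any non-Basic Authorization header and a patched one that looks at the form data first, in the spirit of Michael's change and Marek's patch. The client registry, the Negotiate token value and the function names are constructed for the example.

```javascript
// Constructed example: token request shapes and client-authorization policies.
// Not keycloak.js, not Keycloak's AuthorizeClientUtil. All names hypothetical.

const TOKEN_ENDPOINT = '/protocol/openid-connect/token';

// Constructed sample client registry (stand-in for the realm's client list).
const CLIENTS = {
  'js-app':     { publicClient: true,  secret: null },
  'server-app': { publicClient: false, secret: 's3cret' },
};

// HTTP Basic credentials for a confidential client: base64("id:secret").
function basicAuth(clientId, clientSecret) {
  return 'Basic ' + Buffer.from(clientId + ':' + clientSecret).toString('base64');
}

// Build the authorization-code exchange. A confidential client authenticates
// with the Authorization header; a public client only identifies itself with
// the client_id form parameter and sends no Authorization header at all.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const params = new URLSearchParams();
  params.set('grant_type', 'authorization_code');
  params.set('code', code);
  params.set('redirect_uri', redirectUri);
  if (clientSecret) {
    headers['Authorization'] = basicAuth(clientId, clientSecret);
  } else {
    params.set('client_id', clientId);
  }
  return { url: TOKEN_ENDPOINT, headers, body: params.toString() };
}

// Models the behaviour reported in the thread: the browser replaces whatever
// the page put in Authorization with its SPNEGO token. Token value is a
// constructed placeholder, not a real ticket.
function simulateIeNegotiateRewrite(request) {
  const headers = { ...request.headers, Authorization: 'Negotiate CONSTRUCTED_PLACEHOLDER' };
  return { ...request, headers };
}

function checkBasic(auth) {
  const decoded = Buffer.from(auth.slice('Basic '.length), 'base64').toString();
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  const id = decoded.slice(0, idx), secret = decoded.slice(idx + 1);
  const client = CLIENTS[id];
  if (!client || client.publicClient || client.secret !== secret) return null;
  return id;
}

// Naive policy: an Authorization header, if present, must be Basic and valid.
// Any other scheme (e.g. Negotiate) yields 401 even for a public client that
// already identified itself in the form.
function authorizeClientNaive(request) {
  const auth = request.headers['Authorization'];
  if (auth) {
    if (!auth.startsWith('Basic ')) return { status: 401, error: 'unexpected_authorization_scheme' };
    const id = checkBasic(auth);
    return id ? { status: 200, clientId: id } : { status: 401, error: 'invalid_client' };
  }
  const id = new URLSearchParams(request.body).get('client_id');
  if (!id || !CLIENTS[id] || !CLIENTS[id].publicClient) return { status: 401, error: 'invalid_client' };
  return { status: 200, clientId: id };
}

// Patched policy: consult the form first. A public client is accepted on its
// client_id alone; a confidential client may present client_secret in the form
// (Michael's approach, which exposes the secret to the browser) or via Basic.
// A stray non-Basic Authorization header is ignored rather than rejected.
function authorizeClientPatched(request) {
  const form = new URLSearchParams(request.body);
  const formId = form.get('client_id');
  const client = formId ? CLIENTS[formId] : null;
  if (client && client.publicClient) return { status: 200, clientId: formId };
  if (client && !client.publicClient && form.get('client_secret') === client.secret) {
    return { status: 200, clientId: formId };
  }
  const auth = request.headers['Authorization'] || '';
  if (auth.startsWith('Basic ')) {
    const id = checkBasic(auth);
    if (id) return { status: 200, clientId: id };
  }
  return { status: 401, error: 'invalid_client' };
}

module.exports = { buildTokenRequest, simulateIeNegotiateRewrite, authorizeClientNaive, authorizeClientPatched };
```

Running the public-client request through the rewrite shows the failure mode from the thread (naive policy answers 401 on the Negotiate header) and that the form-first policy accepts it; the confidential-client request still fails after the rewrite under both policies unless the secret travels in the form, which is the trade-off Bill objects to.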


