[keycloak-dev] Kerberos with IE does not work

Michael Gerber gerbermichi at me.com
Wed Jul 29 08:05:03 EDT 2015


I could find a solution for my IE problem.

IE overwrites the Authorization header in the XMLHttpRequest (/protocol/openid-connect/token) with "Authorization: Negotiate". 

To solve this problem, I added on the client the client_id and client_secret to the form and changed the authorizeClient method, so it checks first the form data instead of the authorization http header.

Have a look at my code: 
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c

Should I create a pull request for the changes or do you have a better solution?

cheers
Michael



Am 22. Juli 2015 um 11:46 schrieb Marek Posolda <mposolda at redhat.com>:

Hi Michael,

No idea if there is other solution, I've never tried SPNEGO with Internet explorer TBH :(

Could you please create JIRA for this? 

Thanks,
Marek

On 22.7.2015 10:07, Michael Gerber wrote:
Hi all

My kerberos configuration works fine with FireFox and Chrome, but it does not work with IE.
It shows a prompt where the user has to enter a username and password.

I can successfully get an access code, but I can not get an access token, because IE overwrites the Authorization header in the AJAX request. (see http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header)

I can fix this by adding 
document.execCommand('ClearAuthenticationCache', 'false');
above of 
var req = new XMLHttpRequest();
approximately at the line 374 in the keycloack.js file.

Is there another solution for this problem?

cheers
Michael


_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150729/83f61473/attachment.html 


More information about the keycloak-dev mailing list