<div dir="ltr">I had this problem with my angular app :)<br>Keycloak returns "redirect_fragment" param with "#_=_"</div><br><div class="gmail_quote">On Thu, Mar 26, 2015 at 1:07 PM Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Honestly, your descriptions don't make sense at all...<br>
<br>
1. admin console redirects to keycloak with a redirect uri of<br>
/auth/admin/master/console.<br>
2. Keycloak stores this redirect uri as-is, keycloak also stores "state"<br>
param.<br>
3. keycloak redirects to facebook<br>
4. facebook redirects to keycloak callback url<br>
5. keycloak builds a redirect URI back to admin console based on<br>
original stored redirect uri and "state" param and "code".<br>
6. keycloak redirects back to admin console<br>
<br>
How could Facebook insert #_=_? Is there some browser/fragment magic<br>
happening?<br>
<br>
<br>
On 3/26/2015 11:44 AM, Stian Thorgersen wrote:<br>
> No, we can sort it out in Keycloak as Facebook redirects to Keycloak, not the application.<br>
><br>
> ----- Original Message -----<br>
>> From: "Leonardo Loch Zanivan" <<a href="mailto:leonardo.zanivan@gmail.com" target="_blank">leonardo.zanivan@gmail.com</a>><br>
>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
>> Cc: "Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>>, <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>> Sent: Thursday, 26 March, 2015 4:41:50 PM<br>
>> Subject: Re: [keycloak-dev] can't figure this out<br>
>><br>
>> I think it would need some tweak in the JavaScript adapter.<br>
>><br>
>> On Thu, Mar 26, 2015 at 12:25 PM Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>> wrote:<br>
>><br>
>>> Great, so we just need to tweak the Facebook provider to strip that off<br>
>>> before redirecting to the app<br>
>>><br>
>>> ----- Original Message -----<br>
>>>> From: "Leonardo Loch Zanivan" <<a href="mailto:leonardo.zanivan@gmail.com" target="_blank">leonardo.zanivan@gmail.com</a>><br>
>>>> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>>, "Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
>>>> Cc: <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>>> Sent: Thursday, 26 March, 2015 4:21:49 PM<br>
>>>> Subject: Re: [keycloak-dev] can't figure this out<br>
>>>><br>
>>>> Oops, you need to remove it after keycloak success. Here is an example:<br>
>>>><br>
>>>> keycloakAuth.init({<br>
>>>> onLoad: 'login-required'<br>
>>>> }).success(function(authenticated) {<br>
>>>> //fix facebook oauth<br>
>>>> if (window.location.hash === '#_=_') {<br>
>>>> window.location.hash = '';<br>
>>>> }<br>
>>>> });<br>
>>>><br>
>>>><br>
>>>> On Thu, Mar 26, 2015 at 12:19 PM Leonardo Loch Zanivan <<br>
>>>> <a href="mailto:leonardo.zanivan@gmail.com" target="_blank">leonardo.zanivan@gmail.com</a>> wrote:<br>
>>>><br>
>>>>> Facebook adds "#_=_" at the end of redirect URL for "security reasons", so<br>
>>>>> SPA apps won't work unless you remove it.<br>
>>>>><br>
>>>>> In Angular apps you should remove it before calling keycloak:<br>
>>>>><br>
>>>>> if (window.location.hash === '#_=_') {<br>
>>>>> window.location.hash = '';<br>
>>>>> }<br>
>>>>><br>
>>>>> On Thu, Mar 26, 2015 at 12:14 PM Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
>>>>> wrote:<br>
>>>>><br>
>>>>>> AFAIK Facebook is OAuth2 + custom weird stuff that looks like but isn't<br>
>>>>>> OpenID Connect<br>
>>>>>><br>
>>>>>> ----- Original Message -----<br>
>>>>>>> From: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
>>>>>>> To: "Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
>>>>>>> Cc: <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>>>>>> Sent: Thursday, 26 March, 2015 4:11:11 PM<br>
>>>>>>> Subject: Re: [keycloak-dev] can't figure this out<br>
>>>>>>><br>
>>>>>>> I remember seeing the '#_=_' crap a while ago, I believe that was before<br>
>>>>>>> Pedro started brokering.<br>
>>>>>>><br>
>>>>>>> ----- Original Message -----<br>
>>>>>>>> From: "Bill Burke" <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>><br>
>>>>>>>> To: <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>>>>>>> Sent: Thursday, 26 March, 2015 2:54:27 PM<br>
>>>>>>>> Subject: [keycloak-dev] can't figure this out<br>
>>>>>>>><br>
>>>>>>>> I'm going crazy... I'm testing facebook login with the admin console as<br>
>>>>>>>> the test app.<br>
>>>>>>>><br>
>>>>>>>> 1. Facebook auth succeeds<br>
>>>>>>>> 2. Redirect back to admin console<br>
>>>>>>>> 3. For some reason admin console doesn't like the redirect URL and does<br>
>>>>>>>> a redirect back to keycloak login with a fragment of #_=_<br>
>>>>>>>> 4. I'm already logged in, so redirect back<br>
>>>>>>>> 5. Success, but the fragment is #_=_<br>
>>>>>>>><br>
>>>>>>>> Login works for github though...I'm freakin stumped. The initial<br>
>>>>>>>> redirect back to the admin console is the same exact redirect uri for<br>
>>>>>>>> both github and facebook.<br>
>>>>>>>><br>
>>>>>>>> Has anybody seen this before?<br>
>>>>>>>><br>
>>>>>>>> --<br>
>>>>>>>> Bill Burke<br>
>>>>>>>> JBoss, a division of Red Hat<br>
>>>>>>>> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
>>>>>>>> _______________________________________________<br>
>>>>>>>> keycloak-dev mailing list<br>
>>>>>>>> <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>>>>>>> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
>>>>>>>><br>
>>>>>>><br>
>>>>>><br>
>>>>><br>
>>>><br>
>>><br>
>><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</blockquote></div>
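<div>An added example, not code from this thread or from Keycloak: a variant of the quoted workaround that removes only the exact "#_=_" placeholder, leaves any other fragment untouched, and also drops a "redirect_fragment" query parameter that carries it. The function names, the app.example.test URLs and the encoding of the "redirect_fragment" value are assumptions.</div>

```javascript
// Added example (not Keycloak code). Placeholder fragment as quoted in the thread.
const FACEBOOK_FRAGMENT = '#_=_';

// Pure function: takes an absolute URL string and returns it with the
// placeholder removed, so the logic can be tested outside a browser.
function cleanOAuthReturnUrl(href) {
  const url = new URL(href);

  // Case 1: the fragment is exactly the placeholder. Any other fragment
  // (a client-side route, or an adapter response such as
  // "#state=...&code=...") is left alone.
  if (url.hash === FACEBOOK_FRAGMENT) {
    url.hash = '';
  }

  // Case 2 (assumption): the placeholder survived a login round trip inside
  // a "redirect_fragment" query parameter, with or without the leading "#".
  const carried = url.searchParams.get('redirect_fragment');
  if (carried === '_=_' || carried === FACEBOOK_FRAGMENT) {
    url.searchParams.delete('redirect_fragment');
  }
  return url.toString();
}

// Browser wiring. history.replaceState rewrites the address bar in place and
// avoids the bare trailing "#" that assigning location.hash = '' leaves behind.
// Call applyInBrowser(window) from the adapter's success callback, the point
// the thread's corrected snippet uses.
function applyInBrowser(win) {
  const cleaned = cleanOAuthReturnUrl(win.location.href);
  if (cleaned === win.location.href) {
    return false; // nothing to clean, do not touch history
  }
  win.history.replaceState(win.history.state, '', cleaned);
  return true;
}
```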