<html><body><div><div style="font-family: 'Helvetica Neue', Helvetica, sans-serif; line-height: 22.3999996185303px;">The ClearAuthenticationCache command deletes the following data:</div><div style="font-family: 'Helvetica Neue', Helvetica, sans-serif; line-height: 22.3999996185303px;"><div>- Session cookies</div><div>- sessionStorage</div><div>- HTTP Authentication (e.g. Digest or Basic HTTP credentials)</div><div>- HTTPS Client Certificates (e.g. sites that use certificates or SmartCards)</div></div><div style="font-family: 'Helvetica Neue', Helvetica, sans-serif; line-height: 22.3999996185303px;"><br></div><div style="font-family: 'Helvetica Neue', Helvetica, sans-serif; line-height: 22.3999996185303px;">But keycloak needs the session cookie, otherwise the user has to relogin after each page reload.</div><div style="font-family: 'Helvetica Neue', Helvetica, sans-serif; line-height: 22.3999996185303px;"><br></div><div style="font-family: 'Helvetica Neue', Helvetica, sans-serif; line-height: 22.3999996185303px;">Isn't the clientSecret anyway public if it is sent in the Authorization header? </div></div><div><br>On 29 July 2015 at 14:27, Bill Burke &lt;bburke@redhat.com&gt; wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content">The trick you found earlier doesn't work?<br><br><a href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header" data-mce-href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header">http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header</a><br><br>Also, what if in keycloak.js if kc.clientSecret is null? Just remove <br>the client secret IMO. 
You shouldn't be exposing the client secret as <br>it is now public to everybody in the world....<br><br>On 7/29/2015 8:05 AM, Michael Gerber wrote:<br></span></span><blockquote class="quoted-plain-text" type="cite">I could find a solution for my IE problem.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">IE overwrites the Authorization header in the XMLHttpRequest</blockquote><blockquote class="quoted-plain-text" type="cite">(/protocol/openid-connect/token) with "Authorization: Negotiate".</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">To solve this problem, I added on the client the client_id</blockquote><blockquote class="quoted-plain-text" type="cite">and client_secret to the form and changed the authorizeClient method, so</blockquote><blockquote class="quoted-plain-text" type="cite">it checks first the form data instead of the authorization http header.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Have a look at my code:</blockquote><blockquote class="quoted-plain-text" type="cite"><a href="https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c" data-mce-href="https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c">https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c</a></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Should I create a pull request for the changes or do you have a better</blockquote><blockquote class="quoted-plain-text" type="cite">solution?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">cheers</blockquote><blockquote 
class="quoted-plain-text" type="cite">Michael</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 22 July 2015 at 11:46, Marek Posolda &lt;<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a></blockquote><blockquote class="quoted-plain-text" type="cite">&lt;mailto:mposolda@redhat.com&gt;&gt; wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Hi Michael,</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">No idea if there is other solution, I've never tried SPNEGO with</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Internet Explorer TBH :(</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Could you please create JIRA for this?</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Thanks,</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Marek</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote 
class="quoted-plain-text" type="cite"><br></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">On 22.7.2015 10:07, Michael Gerber wrote:</blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Hi all</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">My Kerberos configuration works fine with Firefox and Chrome, but it</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">does not work with IE.</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">It shows a prompt where the user has to enter a username and password.</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">I can successfully get an access code, but I cannot get an access</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">token, because IE overwrites the Authorization 
header in the AJAX</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">request. (see</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><a href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header" data-mce-href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header">http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header</a>)</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">I can fix this by adding</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">document.execCommand('ClearAuthenticationCache', 'false');</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">above</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">var req = new XMLHttpRequest();</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">approximately at 
the line 374 in the keycloak.js file.</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Is there another solution for this problem?</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">cheers</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">Michael</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">_______________________________________________</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite">keycloak-dev mailing list</blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote 
class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><a href="mailto:keycloak-dev@lists.jboss.org" data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><blockquote class="quoted-plain-text" type="cite"><br></blockquote></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><span class="body-text-content"><br>-- <br>Bill Burke<br>JBoss, a division of Red Hat<br><a href="http://bill.burkecentral.com" data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br></span></div></div></blockquote></div></body></html>
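The server-side handling discussed in this thread, where the token endpoint falls back to the form body when the browser has replaced the Authorization header, together with the public-client case where no secret is sent, as an added JavaScript example. It is not code from Keycloak or from the linked commit; `parseBasic`, `resolveClientAuth` and the sample values are hypothetical.

```javascript
// Added example, not Keycloak code. Decides which client authentication a
// token request carries when the Authorization header may have been replaced.

function parseBasic(value) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(value || '');
  if (!m) return null; // header absent, or another scheme such as "Negotiate"
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':' only
  if (sep < 1) return null;
  return { clientId: decoded.slice(0, sep), clientSecret: decoded.slice(sep + 1) };
}

function resolveClientAuth(headers, form) {
  const basic = parseBasic(headers.authorization);
  const formId = form.get('client_id');
  const formSecret = form.get('client_secret');

  if (basic && formSecret !== null) {
    // RFC 6749 section 2.3: only one authentication method per request.
    return { error: 'invalid_request' };
  }
  if (basic && formId !== null && formId !== basic.clientId) {
    return { error: 'invalid_client' }; // header and body name different clients
  }
  if (basic) return { method: 'client_secret_basic', ...basic };
  if (formId && formSecret) {
    return { method: 'client_secret_post', clientId: formId, clientSecret: formSecret };
  }
  if (formId) return { method: 'none', clientId: formId }; // public client, no secret
  return { error: 'invalid_client' };
}

// Constructed sample request: the header was overwritten with a Negotiate
// token and the browser client sends only its client_id in the form body.
const overwritten = resolveClientAuth(
  { authorization: 'Negotiate Y29uc3RydWN0ZWQ=' },
  new URLSearchParams('grant_type=authorization_code&code=constructed&client_id=spa-app')
);
console.log(overwritten);
```

A result with `method: 'none'` still has to be checked against the client's registration, so that only clients registered as public are accepted without a secret.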