<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 29.7.2015 16:37, Michael Gerber
      wrote:<br>
    </div>
    <blockquote cite="mid:416acc5a-f78d-47dd-b33a-03912d857fcc@me.com"
      type="cite">
      <div>
        <div style="font-family: 'Helvetica Neue', Helvetica,
          sans-serif; line-height: 22.3999996185303px;">The ClearAuthenticationCache
          command deletes the following data:</div>
        <div style="font-family: 'Helvetica Neue', Helvetica,
          sans-serif; line-height: 22.3999996185303px;">
          <div>- Session cookies</div>
          <div>- sessionStorage</div>
          <div>- HTTP Authentication (e.g. Digest or Basic HTTP
            credentials)</div>
          <div>- HTTPS Client Certificates (e.g. sites that use
            certificates or SmartCards)</div>
        </div>
        <div style="font-family: 'Helvetica Neue', Helvetica,
          sans-serif; line-height: 22.3999996185303px;"><br>
        </div>
        <div style="font-family: 'Helvetica Neue', Helvetica,
          sans-serif; line-height: 22.3999996185303px;">But keycloak
          needs the session cookie, otherwise the user has to relogin
          after each page reload.</div>
        <div style="font-family: 'Helvetica Neue', Helvetica,
          sans-serif; line-height: 22.3999996185303px;"><br>
        </div>
        <div style="font-family: 'Helvetica Neue', Helvetica,
          sans-serif; line-height: 22.3999996185303px;">Isn't the
          clientSecret anyway public if it is sent in the Authorization
          header? <br>
        </div>
      </div>
    </blockquote>
    Yes, it is for JS clients. That's why it's better not to use
    clientSecret with JavaScript-based clients, but instead to mark those
    clients as "public" in the Keycloak admin console. In this case
    keycloak.js will use the client_id parameter instead of the Authorization
    header. Can this work for you?<br>
    <br>
    The thing is that currently AuthorizeClientUtil will likely
    automatically send a 401 if it finds an "Authorization: Negotiate ..."
    header, even if you have a public client and you want to use client_id
    (I did not test it, I am just guessing from looking at the code). So I've
    created a simple patch to avoid it:
<a class="moz-txt-link-freetext" href="https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903">https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903</a><br>
    <br>
    So if you do the following steps:<br>
    1) Make your client public<br>
    2) Apply my patch<br>
    <br>
    will it help?<br>
    <br>
    I still see potential issues if your JavaScript client needs
    to send REST requests authorized by an "Authorization: Bearer" header
    with the accessToken. I'm not sure whether IE won't again overwrite the header
    with "Authorization: Negotiate". In this case the REST request would
    fail. But hopefully not... If you have the opportunity to try it, that
    would be cool.<br>
    <br>
    Thanks,<br>
    Marek<br>
    <br>
    <blockquote cite="mid:416acc5a-f78d-47dd-b33a-03912d857fcc@me.com"
      type="cite">
      <div><br>
        On 29 July 2015 at 14:27, Bill Burke
        <a class="moz-txt-link-rfc2396E" href="mailto:bburke@redhat.com">&lt;bburke@redhat.com&gt;</a> wrote:<br>
        <br>
      </div>
      <div>
        <blockquote type="cite">
          <div class="msg-quote">
            <div class="_stretch"><span class="body-text-content"><span
                  class="body-text-content">The trick you found earlier
                  doesn't work?<br>
                  <br>
                  <a moz-do-not-send="true"
href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header"
data-mce-href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header">http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header</a><br>
                  <br>
                  Also, what if in keycloak.js kc.clientSecret is
                  null? Just remove <br>
                  the client secret IMO. You shouldn't be exposing the
                  client secret as <br>
                  it is now public to everybody in the world....<br>
                  <br>
                  On 7/29/2015 8:05 AM, Michael Gerber wrote:<br>
                </span></span>
              <blockquote class="quoted-plain-text" type="cite">I could
                find a solution for my IE problem.</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">IE
                overwrites the Authorization header in the
                XMLHttpRequest</blockquote>
              <blockquote class="quoted-plain-text" type="cite">(/protocol/openid-connect/token)
                with "Authorization: Negotiate".</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">To solve
                this problem, I added on the client the client_id</blockquote>
              <blockquote class="quoted-plain-text" type="cite">and
                client_secret to the form and changed the
                authorizeClient method, so</blockquote>
              <blockquote class="quoted-plain-text" type="cite">it
                checks first the form data instead of the authorization
                http header.</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">Have a
                look at my code:</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><a
                  moz-do-not-send="true"
href="https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c"
data-mce-href="https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c">https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c</a></blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">Should I
                create a pull request for the changes or do you have a
                better</blockquote>
              <blockquote class="quoted-plain-text" type="cite">solution?</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">cheers</blockquote>
              <blockquote class="quoted-plain-text" type="cite">Michael</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">On 22
                July 2015 at 11:46, Marek Posolda &lt;<a
                  moz-do-not-send="true"
                  href="mailto:mposolda@redhat.com"
                  data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt; wrote:</blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">Hi
                  Michael,</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite"><br>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">No
                  idea if there is other solution, I've never tried
                  SPNEGO with</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">Internet
                  explorer TBH :(</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite"><br>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">Could
                  you please create JIRA for this?</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite"><br>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">Thanks,</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">Marek</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite"><br>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">On
                  22.7.2015 10:07, Michael Gerber wrote:</blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">Hi
                    all</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">My
                    Kerberos configuration works fine with Firefox and
                    Chrome, but it</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">does
                    not work with IE.</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">It
                    shows a prompt where the user has to enter a
                    username and password.</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">I
                    can successfully get an access code, but I can not
                    get an access</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">token,
                    because IE overwrites the Authorization header in
                    the AJAX</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">request.
                    (see</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><a
                      moz-do-not-send="true"
href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header"
data-mce-href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header">http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header</a>)</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">I
                    can fix this by adding</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">document.execCommand('ClearAuthenticationCache',
                    'false');</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">above</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">var
                    req = new XMLHttpRequest();</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">approximately
                    at line 374 in the keycloak.js file.</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">Is
                    there another solution for this problem?</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">cheers</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">Michael</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><br>
                  </blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">_______________________________________________</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite">keycloak-dev
                    mailing list</blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><a
                      moz-do-not-send="true"
                      href="mailto:keycloak-dev@lists.jboss.org"
                      data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite">
                  <blockquote class="quoted-plain-text" type="cite"><a
                      moz-do-not-send="true"
                      href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite">
                <blockquote class="quoted-plain-text" type="cite"><br>
                </blockquote>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <blockquote class="quoted-plain-text" type="cite"><br>
              </blockquote>
              <span class="body-text-content"><br>
                -- <br>
                Bill Burke<br>
                JBoss, a division of Red Hat<br>
                <a moz-do-not-send="true"
                  href="http://bill.burkecentral.com"
                  data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
              </span></div>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
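The public-client flow described in the reply above, as an added example that is not part of the original e-mail and is not Keycloak or keycloak.js code: a JS client without a secret sends client_id in the form body, and the token endpoint ignores a non-Basic Authorization header instead of answering 401, while a confidential client must still present its secret. CLIENTS, buildTokenRequest, resolveClient and all sample values are hypothetical and constructed.

```javascript
// Added example: models the decision discussed in the thread; not Keycloak code.
// CLIENTS, buildTokenRequest and resolveClient are hypothetical names.

// Constructed registry: one public (browser) client, one confidential client.
const CLIENTS = new Map([
  ['js-console', { publicClient: true }],
  ['backend-service', { publicClient: false, secret: 'constructed-secret' }],
]);

// Client side: what a JS adapter sends to /protocol/openid-connect/token.
function buildTokenRequest(config, code) {
  const headers = { 'content-type': 'application/x-www-form-urlencoded' };
  const form = { grant_type: 'authorization_code', code: code };
  if (config.clientSecret) {
    // Confidential client: credentials travel in the Authorization header.
    const pair = config.clientId + ':' + config.clientSecret;
    headers['authorization'] = 'Basic ' + Buffer.from(pair).toString('base64');
  } else {
    // Public client: no secret exists, so only client_id goes in the form body.
    form.client_id = config.clientId;
  }
  return { headers: headers, form: form };
}

// Return {clientId, secret} for a Basic header, null for any other scheme.
function parseBasic(value) {
  const match = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(String(value || '').trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep === -1) return null;
  return { clientId: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
}

// Compare secrets without returning early on the first differing byte.
function constantTimeEquals(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  let diff = x.length ^ y.length;
  for (const [i, byte] of x.entries()) diff |= byte ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Server side: identify the caller of the token endpoint.
function resolveClient(headers, form) {
  const basic = parseBasic(headers['authorization']);
  // A non-Basic header, such as the "Negotiate ..." value a browser may inject,
  // is ignored instead of rejected, so client_id from the form is still read.
  const clientId = basic ? basic.clientId : form.client_id;
  if (!clientId) return { status: 400, error: 'invalid_request' };
  const client = CLIENTS.get(clientId);
  if (!client) return { status: 401, error: 'invalid_client' };
  if (client.publicClient) return { status: 200, clientId: clientId };
  // Confidential clients must still present the secret; client_id alone fails.
  if (!basic || !constantTimeEquals(basic.secret, client.secret)) {
    return { status: 401, error: 'invalid_client' };
  }
  return { status: 200, clientId: clientId };
}
```

Ignoring the overwritten header is only safe because the public client never had a secret to protect; the confidential path still fails closed when the header is replaced.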
  </body>
</html>