<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Thanks for the confirm! <br>
      <br>
      I've added the patch to keycloak master and it will be available in
      1.5. I've also resolved jira
      <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-1595">https://issues.jboss.org/browse/KEYCLOAK-1595</a> .<br>
      <br>
      Thanks,<br>
      Marek<br>
      <br>
      On 4.8.2015 07:58, Michael Gerber wrote:<br>
    </div>
    <blockquote cite="mid:99ebd612-3c27-4094-87db-27213e4064ff@me.com"
      type="cite">
      <div>
        <div>Hi Marek,</div>
        <div><br>
        </div>
        <div>Your proposed patch works perfectly fine.</div>
        <div>IE only overwrites the header for the keycloak REST
          services, the other REST services work fine. </div>
        <div><br>
        </div>
        <div>Thank you for your help.</div>
        <div>Michael</div>
      </div>
      <div><br>
        On 3 August 2015 at 13:36, Marek Posolda
        <a class="moz-txt-link-rfc2396E" href="mailto:mposolda@redhat.com">&lt;mposolda@redhat.com&gt;</a> wrote:<br>
        <br>
      </div>
      <div>
        <div>
          <blockquote type="cite">
            <div class="msg-quote">
              <div class="moz-cite-prefix">On 29.7.2015 16:37, Michael
                Gerber wrote:<br>
              </div>
              <blockquote type="cite">
                <div>
                  <div style="font-family: 'Helvetica Neue', Helvetica,
                    sans-serif; line-height: 22.3999996185303px;"
                    data-mce-style="font-family: 'Helvetica Neue',
                    Helvetica, sans-serif; line-height:
                    22.3999996185303px;">The ClearAuthenticationCache
                    command deletes the following data:</div>
                  <div style="font-family: 'Helvetica Neue', Helvetica,
                    sans-serif; line-height: 22.3999996185303px;"
                    data-mce-style="font-family: 'Helvetica Neue',
                    Helvetica, sans-serif; line-height:
                    22.3999996185303px;">
                    <div>- Session cookies</div>
                    <div>- sessionStorage</div>
                    <div>- HTTP Authentication (e.g. Digest or Basic
                      HTTP credentials)</div>
                    <div>- HTTPS Client Certificates (e.g. sites that
                      use certificates or SmartCards)</div>
                  </div>
                  <div style="font-family: 'Helvetica Neue', Helvetica,
                    sans-serif; line-height: 22.3999996185303px;"
                    data-mce-style="font-family: 'Helvetica Neue',
                    Helvetica, sans-serif; line-height:
                    22.3999996185303px;"><br>
                  </div>
                  <div style="font-family: 'Helvetica Neue', Helvetica,
                    sans-serif; line-height: 22.3999996185303px;"
                    data-mce-style="font-family: 'Helvetica Neue',
                    Helvetica, sans-serif; line-height:
                    22.3999996185303px;">But keycloak needs the session
                    cookie, otherwise the user has to relogin after each
                    page reload.</div>
                  <div style="font-family: 'Helvetica Neue', Helvetica,
                    sans-serif; line-height: 22.3999996185303px;"
                    data-mce-style="font-family: 'Helvetica Neue',
                    Helvetica, sans-serif; line-height:
                    22.3999996185303px;"><br>
                  </div>
                  <div style="font-family: 'Helvetica Neue', Helvetica,
                    sans-serif; line-height: 22.3999996185303px;"
                    data-mce-style="font-family: 'Helvetica Neue',
                    Helvetica, sans-serif; line-height:
                    22.3999996185303px;">Isn't the clientSecret anyway
                    public if it is sent in the Authorization header? <br>
                  </div>
                </div>
              </blockquote>
              Yes, it is for JS clients. That's why it's better to not
              use clientSecret with javascript based clients, but
              instead mark those clients as "public" in keycloak admin
              console. In this case keycloak.js will use client_id
              parameter instead of Authorization header. Can this work
              for you?<br>
              <br>
              The thing is that currently AuthorizeClientUtil will likely
              automatically send 401 if it finds an "Authorization:
              Negotiate ..." header even if you have a public client and
              you want to use client_id (I did not test it, but guessing
              from looking at the code). So I've created a simple
              patch to avoid it: <a moz-do-not-send="true"
                class="moz-txt-link-freetext"
href="https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903"
data-mce-href="https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903">https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903</a><br>
              <br>
              So if you do the steps like:<br>
              1) Make your client public<br>
              2) Apply my patch<br>
              <br>
              will it help?<br>
              <br>
              I am still seeing potential issues if your javascript
              client needs to send REST requests authorized by
              "Authorization: Bearer" header with accessToken. Not sure
              if IE doesn't again overwrite the header with
              "Authorization: Negotiate". In this case REST request
              would fail. But hopefully not... If you have the opportunity
              to try it, it will be cool.<br>
              <br>
              Thanks,<br>
              Marek<br>
              <br>
              <blockquote type="cite">
                <div><br>
                  On 29 July 2015 at 14:27, Bill Burke <a
                    moz-do-not-send="true" class="moz-txt-link-rfc2396E"
                    href="mailto:bburke@redhat.com"
                    data-mce-href="mailto:bburke@redhat.com">&lt;bburke@redhat.com&gt;</a> wrote:<br>
                  <br>
                </div>
                <div>
                  <blockquote type="cite">
                    <div class="msg-quote">
                      <div class="_stretch"><span
                          class="body-text-content"><span
                            class="body-text-content">The trick you
                            found earlier doesn't work?<br>
                            <br>
                            <a moz-do-not-send="true"
href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header"
data-mce-href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header">http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header</a><br>
                            <br>
                            Also, what if in keycloak.js if
                            kc.clientSecret is null? Just remove <br>
                            the client secret IMO. You shouldn't be
                            exposing the client secret as <br>
                            it is now public to everybody in the
                            world....<br>
                            <br>
                            On 7/29/2015 8:05 AM, Michael Gerber wrote:<br>
                          </span></span>
                        <blockquote class="quoted-plain-text"
                          type="cite">I could find a solution for my IE
                          problem.</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">IE overwrites the Authorization
                          header in the XMLHttpRequest</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">(/protocol/openid-connect/token)
                          with "Authorization: Negotiate".</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">To solve this problem, I added on
                          the client the client_id</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">and client_secret to the form and
                          changed the authorizeClient method, so</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">it checks first the form data
                          instead of the authorization http header.</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">Have a look at my code:</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><a moz-do-not-send="true"
href="https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c"
data-mce-href="https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c">https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c</a></blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">Should I create a pull request for
                          the changes or do you have a better</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">solution?</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">cheers</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">Michael</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">On 22 July 2015 at 11:46, Marek
                          Posolda &lt;<a moz-do-not-send="true"
                            href="mailto:mposolda@redhat.com"
                            data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a></blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><a moz-do-not-send="true"
                            class="moz-txt-link-rfc2396E"
                            href="mailto:mposolda@redhat.com"
                            data-mce-href="mailto:mposolda@redhat.com">&lt;mailto:mposolda@redhat.com&gt;</a>&gt; wrote:</blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">Hi Michael,</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite"><br>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">No idea if there is other
                            solution, I've never tried SPNEGO with</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">Internet explorer TBH :(</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite"><br>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">Could you please create JIRA for
                            this?</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite"><br>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">Thanks,</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">Marek</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite"><br>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">On 22.7.2015 10:07, Michael
                            Gerber wrote:</blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">Hi all</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">My kerberos configuration
                              works fine with FireFox and Chrome, but it</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">does not work with IE.</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">It shows a prompt where the
                              user has to enter a username and password.</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">I can successfully get an
                              access code, but I can not get an access</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">token, because IE overwrites
                              the Authorization header in the AJAX</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">request. (see</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><a moz-do-not-send="true"
href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header"
data-mce-href="http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header">http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header</a>)</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">I can fix this by adding</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">document.execCommand('ClearAuthenticationCache',
                              'false');</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">above of</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">var req = new
                              XMLHttpRequest();</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">approximately at the line 374
                              in the keycloak.js file.</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">Is there another solution for
                              this problem?</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">cheers</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">Michael</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><br>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">_______________________________________________</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite">keycloak-dev mailing list</blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><a moz-do-not-send="true"
                                href="mailto:keycloak-dev@lists.jboss.org"
data-mce-href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a></blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite">
                            <blockquote class="quoted-plain-text"
                              type="cite"><a moz-do-not-send="true"
                                href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></blockquote>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite">
                          <blockquote class="quoted-plain-text"
                            type="cite"><br>
                          </blockquote>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <blockquote class="quoted-plain-text"
                          type="cite"><br>
                        </blockquote>
                        <span class="body-text-content"><br>
                          -- <br>
                          Bill Burke<br>
                          JBoss, a division of Red Hat<br>
                          <a moz-do-not-send="true"
                            href="http://bill.burkecentral.com"
                            data-mce-href="http://bill.burkecentral.com">http://bill.burkecentral.com</a><br>
                        </span></div>
                    </div>
                  </blockquote>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
      </div>
      <style class="_message-styles">div.msg-quote { background-color:#FFFFFF;}
</style></blockquote>
    <br>
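    <div>The server-side decision discussed in this thread (skip an
      "Authorization: Negotiate" header and fall back to client_id for a
      public client), as an added JavaScript example that is not part of
      the original messages and is not Keycloak's code. The client
      registry, the function names and the rejectForeignScheme flag are
      assumptions made for illustration.</div>
    <pre>
```javascript
// Added example: a model of client authentication at an OAuth2 token endpoint.
// Not Keycloak code. CLIENTS, parseBasic, authorizeClient are hypothetical names.

// Constructed client registry: one public JS client, one confidential client.
const CLIENTS = new Map([
  ["spa-app", { publicClient: true }],
  ["backend", { publicClient: false, secret: "constructed-secret" }],
]);

// Returns { id, secret } for "Basic base64(id:secret)", null for any other scheme
// (for example the "Negotiate ..." value IE substitutes on the XMLHttpRequest).
function parseBasic(header) {
  if (typeof header !== "string") return null;
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== "basic") return null;
  const decoded = Buffer.from(parts[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep === -1) return null;
  return { id: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
}

// Compares two secrets without returning early on the first differing byte.
function constantTimeEqual(a, b) {
  const x = Buffer.from(String(a), "utf8");
  const y = Buffer.from(String(b), "utf8");
  let diff = x.length ^ y.length;
  x.forEach((byte, i) => { diff |= byte ^ (y[i] || 0); });
  return diff === 0;
}

// Helper to build a Basic header for the sample requests.
function basicHeader(id, secret) {
  return "Basic " + Buffer.from(id + ":" + secret, "utf8").toString("base64");
}

// headers: object keyed by lower-cased header name; form: parsed POST body.
// rejectForeignScheme = true models the behaviour guessed in the thread for the
// unpatched server (401 as soon as a non-Basic Authorization header is seen).
// rejectForeignScheme = false models the patched behaviour: the unusable header
// is ignored and the form parameters are consulted instead.
function authorizeClient(headers, form, rejectForeignScheme) {
  const authz = headers["authorization"];
  const basic = parseBasic(authz);
  if (authz !== undefined && basic === null && rejectForeignScheme) {
    return { status: 401, reason: "unsupported Authorization scheme" };
  }
  const id = basic ? basic.id : form.client_id;
  const secret = basic ? basic.secret : form.client_secret;
  const client = typeof id === "string" ? CLIENTS.get(id) : undefined;
  if (!client) return { status: 401, reason: "unknown client" };
  const via = basic ? "header" : "form";
  // A public client has no secret: identifying it by client_id is enough.
  if (client.publicClient) return { status: 200, clientId: id, via };
  // A confidential client must still prove knowledge of its secret.
  if (typeof secret === "string" && constantTimeEqual(secret, client.secret)) {
    return { status: 200, clientId: id, via };
  }
  return { status: 401, reason: "bad client credentials" };
}

// Constructed request: the header value IE sends in place of the original one.
const ieHeaders = { authorization: "Negotiate constructed-token" };
console.log(authorizeClient(ieHeaders, { client_id: "spa-app" }, true));
console.log(authorizeClient(ieHeaders, { client_id: "spa-app" }, false));
console.log(authorizeClient(ieHeaders, { client_id: "backend" }, false));
```
    </pre>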
  </body>
</html>