[keycloak-user] Redirect to keycloak only for certain content-types

Stian Thorgersen sthorger at redhat.com
Tue Oct 6 01:32:44 EDT 2015


I'm afraid it's not possible at the moment. The only option now is to have
two different clients and either split your application into two, or you
can use the KeycloakConfigResolver to select the client based on the
content type yourself. See the multi tenancy example for an idea on how to
use it.

On 2 October 2015 at 18:24, Tair Sabirgaliev <tair.sabirgaliev at bee.kz>
wrote:

>
> Hi,
>
> Yes, it can be done with nginx, but I still hope this could be
> accomplished natively :)
>
> The general idea is this:
>
> a) if browser asks for "text/html" => act as confidential/public
> client, that is start keycloak login protocol
>
> b) if browser asks for "application/json" => act as bearer only client,
> and in case of authorization error, respond with proper 40x status
>
> This would let me build an ‘isomorphic’ JavaScript application (
> http://isomorphic.net)
>
> With keycloak-1.5.0 I see that there is no difference whether I accept
> text/html or application/json:
>
> tair$ curl -v -H 'Accept: text/html'
> http://localhost:9080/hello-world/rest/something
> *   Trying ::1...
> * connect to ::1 port 9080 failed: Connection refused
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 9080 (#0)
> > GET /hello-world/rest/something HTTP/1.1
> > Host: localhost:9080
> > User-Agent: curl/7.43.0
> > Accept: text/html
> >
> < HTTP/1.1 302 Found
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Set-Cookie:
> OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
> < Server: WildFly/9
> < Pragma: no-cache
> < Location:
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
> < Date: Fri, 02 Oct 2015 15:53:32 GMT
> < Connection: keep-alive
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
> tair$ curl -v -H 'Accept: application/json'
> http://localhost:9080/hello-world/rest/something
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 9080 (#0)
> > GET /hello-world/rest/something HTTP/1.1
> > Host: localhost:9080
> > User-Agent: curl/7.43.0
> > Accept: application/json
> >
> < HTTP/1.1 302 Found
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Set-Cookie:
> OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
> < Server: WildFly/9
> < Pragma: no-cache
> < Location:
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
> < Date: Fri, 02 Oct 2015 15:53:41 GMT
> < Connection: keep-alive
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
> Any workarounds there?
>
> --
> Tair Sabirgaliev
> Bee Software, LLP
>
>
>
> On October 2, 2015 at 20:54:01, Giriraj Sharma (giriraj.sharma27 at gmail.com) wrote:
>
> > Hi,
> >
> > One possible way is to put nginx as a reverse proxy in between browser
> > and Keycloak server instance. You can dig around using $content_type
> > embedded variable of nginx ngx_http_core_module or maybe nginx_rewrite
> > module and a simple tweak (maybe an if statement in nginx server/location
> > block config) will help you in achieving the required. Based on the value
> > of content-type header, you can proxy-pass the requests to a different
> > upstream server via nginx.
> >
> > Cheers,
> >
> >
> > On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:
> > >
> > > Hi,
> > >
> > > Is it possible to set up login redirection only for certain content types?
> > > I want to redirect only when the browser asks for text/html. For other types
> > > either 40x or Authorization challenge.
> > >
> > > --
> > > Tair Sabirgaliev
> > > Bee Software, LLP
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org(mailto:keycloak-user at lists.jboss.org)
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> > --
> >
> > Giriraj Sharma
> > about.me/girirajsharma
> >
> > Giriraj Sharma,
> > Department of Computer Science
> > National Institute of Technology Hamirpur
> > Himachal Pradesh, India 177005
>
>
>
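
Added example, not part of the original thread and not code from the Keycloak project: a sketch of the KeycloakConfigResolver approach suggested in the reply, choosing between two client configurations from the Accept header. The class name, the two keycloak.json file names and the 1.5-era package of HttpFacade are assumptions.

```java
import java.io.InputStream;

import org.keycloak.adapters.HttpFacade; // assumption: 1.5-era package; later adapters use org.keycloak.adapters.spi
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

public class AcceptHeaderConfigResolver implements KeycloakConfigResolver {

    // Hypothetical resource names: one adapter config per client registered in the realm.
    private static final String BROWSER_CONFIG = "/browser-keycloak.json"; // confidential/public client
    private static final String API_CONFIG = "/api-keycloak.json";         // contains "bearer-only": true

    // Built once; the resolver is consulted on every request.
    private final KeycloakDeployment browser = load(BROWSER_CONFIG);
    private final KeycloakDeployment api = load(API_CONFIG);

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // Accept is client-controlled. Both deployments still require
        // authentication, so the header only decides how a missing login is
        // signalled: login redirect (browser) or error status (bearer-only).
        return wantsHtml(request.getHeader("Accept")) ? browser : api;
    }

    // True only when text/html is listed explicitly. A missing header or a
    // bare "*/*" falls through to the bearer-only client, so scripts and
    // XHR callers never receive a login redirect.
    static boolean wantsHtml(String accept) {
        if (accept == null) {
            return false;
        }
        for (String range : accept.split(",")) {
            String type = range.split(";", 2)[0].trim(); // drop ";q=..." parameters
            if ("text/html".equalsIgnoreCase(type)) {
                return true;
            }
        }
        return false;
    }

    private static KeycloakDeployment load(String resource) {
        InputStream is = AcceptHeaderConfigResolver.class.getResourceAsStream(resource);
        if (is == null) {
            throw new IllegalStateException("Missing adapter config " + resource);
        }
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

The resolver is registered in web.xml through the `keycloak.config.resolver` context parameter, as in the multi tenancy example the reply points to.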