[keycloak-user] Redirect to keycloak only for certain content-types
Tair Sabirgaliev
tair.sabirgaliev at bee.kz
Wed Oct 7 09:30:13 EDT 2015
Is KeycloakConfigResolver coming in 1.6?
--
Tair Sabirgaliev
Bee Software, LLP
On October 6, 2015 at 11:32:44, Stian Thorgersen (sthorger at redhat.com) wrote:
I'm afraid it's not possible at the moment. The only option now is to have two different clients and either split your application into two, or you can use the KeycloakConfigResolver to select the client based on the content type yourself. See the multi tenancy example for an idea on how to use it.
On 2 October 2015 at 18:24, Tair Sabirgaliev <tair.sabirgaliev at bee.kz> wrote:
Hi,
Yes, it can be done with nginx, but I still hope this could be accomplished natively :)
The general idea is this:
a) if browser asks for "text/html" => act as confidential/public client, that is
start keycloak login protocol
b) if browser asks for "application/json” => act as bearer only client, and in
case of authorization error, respond with proper 40x status
This would let me build an ‘isomorphic’ JavaScript application (http://isomorphic.net)
With keycloak-1.5.0 I see that there is no difference whether I accept text/html or application/json:
tair$ curl -v -H 'Accept: text/html' http://localhost:9080/hello-world/rest/something
* Trying ::1...
* connect to ::1 port 9080 failed: Connection refused
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9080 (#0)
> GET /hello-world/rest/something HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.43.0
> Accept: text/html
>
< HTTP/1.1 302 Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
< Server: WildFly/9
< Pragma: no-cache
< Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
< Date: Fri, 02 Oct 2015 15:53:32 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact
tair$ curl -v -H 'Accept: application/json' http://localhost:9080/hello-world/rest/something
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9080 (#0)
> GET /hello-world/rest/something HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.43.0
> Accept: application/json
>
< HTTP/1.1 302 Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
< Server: WildFly/9
< Pragma: no-cache
< Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
< Date: Fri, 02 Oct 2015 15:53:41 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact
Any workarounds there?
--
Tair Sabirgaliev
Bee Software, LLP
On October 2, 2015 at 20:54:01, Giriraj Sharma (giriraj.sharma27 at gmail.com(mailto:giriraj.sharma27 at gmail.com)) wrote:
> Hi,
>
> One possible way is to put nginx as a reverse proxy in between browser and Keycloak server instance. You can dig around using $content_type embedded variable of nginx ngx_http_core_module or may be nginx_rewrite module and a simple tweak (may be an if statement in nginx server/location block config) will help you in achieving the required. Based on the value of content-type header, you can proxy-pass the requests to a different upstream server via nginx.
>
> Cheers,
>
>
> On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:
> >
> > Hi,
> >
> > Is it possible to setup login redirection only for certain content types?
> > I want to redirect only when the browser asks for text/html. For other types
> > either 40x or Authorization challenge.
> >
> > --
> > Tair Sabirgaliev
> > Bee Software, LLP
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org(mailto:keycloak-user at lists.jboss.org)
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
>
> Giriraj Sharma
> about.me/girirajsharma
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Giriraj Sharma,
> Department of Computer Science
> National Institute of Technology Hamirpur
> Himachal Pradesh, India 177005
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20151007/be5a071e/attachment.html
More information about the keycloak-user
mailing list