[keycloak-user] Authentication from embedded webpage

Subhrajyoti Moitra subhrajyotim at gmail.com
Thu Apr 7 01:07:56 EDT 2016


Hello Marek,

What is the value of onLoad during keycloak init() function?
I tried both check-sso and login-required, but it still is showing the kc
login page.

Here's what I did.
Using Java code I get direct access grant tokens. I get a response from
this code like the one below.

{"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblahblah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}

Then I am hitting the JSP page.
http://localhost:8080/myapp/index.jsp?tokenJson=
<theabovejsonstring-cut-and-pasted>

In index.jsp I extract the tokenJson param and parse the json to further
extract the accessToken, idToken and refreshToken.

A code snippet in index.jsp like the one below generates the keycloak init object.

<%
String iaJsonStr = request.getParameter("tokenJson"); // get the token json from the url
String token = "", idToken = "", refreshToken = ""; // init the values
if (!StringUtils.isEmpty(iaJsonStr)) {
    // readObject() throws JsonException on malformed input; there is no catch here
    JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
    token = iaJsonObj.getString("access_token"); // extract access
    refreshToken = iaJsonObj.getString("refresh_token"); // extract refresh
    idToken = iaJsonObj.getString("id_token"); // extract id
}
if (!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken)
        && !StringUtils.isEmpty(idToken)) {
%>
// note: these values come straight from a URL parameter and are written into the
// script unescaped; they need JS/JSON escaping before untrusted input can reach this page
var kcInitObj = {
    onLoad: 'check-sso',
    token: '<%=token%>',
    refreshToken: '<%=refreshToken%>',
    idToken: '<%=idToken%>'
};
<%
} else {
%>
var kcInitObj = {
    onLoad: 'check-sso'
};
<%
}
%>

.......
.....

<script>
    var keycloak = Keycloak('/myapp/keycloak-dev.json');
    keycloak.init(kcInitObj).success(function(authenticated) {
        if (!authenticated) {
            keycloak.login();
        } else {
            //call loadProfile and get the user details.
        }
    }).error(function() {
        // ....
    });
</script>


This is still redirecting me to the login page. Do I have to do something
in the client setup?

So close, yet so far... Please help.

Thanks a lot for your attention.
Subhro.
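
The following is an added example, not code from this thread or from keycloak.js: it checks the direct-grant token JSON that index.jsp receives before it is handed to keycloak.init(), so a malformed, expired or wrong-client token falls back to a normal login instead of a silent redirect. The client id parameter and the sample token are assumptions; the signature is not verified here, that remains Keycloak's job.

```javascript
// Added example, not code from the thread. Validates the direct-grant token JSON that
// index.jsp receives before it is handed to keycloak.init(), so a malformed, expired or
// foreign-client token falls back to a normal login instead of a confusing redirect.
// It does NOT verify the signature; that is Keycloak's job on the server side.

function base64UrlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8')   // Node
    : atob(b64);                                     // browser (claims are ASCII here)
}

// Decode the claims (second segment) of a compact JWS without verifying it.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Build the object for keycloak.init(). expectedClientId is the "resource" value from
// keycloak-dev.json (assumed name); nowSeconds lets tests pin the clock.
function buildKcInitObj(tokenJson, expectedClientId, nowSeconds) {
  const fallback = { onLoad: 'login-required' };      // let keycloak.js do a real login
  let data;
  try { data = JSON.parse(tokenJson); } catch (e) { return fallback; }
  if (!data || !data.access_token || !data.refresh_token || !data.id_token) return fallback;
  let claims;
  try { claims = decodeJwtPayload(data.access_token); } catch (e) { return fallback; }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return fallback; // expired
  // Keycloak sets azp to the client the token was issued for; a token obtained with a
  // different client id than the one in keycloak-dev.json is not this adapter's token.
  if (claims.azp !== undefined && claims.azp !== expectedClientId) return fallback;
  return {
    onLoad: 'check-sso',
    token: data.access_token,
    refreshToken: data.refresh_token,
    idToken: data.id_token,
  };
}

// Constructed, unsigned sample token for offline demonstration (signature segment is fake).
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.fakesig';
}
```

Passing the three values through a URL parameter (as in the snippet above) also leaves bearer tokens in browser history and server logs; this check does not remove that exposure.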


On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra <subhrajyotim at gmail.com>
wrote:

> Thanks a million Marek for setting us in the right direction.
>
> "...application is able to access the javascript state from embedded IE" -
> this is not possible currently, hence the 1st solution won't work.
>
> We will follow the 2nd way to do this.
>
> So using "direct access grant
> <http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html>"
> I get the required JSON token data as mentioned.
> Then I pass this data to the JSP page (embedded in IE), using URL params.
> The JSP page pulls out the required data from the URL params, and then
> inits keycloak.js.
> In the keycloak init function I pass the token, idToken and refreshToken
> values.
>
> Hopefully this works, trying it now!
>
> Thanks a lot again for the pointers.
>
> Subhro.
>
> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Do you have "control" over the application? Is it possible to
>> propagate security contexts from the application to embedded IE or vice versa?
>>
>> In theory what can work is either:
>> - You will skip step1 and not pop up the username/password box. Instead you
>> will just authenticate in step2 inside IE and then propagate the context (
>> token ) to step1. This is possible just if the application is able to access
>> the javascript state from embedded IE.
>>
>> - If you can propagate just from desktop to IE, then in step1 you will
>> configure your application to send the request for username/password
>> authentication to Keycloak via direct access grant (instead of sending
>> username+password directly to AD/LDAP). Once you receive the token from direct
>> access grant, you can use it inside IE in step2 ( keycloak.js has the
>> possibility to be initialized with a token. You just need to pass the token
>> and refreshToken as arguments to keycloak.init . Then keycloak.js won't
>> redirect you to the login screen )
>>
>> Marek
>>
>>
>> On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>
>> Hello Team,
>>
>> I have a standalone Windows desktop application that authenticates
>> against an AD/LDAP server. The application pops up a username/password box
>> and submits it to the LDAP for authentication.
>> The same AD/LDAP server is also synced with a Keycloak installation.
>>
>> The Windows application embeds the IE browser control and shows a JSP
>> page.
>> This JSP page is protected using the keycloak JS adapter. Obviously the user
>> is redirected to the keycloak login page. So the user has to log in twice,
>> once using the application popup and again in the embedded JSP, after
>> getting redirected to the keycloak login page.
>>
>> I don't want to re-prompt the user for relogin, since he has already
>> authenticated against the AD server.
>> Is there a way to not re-prompt the user when the embedded IE requests
>> the secure JSP?
>>
>> Please help, as we are not able to come up with a solution for this.
>> Any pointers on how we can avoid the 2nd authentication.
>>
>> Thanks,
>> Subhro.
>>
>>