[keycloak-user] Authentication from embedded webpage

Subhrajyoti Moitra subhrajyotim at gmail.com
Thu Apr 7 05:22:38 EDT 2016


Hello Marek,

I actually hadn't shown the starting script tag in the code snippet above. :)

I checked using a debugger that the kcInitObj values are going into the
init method correctly.
Do I have to call some other function after init call?
Somehow, when I skip the onLoad option, success/error methods are never
called.
I notice that a call to this URL is being made and nothing after that:

http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080

Does the version of KC matter? I am using 1.5.1.Final.

I am attaching the index.jsp for reference, since this is the file I am
experimenting with.
This is just an example to check if things are working or not.

Thanks a lot for taking time to look into this. Really appreciate it.

Thanks,
Subhro.

On Thu, Apr 7, 2016 at 1:36 PM, Marek Posolda <mposolda at redhat.com> wrote:

> I think that you don't need to use "onLoad" option at all because you
> passed tokens. So you can just use something like:
>
> var kcInitObj={
>     token:'<%=token%>',
>     refreshToken:'<%=refreshToken%>',
>     idToken:'<%=idToken%>'};
>
>
> Besides that, I can see that you added tag "<script>" after the kcInitObj
> is initialized. Unless I am missing something (previous snippet of your
> page etc), you will need to first add tag "<script>" and then initialize
> kcInitObj inside that as it's javascript object.
>
> If you have some javascript debugger (for example Firebug on FF) you can
> add breakpoint before keycloak.init call and check that "kcInitOptions"
> look as expected and really contain the 3 tokens you passed above.
>
> Marek
>
>
> On 07/04/16 08:19, Subhrajyoti Moitra wrote:
>
> Hello Stian and Marek,
>
> Thanks for the clarification.
> I am not sure what you mean by "invoke that yourself and initialize
> keycloak.js with the tokens afterwards". You mean in the new KeyCloak(...)
> constructor I pass the tokens and other values?
>
> " authenticate with both LDAP and Keycloak in the first place...."
>
> - The desktop windows application is an old legacy application (custom
> dialer) used to connect to Aspect Telephony server. This Aspect server
> requires the AD login so that agents using this dialer are connected to
> Aspect. So I don't know how I can avoid this.
> - There is no way to pass the username/pass from the embedded KC page to
> the "parent" windows application. Not sure if some workaround is possible
> in the local application or not.
>
> Please help.
>
> Thanks,
> Subhro.
>
>
>
>
>
> On Thu, Apr 7, 2016 at 11:18 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> keycloak.js doesn't support direct grant and we won't add it. You'd have
>> to invoke that yourself and initialize keycloak.js with the tokens
>> afterwards.
>>
>> Why do you need to authenticate with both LDAP and Keycloak in the first
>> place? In either case I'd say a better way would be to use what Marek
>> suggests as option 2. User can enter username/password in embedded Keycloak
>> login page instead of popup box. Using the embedded login page has a number
>> of benefits over direct grant. For example required actions, recover
>> password support, etc, etc..
>>
>> On 7 April 2016 at 07:07, Subhrajyoti Moitra <subhrajyotim at gmail.com>
>> wrote:
>>
>>> Hello Marek,
>>>
>>> What is the value of onLoad during keycloak init() function?
>>> I tried both check-sso and login-required, but it still is showing the
>>> kc login page.
>>>
>>> Here's what I did.
>>> Using Java code I get direct access grant tokens. I get a response from
>>> this code like the one below.
>>>
>>> {"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblahblah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}
>>>
>>> Then I am hitting the jsp page.
>>> http://localhost:8080/myapp/index.jsp?tokenJson=<theabovejsonstring-cut-and-pasted>
>>>
>>> In index.jsp I extract the tokenJson param and parse the json to further
>>> extract the accessToken, idToken and refreshToken.
>>>
>>> A code snippet in index.jsp, like the below generates the keycloak init
>>> obj.
>>>
>>> <% String iaJsonStr = request.getParameter("tokenJson"); // get the token json from url
>>> String token = "", idToken = "", refreshToken = ""; // init the values
>>> if (!StringUtils.isEmpty(iaJsonStr)) {
>>>     JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
>>>     token = iaJsonObj.getString("access_token"); // extract access
>>>     refreshToken = iaJsonObj.getString("refresh_token"); // extract refresh
>>>     idToken = iaJsonObj.getString("id_token"); // extract id
>>> }
>>> if (!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)) { %>
>>> var kcInitObj={
>>>     onLoad:'check-sso',
>>>     token:'<%=token%>',
>>>     refreshToken:'<%=refreshToken%>',
>>>     idToken:'<%=idToken%>'};
>>> <% } else { %>
>>> var kcInitObj={
>>>     onLoad:'check-sso'};
>>> <% } %>
>>>
>>> .......
>>> .....
>>>
>>> <script>
>>>     var keycloak = Keycloak('/myapp/keycloak-dev.json');
>>>     keycloak.init(kcInitObj).success(function(authenticated) {
>>>         if(!authenticated){
>>>             keycloak.login();
>>>         }else{
>>>             //call loadProfile and get the user details.
>>>         }
>>>     }).error(....);
>>> </script>
>>>
>>>
>>> This is still redirecting me to the login page. Do I have to do
>>> something in the client setup?
>>>
>>> So close, yet so far... Please help.
>>>
>>> Thanks a lot for your attention.
>>> Subhro.
>>>
>>>
>>> On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra <
>>> subhrajyotim at gmail.com> wrote:
>>>
>>>> Thanks a million Marek for setting us in the right direction.
>>>>
>>>> "...application is able to access the javascript state from embedded
>>>> IE" - this is not possible currently, hence the 1st solution won't work.
>>>>
>>>> We will follow the 2nd way to do this.
>>>>
>>>> So using "direct access grant
>>>> <http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html>"
>>>> I get the required JSON token data as mentioned.
>>>> Then I pass this data to the jsp page (embedded in IE), using URL
>>>> params.
>>>> The JSP page pulls out the required data from the URL params, and then
>>>> inits keycloak.js.
>>>> In the keycloak init function I pass the token, idToken and refreshToken
>>>> values.
>>>>
>>>> Hopefully this works, trying it now!
>>>>
>>>> Thanks a lot again for the pointers.
>>>>
>>>> Subhro.
>>>>
>>>> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda <mposolda at redhat.com>
>>>> wrote:
>>>>
>>>>> Do you have "control" over the application? Is it possible to
>>>>> propagate security contexts from the application to embedded IE or vice versa?
>>>>>
>>>>> In theory what can work is either:
>>>>> - You skip step1 and don't pop up the username/password box. Instead
>>>>> you just authenticate in step2 inside IE and then propagate the
>>>>> context (token) to step1. This is possible only if the application is able to
>>>>> access the javascript state from embedded IE.
>>>>>
>>>>> - If you can propagate just from desktop to IE, then in step1 you
>>>>> will configure your application to send the request for username/password
>>>>> authentication to Keycloak via direct access grant (instead of sending
>>>>> username+password directly to AD/LDAP). Once you receive the token from direct
>>>>> access grant, you can use it inside IE in step2 (keycloak.js can be
>>>>> initialized with a token. You just need to pass the token
>>>>> and refreshToken as arguments to keycloak.init. Then keycloak.js won't
>>>>> redirect you to the login screen).
>>>>>
>>>>> Marek
>>>>>
>>>>>
>>>>> On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>>>>
>>>>> Hello Team,
>>>>>
>>>>> I have a standalone windows desktop application that authenticates
>>>>> against an AD/LDAP server. The application pops up a username/password box
>>>>> and submits it to the LDAP for authentication.
>>>>> The same AD/LDAP server is also synced with a Keycloak installation.
>>>>>
>>>>> The windows application embeds the IE browser control and shows a jsp
>>>>> page.
>>>>> This jsp page is protected using keycloak js adapter. Obviously the
>>>>> user is re-directed to the keycloak login page. So the user has to login
>>>>> twice, once using the application popup and other in the embedded jsp,
>>>>> after getting redirected to the keycloak login page.
>>>>>
>>>>> I don't want to re-prompt the user for re-login, since he has already
>>>>> authenticated against the AD server.
>>>>> Is there a way to not re-prompt the user, when the embedded IE
>>>>> requests the secure JSP?
>>>>>
>>>>> Please help, as we are not able to come up with a solution for the
>>>>> same.
>>>>> Any pointers how we can avoid the 2nd authentication.
>>>>>
>>>>> Thanks,
>>>>> Subhro.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
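The token-to-kcInitObj step this thread works through, as an added JavaScript example (not code from the thread or from keycloak.js itself): it parses a direct-access-grant response, applies the same presence check as the JSP, additionally rejects an already-expired access token, and follows Marek's advice of leaving out onLoad when tokens are supplied. The function names and the token fixture are mine; the fixture only imitates the JSON shape shown above.

```javascript
// Base64url-decode the payload of a JWT. No signature check is done here:
// the browser adapter never verifies signatures, the Keycloak server does.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  try { return JSON.parse(Buffer.from(b64, 'base64').toString('utf8')); }
  catch (e) { return null; }
}

// Build kcInitObj from the direct-grant response JSON. With a complete,
// unexpired token set, onLoad is left out so keycloak.js adopts the tokens
// instead of redirecting to login; otherwise fall back to a plain check-sso.
function buildKcInitOptions(tokenJson, nowSec = Math.floor(Date.now() / 1000)) {
  const fallback = { onLoad: 'check-sso' };
  let resp;
  try { resp = JSON.parse(tokenJson || ''); } catch (e) { return fallback; }
  if (!resp || typeof resp !== 'object') return fallback;
  const token = resp.access_token, refreshToken = resp.refresh_token, idToken = resp.id_token;
  if (!token || !refreshToken || !idToken) return fallback; // same presence check as the JSP
  const claims = decodeJwtPayload(token);
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) return fallback;
  return { token, refreshToken, idToken };
}

// Constructed fixture (hypothetical): a JWT-shaped string with the given
// claims and a dummy signature, only so the example runs offline.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.dummysig`;
}

// Constructed response in the shape the thread shows (all values are fake).
function sampleDirectGrantResponse(exp) {
  return JSON.stringify({
    access_token: fakeJwt({ exp, sub: 'agent42' }),
    expires_in: 1800, refresh_expires_in: 1800,
    refresh_token: fakeJwt({ exp: exp + 1800, typ: 'Refresh' }),
    token_type: 'bearer',
    id_token: fakeJwt({ exp, sub: 'agent42' }),
    'session-state': 'constructed-session-id',
  });
}

// Usage: tokens still valid at nowSec=1000 -> kcInitObj without onLoad.
console.log(buildKcInitOptions(sampleDirectGrantResponse(2000), 1000));
```

Note that the JSP above carries the tokens in the URL query string and writes them into the page script unescaped, so they end up in browser history and server logs; passing them in a POST body or a short-lived server-side session is the usual way to keep them out of both.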
-------------- next part --------------
A non-text attachment was scrubbed...
Name: index.jsp
Type: application/octet-stream
Size: 7846 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/319da38d/attachment-0001.obj 