[keycloak-user] Authentication from embedded webpage

Marek Posolda mposolda at redhat.com
Thu Apr 7 05:53:46 EDT 2016


Ah, it's maybe the login iframe which is causing issues for you. Given the 
nature of your app and the fact that you're not using SSO anyway in 
embedded IE, I suggest disabling the login iframe by adding this option to 
your "kcInitObj" too:

checkLoginIframe: false


Besides that, it seems that we have a minor bug in keycloak.js: callbacks 
are not called when you provide "tokens" but not "onLoad" and the 
IFrame is not working. Created JIRA: 
https://issues.jboss.org/browse/KEYCLOAK-2765

Marek

On 07/04/16 11:22, Subhrajyoti Moitra wrote:
> Hello Marek,
>
> I actually hadn't shown the starting script tag in the code snippet 
> above. :)
>
> I checked using a debugger that the kcInitObj values are going into 
> the init method correctly.
> Do I have to call some other function after init call?
> Somehow, when I skip the onLoad option, success/error methods are 
> never called.
> I notice that call to this url is being made and nothing after that,
>
> http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080
>
> Does version of KC matter, I am using 1.5.1.Final?
>
> I am attaching the index.jsp for reference, since this is the file I 
> am experimenting with.
> This is just an example to check if things are working or not.
>
> Thanks a lot for taking time to look into this. Really appreciate it.
>
> Thanks,
> Subhro.
>
>
>
>
>
>
> On Thu, Apr 7, 2016 at 1:36 PM, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     I think that you don't need to use "onLoad" option at all because
>     you passed tokens. So you can just use something like:
>
>     var kcInitObj={
>          token:'<%=token%>', refreshToken:'<%=refreshToken%>',
>     idToken:'<%=idToken%>' };
>
>
>     Besides that, I can see that you added tag "<script>" after the
>     kcInitObj is initialized. Unless I am missing something (previous
>     snippet of your page etc), you will need to first add tag
>     "<script>" and then initialize kcInitObj inside that as it's
>     javascript object.
>
>     If you have some javascript debugger (for example Firebug on FF)
>     you can add breakpoint before keycloak.init call and check that
>     "kcInitOptions" look as expected and really contain the 3 tokens
>     you passed above.
>
>     Marek
>
>
>     On 07/04/16 08:19, Subhrajyoti Moitra wrote:
>>     Hello Stian and Marek,
>>
>>     Thanks for the clarification.
>>     I am not sure what you mean by "invoke that yourself and initialize
>>     keycloak.js with the tokens afterwards". You mean in the new
>>     KeyCloak(...) constructor I pass the tokens and other values?
>>
>>     " authenticate with both LDAP and Keycloak in the first place...."
>>
>>     - The desktop windows application is an old legacy
>>     application (custom dialer) used to connect to Aspect Telephony
>>     server. This Aspect server requires the AD login so that agents
>>     using this dialer are connected to Aspect. So I don't know how I
>>     can avoid this.
>>     - There is no way to pass the username/pass from the embedded KC
>>     page to the "parent" windows application. Not sure if some
>>     workaround is possible in the local application or not.
>>
>>     Please help.
>>
>>     Thanks,
>>     Subhro.
>>
>>
>>
>>
>>
>>     On Thu, Apr 7, 2016 at 11:18 AM, Stian Thorgersen
>>     <sthorger at redhat.com <mailto:sthorger at redhat.com>> wrote:
>>
>>         keycloak.js doesn't support direct grant and we won't add it.
>>         You'd have to invoke that yourself and initialize keycloak.js
>>         with the tokens afterwards.
>>
>>         Why do you need to authenticate with both LDAP and Keycloak
>>         in the first place? In either case I'd say a better way would
>>         be to use what Marek suggests as option 2. User can enter
>>         username/password in embedded Keycloak login page instead of
>>         popup box. Using the embedded login page has a number of
>>         benefits over direct grant. For example required actions,
>>         recover password support, etc, etc..
>>
>>         On 7 April 2016 at 07:07, Subhrajyoti Moitra
>>         <subhrajyotim at gmail.com <mailto:subhrajyotim at gmail.com>> wrote:
>>
>>             Hello Marek,
>>
>>             What is the value of onLoad during keycloak init() function?
>>             I tried both check-sso and login-required, but it still
>>             is showing the kc login page.
>>
>>             Heres what I did.
>>             Using java code I get a direct access grant tokens. I get
>>             response from this code as something below.
>>
>>             {"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblah
>>             blah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}
>>
>>             Then I am hitting the jsp page.
>>             http://localhost:8080/myapp/index.jsp?tokenJson=<theabovejsonstring-cut-and-pasted>
>>
>>             In index.jsp I extract the tokenJson param and parse the
>>             json to further extract the accessToken, idToken and
>>             refreshToken.
>>
>>             A code snippet in index.jsp, like the below generates the
>>             keycloak init obj.
>>
>>             <%@ page import="javax.json.Json, javax.json.JsonObject, java.io.StringReader" %>
>>             <%-- StringUtils also needs an import from whichever commons-lang is on the classpath --%>
>>             <%
>>                 // get the token json from the url
>>                 String iaJsonStr = request.getParameter("tokenJson");
>>                 // init the values
>>                 String token = "", idToken = "", refreshToken = "";
>>                 if (!StringUtils.isEmpty(iaJsonStr)) {
>>                     JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
>>                     token = iaJsonObj.getString("access_token");         // extract access
>>                     refreshToken = iaJsonObj.getString("refresh_token"); // extract refresh
>>                     idToken = iaJsonObj.getString("id_token");           // extract id
>>                 }
>>                 if (!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)) {
>>             %>
>>             // the three values come straight from the URL and are written into JS string
>>             // literals: escape them for JavaScript (or reject anything that is not a
>>             // base64url JWT) before emitting them
>>             var kcInitObj = {
>>                  onLoad: 'check-sso',
>>                  token: '<%=token%>',
>>                  refreshToken: '<%=refreshToken%>',
>>                  idToken: '<%=idToken%>'
>>             };
>>             <% } else { %>
>>             var kcInitObj = {
>>                  onLoad: 'check-sso'
>>             };
>>             <% } %>
>>
>>             .......
>>             .....
>>
>>             <script>
>>                 var keycloak = Keycloak('/myapp/keycloak-dev.json');
>>                 keycloak.init(kcInitObj).success(function(authenticated) {
>>                     if (!authenticated) {
>>                         keycloak.login();
>>                     } else {
>>                         // call loadProfile and get the user details.
>>                     }
>>                 }).error(function() {
>>                     // ....
>>                 });
>>             </script>
>>
>>
>>             This is still redirecting me to the login page. Do I have
>>             to do something in the client setup?
>>
>>             So close, yet so far... Please help.
>>
>>             Thanks a lot for your attention.
>>             Subhro.
>>
>>
>>             On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra
>>             <subhrajyotim at gmail.com <mailto:subhrajyotim at gmail.com>>
>>             wrote:
>>
>>                 Thanks a million Marek for setting us in the right
>>                 direction.
>>
>>                 "...application is able to access the javascript
>>                 state from embedded IE"- this is not possible
>>                 currently, hence 1st solution wont work.
>>
>>                 We will follow the 2nd way to do this.
>>
>>                 So using "direct access grant
>>                 <http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html>"
>>                 i get the required JSON token data as mentioned.
>>                 Then I pass this data to the jsp page (embedded in
>>                 IE), using URL params.
>>                 The JSP page pulls out the required data from the URL
>>                 params, and then inits keycloak.js.
>>                 in keycloak init function i pass the token, idToken
>>                 and refreshToken values.
>>
>>                 Hopefully this works, trying it now!
>>
>>                 Thanks a lot again for the pointers.
>>
>>                 Subhro.
>>
>>                 On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda
>>                 <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>>
>>                     Do you have "control" over the application?
>>                     Is it possible to propagate security contexts
>>                     from the application to embedded IE or vice versa?
>>
>>                     In theory what can work is either:
>>                     - You will skip step1 and don't popup
>>                     username/password box. Instead you will just
>>                     authenticate in step2 inside IE and then
>>                     propagate the context ( token ) to step1. This is
>>                     possible just if application is able to access
>>                     the javascript state from embedded IE.
>>
>>                     - If you can propagate just from desktop to IE,
>>                     then in step1 you will configure your
>>                     application to send the request for
>>                     username/password authentication to Keycloak via
>>                     direct access grant (instead of sending
>>                     username+password directly to AD/LDAP). Once you
>>                     receive token from direct access grant, you can
>>                     use it inside IE in step2 ( keycloak.js has
>>                     possibility to be initialized with token. You
>>                     just need to pass the token and refreshToken as
>>                     arguments to keycloak.init . Then keycloak.js
>>                     won't redirect you to login screen )
>>
>>                     Marek
>>
>>
>>                     On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>>                     Hello Team,
>>>
>>>                     I have a standalone windows desktop application,
>>>                     that authenticates against an AD/LDAP server.
>>>                     The application pops up a username/password box,
>>>                     and submits it to the LDAP for authentication.
>>>                     The same AD/LDAP server is also synced with a
>>>                     Keycloak installation.
>>>
>>>                     The windows application embeds the IE browser
>>>                     control and shows a jsp page.
>>>                     This jsp page is protected using keycloak js
>>>                     adapter. Obviously the user is re-directed to
>>>                     the keycloak login page. So the user has to
>>>                     login twice, once using the application popup
>>>                     and other in the embedded jsp, after getting
>>>                     redirected to the keycloak login page.
>>>
>>>                     I don't want to re-prompt the user for relogin,
>>>                     since he has already authenticated against the
>>>                     AD server.
>>>                     Is there a way to not re-prompt the user, when
>>>                     the embedded IE requests the secure JSP?
>>>
>>>                     Please help, as we are not able to come up with
>>>                     a solution for the same.
>>>                     Any pointers how we can avoid the 2nd
>>>                     authentication.
>>>
>>>                     Thanks,
>>>                     Subhro.
>>>
>>>
>>>                     _______________________________________________
>>>                     keycloak-user mailing list
>>>                     keycloak-user at lists.jboss.org
>>>                     <mailto:keycloak-user at lists.jboss.org>
>>>                     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>>
>>
>>
>>
>
>
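As an added example, not code from the thread and not part of keycloak.js, the flow the thread converges on, in one Node-runnable file: the direct access grant request the desktop application sends to the realm's token endpoint instead of binding to AD/LDAP itself, a set of sanity checks the embedded page can run on tokens that arrived through a URL parameter before it trusts them, and the keycloak.init options Marek suggests (tokens only, no onLoad, login iframe disabled). The host, realm and client names are taken from the URLs quoted above; the sample tokens are constructed, unsigned, and exist only so the checks can run offline.

```javascript
'use strict';

// Realm URLs follow the layout of the URLs quoted in the thread
// (/auth/realms/<realm>/protocol/openid-connect/...). The host is an assumption.
function realmUrl(baseUrl, realm) {
  return `${baseUrl}/auth/realms/${encodeURIComponent(realm)}`;
}

// The Resource Owner Password Credentials ("direct access grant") request the desktop
// application sends with the username/password it already collected. The request is
// returned rather than sent so the example runs offline; the client needs Direct Access
// Grants enabled in the Keycloak admin console for this to succeed.
function buildDirectGrantRequest(baseUrl, realm, clientId, username, password) {
  const body = new URLSearchParams({ grant_type: 'password', client_id: clientId, username, password });
  return {
    method: 'POST',
    url: `${realmUrl(baseUrl, realm)}/protocol/openid-connect/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Reads a JWT payload without checking the signature: that is all the browser can do,
// and it is what keycloak.js does when it is handed tokens. The signature is verified
// by the resource server that later receives the access token.
function decodeJwtPayload(jwt) {
  if (typeof jwt !== 'string') throw new Error('token missing');
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Sanity checks before the token response is handed to keycloak.init. Because the tokens
// in the thread travel through a URL parameter, the page should at least confirm they
// belong to its realm and client and have not expired. `expected.now` (seconds) is an
// injection point for tests; real callers omit it.
function checkTokenSet(tokenResponse, expected) {
  const now = expected.now !== undefined ? expected.now : Math.floor(Date.now() / 1000);
  const reasons = [];
  let access;
  try {
    access = decodeJwtPayload(tokenResponse.access_token);
  } catch (e) {
    return { ok: false, reasons: ['access_token unparsable: ' + e.message] };
  }
  if (access.iss !== expected.issuer) reasons.push('issuer mismatch: ' + access.iss);
  const aud = [].concat(access.aud || []);
  if (access.azp !== expected.clientId && !aud.includes(expected.clientId)) {
    reasons.push('token was not issued to client ' + expected.clientId);
  }
  if (typeof access.exp !== 'number' || access.exp <= now) reasons.push('access token expired');
  if (typeof tokenResponse.refresh_token !== 'string') reasons.push('refresh_token missing');
  if (typeof tokenResponse.id_token !== 'string') reasons.push('id_token missing');
  return { ok: reasons.length === 0, reasons };
}

// The keycloak.js init object as suggested in the thread: tokens only, no onLoad, and the
// login-status iframe disabled because the embedded IE control has no SSO session for it
// to check.
function buildInitOptions(tokenResponse) {
  return {
    token: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    idToken: tokenResponse.id_token,
    checkLoginIframe: false,
  };
}

// --- constructed sample data: unsigned stand-ins, not real Keycloak tokens ---
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeUnsignedJwt(payload) {
  return base64UrlEncode({ alg: 'none', typ: 'JWT' }) + '.' + base64UrlEncode(payload) + '.';
}
function sampleTokenResponse(issuer, clientId, now, ttl) {
  const base = { iss: issuer, azp: clientId, aud: clientId, iat: now, exp: now + ttl, sub: 'agent-42' };
  return {
    access_token: makeUnsignedJwt({ ...base, typ: 'Bearer' }),
    expires_in: ttl,
    refresh_token: makeUnsignedJwt({ ...base, typ: 'Refresh' }),
    id_token: makeUnsignedJwt({ ...base, typ: 'ID' }),
    token_type: 'bearer',
  };
}

const baseUrl = 'http://beta10.dev.hs18.lan:9080';
const issuer = realmUrl(baseUrl, 'HSN18');
const resp = sampleTokenResponse(issuer, 'CMS', 1460000000, 1800);
console.log(buildDirectGrantRequest(baseUrl, 'HSN18', 'CMS', 'agent', 'secret').body);
console.log(checkTokenSet(resp, { issuer, clientId: 'CMS', now: 1460000000 }));
console.log(buildInitOptions(resp));
```

In the page itself, `buildInitOptions` would be fed the parsed `tokenJson` and the result passed to `keycloak.init`; `checkTokenSet` runs first and falls back to `keycloak.login()` when it reports a problem, rather than initialising with tokens the page cannot account for.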
