[keycloak-user] JavaScript client, iframe and IE

Thu Apr 14 10:00:26 EDT 2016

so, that header can contain any non-sense, magic value, heh.. 
similar, like java have magic number "0xCAFEBABE"

Lähettäjä: Stian Thorgersen [mailto:sthorger at redhat.com] 
Lähetetty: 14. huhtikuuta 2016 16:55
Vastaanottaja: Jukka Sirviö
Kopio: Thomas Raehalme; keycloak-user
Aihe: Re: [keycloak-user] JavaScript client, iframe and IE

I've got no clue what the value should be, tried to search on Google, but doesn't make much sense to me.

On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio at mipro.fi> wrote:
there is discussion on this issue, also on stack overflow
http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-have-an-infinite-loop

“Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"”

Lähettäjä: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Puolesta Thomas Raehalme
Lähetetty: 14. huhtikuuta 2016 16:22
Vastaanottaja: Stian Thorgersen
Kopio: keycloak-user
Aihe: Re: [keycloak-user] JavaScript client, iframe and IE

I created KEYCLOAK-2828 for this issue and will do a PR as well.

What do you think the value should be? As I wrote earlier it does not seem to make a difference to IE.

Best regards,
Thomas

On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
Can you create a JIRA for it please? If you fancy doing a PR you can add the header to LoginStatusIframeEndpoint.

On 14 April 2016 at 15:09, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <sthorger at redhat.com> wrote:
What do you mean about "if the URL is something like"?

The only iframe Keycloak uses is in the JavaScript adapter and it's only the session iframe. That would be the only place it would be relevant for Keycloak to set P3P header, but don't think it's need AFAIK it works just fine on IE.

Sorry for being a little too vague.

Among other UIs our application has a web front-end based on AngularJS and it's utilizing the JavaScript adapter for authentication. When I login to the application I can inspect the HTML and see an <iframe /> element with the following URL:

https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-status-iframe.html?client_id=xxxx&origin=xxxx

Without the P3P header there is an eternal loop between our web front-end and Keycloak where the browser is being redirected from one to the other. After adding the P3P header the problem was solved.

Best regards,
Thomas

________________________________

Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista tietoa, joka on tarkoitettu
vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin lähettäjälle tapahtuneesta
virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen, kopioiminen, jakelu tai muu
käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti kielletty.

This message (including any attachments) may contain confidential information intended for
the person or entity to which it is addressed. If you are not the intended recipient, notify the
sender and delete this message immediately. Notice that disclosing, copying, distributing or any
other use of the message and its information, or taking any action based on it, is strictly prohibited.

________________________________