[keycloak-user] JavaScript client, iframe and IE

Thomas Raehalme thomas.raehalme at aitiofinland.com
Fri Apr 15 08:46:44 EDT 2016


On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> I think we need to make it configurable. Could use messages from login
> theme as a simple solution?
>
> sessionIframeP3P=CP="This is not a P3P policy!"
>

Using theme properties was a good idea.

Is there an existing test I could extend to verify the presence of the
header?





> On 14 April 2016 at 16:06, Thomas Raehalme <
> thomas.raehalme at aitiofinland.com> wrote:
>
>> Well I didn't mean exactly the same message with a link and everything,
>> but just something like "This is not a policy definition."
>>
>> Best regards,
>> Thomas
>> On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger at redhat.com> wrote:
>>
>>> I don't think the Google way is good for us as we'd need to have a
>>> similar page. Further, it wouldn't be correct to have a Keycloak page that
>>> describes the policy for other companies. So we need to figure out what the
>>> correct value should be I think.
>>>
>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>> thomas.raehalme at aitiofinland.com> wrote:
>>>
>>>> W3C has the spec but since nobody is really using this I don't think
>>>> the value matters. But instead of making up some policy definition I think
>>>> that the Google way would be the best. What do you think?
>>>>
>>>> Best regards,
>>>> Thomas
>>>> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger at redhat.com> wrote:
>>>>
>>>>> I've got no clue what the value should be. I tried to search on Google,
>>>>> but it doesn't make much sense to me.
>>>>>
>>>>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio at mipro.fi> wrote:
>>>>>
>>>>>> There is discussion on this issue, also on Stack Overflow
>>>>>>
>>>>>> http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-have-an-infinite-loop
>>>>>>
>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR
>>>>>> UNR LEG"”
>>>>>>
>>>>>>
>>>>>> From: keycloak-user-bounces at lists.jboss.org [mailto:
>>>>>> keycloak-user-bounces at lists.jboss.org] On behalf of Thomas Raehalme
>>>>>> Sent: 14 April 2016 16:22
>>>>>> To: Stian Thorgersen
>>>>>> Cc: keycloak-user
>>>>>> Subject: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>
>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>>
>>>>>> What do you think the value should be? As I wrote earlier it does not
>>>>>> seem to make a difference to IE.
>>>>>>
>>>>>> Best regards,
>>>>>> Thomas
>>>>>>
>>>>>>
>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>>> sthorger at redhat.com> wrote:
>>>>>> Can you create a JIRA for it please? If you fancy doing a PR you can
>>>>>> add the header to LoginStatusIframeEndpoint.
>>>>>>
>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>>> sthorger at redhat.com> wrote:
>>>>>> What do you mean about "if the URL is something like"?
>>>>>>
>>>>>> The only iframe Keycloak uses is in the JavaScript adapter and it's
>>>>>> only the session iframe. That would be the only place it would be relevant
>>>>>> for Keycloak to set the P3P header, but I don't think it's needed. AFAIK it
>>>>>> works just fine on IE.
>>>>>>
>>>>>> Sorry for being a little too vague.
>>>>>>
>>>>>> Among other UIs our application has a web front-end based on
>>>>>> AngularJS and it's utilizing the JavaScript adapter for authentication.
>>>>>> When I log in to the application I can inspect the HTML and see an
>>>>>> <iframe /> element with the following URL:
>>>>>>
>>>>>>
>>>>>> https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-status-iframe.html?client_id=xxxx&origin=xxxx
>>>>>>
>>>>>> Without the P3P header there is an eternal loop between our web
>>>>>> front-end and Keycloak where the browser is being redirected from one to
>>>>>> the other. After adding the P3P header the problem was solved.
>>>>>>
>>>>>> Best regards,
>>>>>> Thomas
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>
>
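
The header check asked about at the top of this message, as an added example that is not part of the thread and is not Keycloak code: it looks for a P3P header on a response, extracts the CP value, and reports which tokens fall outside the W3C P3P 1.0 compact-policy vocabulary. The function names are hypothetical and the sample responses are constructed from the two header values quoted in the thread.

```javascript
// Added example, not Keycloak code. Function names are hypothetical.
// Compact-policy tokens from the W3C P3P 1.0 vocabulary that take no suffix.
const PLAIN = new Set(("NOI ALL CAO IDC OTI NON DSP COR MON LAW NID NOR STP " +
  "LEG BUS IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC " +
  "GOV OTC TST CUR OUR").split(" "));
// Purpose and recipient tokens that may carry an a/i/o consent suffix.
const SUFFIXABLE = new Set(("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP " +
  "DEL SAM UNR PUB OTR").split(" "));

function isCpToken(token) {
  if (PLAIN.has(token)) return true;
  const m = /^([A-Z]{3})[aio]?$/.exec(token);
  return m !== null && SUFFIXABLE.has(m[1]);
}

// headers: plain object of response headers; names compare case-insensitively.
function checkP3P(headers) {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === "p3p");
  if (name === undefined) return { present: false, cp: null, unknown: [] };
  // Accept both CP="..." and the unquoted CP=... form.
  const m = /\bCP\s*=\s*"?([^",]*)"?/i.exec(String(headers[name]));
  if (m === null) return { present: true, cp: null, unknown: [] };
  const tokens = m[1].trim().split(/\s+/).filter(Boolean);
  const unknown = tokens.filter((t) => !isCpToken(t));
  return { present: true, cp: m[1], unknown };
}

// Constructed sample responses using the header values quoted in this thread.
const SAMPLES = {
  missing: { "Content-Type": "text/html" },
  placeholder: { "P3P": 'CP="This is not a P3P policy!"' },
  stackOverflow: {
    "p3p": "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG",
  },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  const r = checkP3P(headers);
  console.log(label, "present:", r.present, "unknown tokens:", r.unknown);
}
```

A test for the session iframe endpoint would assert only on `present`; the `unknown` list shows whether a configured value makes actual compact-policy claims or is a placeholder.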