[keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client

Tomás García tomas at intrahouse.com
Sat Jun 25 05:44:15 EDT 2016


Hi,

I wonder if it's possible to just check the SSO state with a
confidential client. My use case is the following one:

- I have a website which uses a confidential client to login with Keycloak.

- I want to add autologin to this website.

- So I use the javascript adapter with the following option object for
the init method: { onLoad: 'check-sso' }. The javascript adapter is
built without the secret key in its constructor (obviously if I put the
secret key in there, there's no point in using a confidential client at all).

But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR,
error=invalid_client_credentials" error.

So I don't know how feasible or secure it is to just check that the
Keycloak session inside the cookie of the user's browser is still valid.
In my case, the browser doesn't need to get the user info, access token,
etc., because what I'll do is redirect the user to the Keycloak login
page with the confidential client afterwards if the operation is
successful. Since the Keycloak session is valid, Keycloak should
redirect back with the authentication code without asking the user for
credentials.

Additional note: the CORS header isn't added to 400 responses in
Keycloak, so it was a bit confusing looking at the JS console in the
browser, because it complained about CORS but it was just Keycloak
giving the 400 response without the allow-origin header.

Thanks.

-- 

Tomás García Pérez

Software Developer

IntraHouse
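To make the failure described in the question concrete, here is an added toy model (constructed for this page, not Keycloak's or the JS adapter's code) of the token endpoint's client-authentication step that runs after a `check-sso` redirect returns an authorization code. The client names, the secret and the code are assumed sample values; the `invalid_client_credentials` error string is the one reported in the post, while `invalid_client` and `invalid_grant` are the standard OAuth 2.0 errors used as stand-ins for the other failure paths.

```javascript
// Constructed sample client registrations (assumed names and secret).
const registeredClients = {
  "website-confidential": { publicClient: false, secret: "s3cr3t-kept-on-server" },
  "website-browser":      { publicClient: true },
};

// Model of the code-to-token request a browser adapter sends after the
// silent SSO check redirects back with an authorization code.
// Returns { ok: true, tokens } or { ok: false, error, eventType }.
function exchangeCode(request, clients) {
  const client = clients[request.client_id];
  if (!client) {
    return { ok: false, error: "invalid_client", eventType: "CODE_TO_TOKEN_ERROR" };
  }
  // A confidential client must authenticate itself; a missing or wrong
  // secret is rejected before the code is even looked at. This is the
  // "invalid_client_credentials" the post sees in the Keycloak event log.
  if (!client.publicClient) {
    if (!request.client_secret || request.client_secret !== client.secret) {
      return { ok: false, error: "invalid_client_credentials", eventType: "CODE_TO_TOKEN_ERROR" };
    }
  }
  if (!request.code) {
    return { ok: false, error: "invalid_grant", eventType: "CODE_TO_TOKEN_ERROR" };
  }
  return { ok: true, tokens: { access_token: "at-" + request.code, token_type: "bearer" } };
}

// What a browser-side adapter can do with the outcome. It only has what
// was passed to its constructor, and a confidential client's secret must
// never be shipped to the browser, so with such a client the silent check
// cannot complete even though the Keycloak session cookie is valid.
function checkSso(adapterConfig, code, clients) {
  const result = exchangeCode(
    { client_id: adapterConfig.clientId, client_secret: adapterConfig.clientSecret, code: code },
    clients
  );
  return { authenticated: result.ok, error: result.ok ? null : result.error };
}
```

Run `checkSso({ clientId: "website-confidential" }, "code-123", registeredClients)` to reproduce the failure path, and the same call with `"website-browser"` to see the public-client path succeed.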
