[keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak?

Sebastien Blanc sblanc at redhat.com
Wed Apr 12 08:47:29 EDT 2017


Hi Adam,

I started today to look at your ticket. First of all, thank you for the
provided example, it makes it much easier to reproduce.

So Stian is right, it's expecting a token which isn't present and therefore
returning a 401.
Stian suggested that we should maybe support ajax requests secured with the
session (to support RichFaces ajax requests).

I would like to have the opinion of everyone here: is that something we
want? Don't we break any specs here (I have no idea, just asking)?

Anyway, I will start looking at how this change could be implemented.

Seb


On Fri, Jan 13, 2017 at 9:53 AM, Adam Daduev <daduev.ad at gmail.com> wrote:

> I created a JIRA bug and added a simple example.
> https://issues.jboss.org/browse/KEYCLOAK-4214
>
>
> Fri, 13 Jan 2017 at 9:34, Stian Thorgersen <sthorger at redhat.com>:
>
> > Might be that it's expecting a token in the ajax request rather than
> > checking for a session, not 100% sure though. RichFaces won't work unless
> > we can support securing the requests from the session.
> >
> > Can you create a JIRA bug for this please? If you can attach a simple
> > example we can build and deploy to reproduce the issue that would be
> > extremely helpful and we would be able to look at it sooner.
> >
> > On 12 January 2017 at 07:16, Adam Daduev <daduev.ad at gmail.com> wrote:
> >
> > After login, I get into my app, and for all my ajax requests from the page
> > to the backing bean, I receive a 401 response even if the session is still
> > alive. If I remove the autodetect-bearer-only option, everything works
> > fine, but it goes back to the old error.
> >
> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth?…ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
> >
> > ---------- Forwarded message ---------
> > From: Adam Daduev <daduev.ad at gmail.com>
> > Date: Tue, 10 Jan 2017 at 14:08
> > Subject: Re: [keycloak-user] Error when session expired and ajax request
> > execute in Keycloak?
> > To: <stian at redhat.com>
> >
> >
> > I tried, but it does not work.
> > Firstly, I added the autodetect-bearer-only option via the adapter
> > subsystem; WildFly did not start, as it does not know the
> > autodetect-bearer-only option. Then I added it via JSON; WildFly started
> > and the app was deployed.
> > Secondly, on my ajax request to the backing bean, I receive a 401 response
> > and nothing happens.
> > This is my keycloak.json:
> > {
> >   "realm": "azovstal",
> >   "auth-server-url": "http://dc09-apps-06:8090/auth",
> >   "ssl-required": "none",
> >   "resource": "web-test",
> >   "public-client": true,
> >   "use-resource-role-mappings": true,
> >   "autodetect-bearer-only": true
> > }
> >
> > Tue, 10 Jan 2017 at 10:19, <daduev.ad at gmail.com>:
> >
> > Ok, I'll try, thanks.
> >
> > On 10 Jan 2017, at 07:07, Stian Thorgersen <sthorger at redhat.com>
> > wrote:
> >
> > In that case take a look at the new autodetect-bearer-only option. You'll
> > need 2.5.0.Final for that.
> >
> > On 9 January 2017 at 19:18, <daduev.ad at gmail.com> wrote:
> >
> > No, I have a JSF 2 app with the RichFaces framework, which is deployed on
> > WildFly 10.1.
> >
> > On 9 Jan 2017, at 14:51, Stian Thorgersen <sthorger at redhat.com>
> > wrote:
> >
> > [Adding list back]
> >
> > A web app redirects the user to a login page if not authenticated, while
> > a service should return a 401.
> >
> > It sounds like what you have is a JS application with a service backend.
> > In Keycloak you should have two separate types of clients for that. The JS
> > application should be a public client, while the services a bearer-only
> > client.
> >
> > On 9 January 2017 at 13:39, Adam Daduev <daduev.ad at gmail.com> wrote:
> >
> > Thanks for the answer.
> > Yes, I have a confidential client; I have a web application that asks the
> > Keycloak server to authenticate a user for it. As I understand, bearer-only
> > is for web service clients.
> > Probably there is something I do not understand?
> >
> > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
> >
> > Looks like your services are configured as confidential clients rather
> > than bearer-only and hence are sending a login request back rather than a
> > 401. You should either swap your service war to be a bearer-only client or
> > use the new autodetect-bearer-only option in adapters if you have both web
> > pages and services in the same war.
> >
> > On 8 January 2017 at 23:29, Adam Daduev <daduev.ad at gmail.com> wrote:
> >
> > Hi, can you help me?
> > When the session has expired and an ajax request executes in Keycloak, I
> > get an error in the browser console:
> >
> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth?…ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access.
> >
> > I added, in the Keycloak admin console, in the client settings, Web Origins =
> > http://localhost:8080 (or *), and enabled CORS in the app, but the error is
> > still in the console. I used Keycloak 2.5.0.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
>
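The two ajax failure modes discussed in this thread, as an added example that is not part of the original messages and not Keycloak or RichFaces code: a client-side handler that turns the adapter's 401 (or the browser-blocked cross-origin login redirect) into a top-level page reload, so the login redirect happens as a normal navigation instead of inside an XMLHttpRequest. It assumes autodetect-bearer-only is enabled and that the JSF 2 `jsf.ajax.addOnError` API that RichFaces builds on is available; `decideOnAjaxResponse`, `decisionForJsfError` and `installJsfAjaxHandler` are illustrative names.

```javascript
// Added example, not code from the thread, Keycloak or RichFaces.
// Assumption: autodetect-bearer-only is on, so an ajax request carrying no
// token gets a bare 401 instead of a redirect to the login page.

// Classify an ajax response from the backing bean. Returns "ok", "reload"
// (navigate at top level so the browser follows the adapter's login redirect
// as a normal page load, which CORS does not restrict) or "error".
function decideOnAjaxResponse(status, headers) {
  const h = headers || {};
  const ct = String(h["content-type"] || h["Content-Type"] || "").toLowerCase();
  // Session gone and no bearer token: the adapter answered 401.
  if (status === 401) return "reload";
  // Status 0: the browser blocked the cross-origin redirect to
  // /auth/realms/<realm>/protocol/openid-connect/auth (the
  // "No 'Access-Control-Allow-Origin' header" error quoted above).
  if (status === 0) return "reload";
  // Same-origin variant: XHR silently followed the redirect and received the
  // HTML login page with 200 instead of the JSF partial-response XML.
  if (status >= 200 && status < 300) {
    return ct.startsWith("text/html") ? "reload" : "ok";
  }
  return "error";
}

// Map a JSF 2 ajax error event (jsf.ajax.addOnError callback data) onto the
// classifier. data.status is "httpError", "emptyResponse", "serverError" or
// "malformedXML"; data.responseCode carries the HTTP status for httpError.
function decisionForJsfError(data) {
  if (data.status === "httpError") return decideOnAjaxResponse(data.responseCode, {});
  if (data.status === "serverError") return decideOnAjaxResponse(500, {});
  if (data.status === "malformedXML") {
    // Non-XML body on a 2xx: almost always the login page served in place
    // of the partial response.
    return decideOnAjaxResponse(200, { "content-type": "text/html" });
  }
  // emptyResponse: the blocked cross-origin redirect shows up this way.
  return decideOnAjaxResponse(0, {});
}

// Register the handler with the JSF ajax API. nav is an object with reload(),
// normally window.location. Returns false when there is no jsf global (e.g.
// outside a browser) so the module still loads.
function installJsfAjaxHandler(nav) {
  if (typeof jsf === "undefined" || !jsf.ajax) return false;
  jsf.ajax.addOnError(function (data) {
    if (decisionForJsfError(data) === "reload") nav.reload();
  });
  return true;
}
```

In a page this would be called once as `installJsfAjaxHandler(window.location)`; the reload makes the adapter's redirect a top-level navigation, so the user lands on the Keycloak login page instead of a console error.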

