[keycloak-user] Identity provider, keycloak js adapter and session management

Peter Nalyvayko petervn1 at yahoo.com
Fri Jul 7 12:06:50 EDT 2017


Some additional info: we can also reproduce the same behavior using the Pairwise subject identifier, i.e. users keep getting logged out after 5 seconds. 

--------------------------------------------
On Thu, 7/6/17, Peter Nalyvayko <petervn1 at yahoo.com> wrote:

 Subject: Identity provider, keycloak js adapter and session management
 To: keycloak-user at lists.jboss.org
 Date: Thursday, July 6, 2017, 12:10 PM
 
 Hi,
 
 We've hit a bit of a snag while setting
 up our one page js client. Changing the value of the "sub"
 claim to anything other than the unique identifier of the
 keycloak user causes the keycloak adapter to detect the
 changes to the session and clear out the tokens, forcing the
 users to re-log in after every 5 seconds. 
  
 We are using the version 2.3.0 of
 keycloak. Our app is set up to use keycloak.js adapter for
 all things related to OIDC. The adapter is configured to use
 the "code authorization" (standard) flow. The instance of
 keycloak is configured to use an external OIDC identity
 provider and the users are uniquely identified by their
 e-mails. Naturally, we wanted that the "sub" claim in the
 claim set returned by calling the keycloak's OIDC /token
 endpoint would return the unique identity of the external
 user rather than the internal identifier of the keycloak
 user, so we re-configured the keycloak client by adding a
 property mapper to map the user's email to the "sub" claim,
 here the example of the access token: 
 {
    "sub": "user at company.com",
    "iat": 223235098325,
    "email": "user at company.com",
    ...
 } 
 
 Once we had implemented these changes
 on the keycloak side, our users were able to initially sign
 into the application, but when they tried to access any
 functionality within the app, they would be prompted to sign
 in again. The problem seems to related to the OIDC session
 management and the assumption and the "sub" claim always
 matches the keycloak user's unique identifier. 
 
 We narrowed the problem down to four
 components:
 
 - keycloak.js
 - login-status-iframe.html
 -
 services\srv\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java
 -
 services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java
  
 In keycloak.js, line 637, the
 implementation creates a session id to be used to check the
 session state. Notice that the code uses the value from the
 "sub" claim: 
    var sessionId = kc.realm + "/"
 + kc.tokenParsed.sub;
   
 In
 AuthenticationManager.createLoginCookie, line 306, the value
 of the "SESSION_COOKIE" is set to:
 
   String sessionCookieValue =
 realm.getName() + "/" + user.getId();
 
 Sadly, in our configuration, the value
 returned of by user.getId() is not the same as the value
 stored in the "sub" claim, thus causing the session
 management code in login-status-iframe.html, line 53 to
 clear out any tokens and force the users to re-login the
 next time it checks the session state (default is 5 second
 intervals):
 
   var cookie = getCookie();
   if (sessionState == cookie) {
 ... } else { callback("changed"); }  
 
  
 Looking at the
 LoginStatusIframeEndpoint.preCheck
 (LoginSatusIframeEndpoint.java, lines 71-93), we've noticed
 that the implementation does not even make use of the user
 identity, only the session id.
 
 The workaround, at least temporary, for
 us was to add the "id" claim containing the user identity
 internal to keycloak, and modify the keycloak JS adapter
 code to look for the "id" claim and use its value instead of
 the value in the "sub" claim when creating the session id,
 i.e.:
 
   
    var sessionId;
    if (kc.tokenParsed.id) {
       sessionId =
 kc.realm + "/" + kc.tokenParsed.id;
    } else {
       sessionId =
 kc.realm + "/" + kc.tokenParsed.sub;
    }
 
 Is this a bug, or does it work as
 intended, i.e. the users should never set the "sub" claim to
 anything other than the keycloak's user identity? If this is
 a bug, I can submit a JIRA request and a fix as long as the
 workaround above seems like an acceptable solution
 
 Any comments are welcome
 Regards,
 Peter
 



More information about the keycloak-user mailing list