[keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak?

Adam Daduev daduev.ad at gmail.com
Thu Jun 22 02:04:19 EDT 2017


Hi Seb,
Is there any progress on this issue? In which release will this bug be fixed?
Thanks.

Thu, 13 Apr 2017 at 19:43, Adam Daduev <daduev.ad at gmail.com>:

> Hi Seb,
>
> I cannot speak for everyone, but I would want it. About specs, I do not
> know. I use Keycloak in my application, and I cannot notify the user when
> the session has expired. I do not know whether I said this, but when a
> redirect request occurs, not an ajax request, I catch the error with a JSF
> exception handler (in my example it is CommonExceptionHandler) and notify
> users; I want the same to happen with my ajax requests. It occurs not only
> in RichFaces but also in PrimeFaces; I think it happens with all JSF ajax
> requests.
> One more thing: I observed that the Keycloak session expires earlier than
> I set in the Keycloak admin console, and in the Keycloak log I have a
> warning, error refresh token. Maybe these problems are related, I do not
> know.
> I have one small question: can I disable the refresh token and use
> Implicit Flow? When I disabled Authorization Code Flow, nothing works.
>
> Thank you.
>
> Wed, 12 Apr 2017 at 15:47, Sebastien Blanc <sblanc at redhat.com>:
>
>> Hi Adam,
>>
>> I started today to look at your ticket. First of all, thank you for the
>> provided example, it makes it much easier to reproduce.
>>
>> So Stian is right, it's expecting a token which isn't present and
>> therefore returning a 401.
>> Stian suggested that we should maybe support ajax requests secured with
>> the session (to support RichFaces ajax requests).
>>
>> I would like to have the opinion of everyone here: is that something we
>> want? Don't we break any specs here (I have no idea, just asking)?
>>
>> Anyway I will start looking how this change could be implemented.
>>
>> Seb
>>
>>
>> On Fri, Jan 13, 2017 at 9:53 AM, Adam Daduev <daduev.ad at gmail.com> wrote:
>>
>>> I created a JIRA bug and added a simple example.
>>> https://issues.jboss.org/browse/KEYCLOAK-4214
>>>
>>>
>>> Fri, 13 Jan 2017 at 9:34, Stian Thorgersen <sthorger at redhat.com>:
>>>
>>> > Might be that it's expecting a token in the ajax request rather than
>>> > checking for a session, not 100% sure though. RichFaces won't work
>>> > unless we can support securing the requests from the session.
>>> >
>>> > Can you create a JIRA bug for this please? If you can attach a simple
>>> > example we can build and deploy to reproduce the issue that would be
>>> > extremely helpful and we would be able to look at it sooner.
>>> >
>>> > On 12 January 2017 at 07:16, Adam Daduev <daduev.ad at gmail.com> wrote:
>>> >
>>> > After login, I get into my app, and for all my ajax requests from the
>>> > page to the backing bean, I receive response 401 even if the session
>>> > is still alive.
>>> > If I remove the autodetect-bearer-only option, all works fine, but it
>>> > goes back to the old error.
>>> >
>>> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth?…ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid.
>>> > No 'Access-Control-Allow-Origin' header is present on the requested resource.
>>> > Origin 'http://localhost:8080' is therefore not allowed access.
>>> >
>>> > ---------- Forwarded message ---------
>>> > From: Adam Daduev <daduev.ad at gmail.com>
>>> > Date: Tue, 10 Jan 2017 at 14:08
>>> > Subject: Re: [keycloak-user] Error when session expired and ajax
>>> > request execute in Keycloak?
>>> > To: <stian at redhat.com>
>>> >
>>> >
>>> > I tried, but it does not work.
>>> > First, I added the autodetect-bearer-only option via the adapter
>>> > subsystem; WildFly did not start, as it does not know the
>>> > autodetect-bearer-only option. Then I added it via JSON; WildFly
>>> > started and the app was deployed.
>>> > Second, on my ajax request to the backing bean, I receive response 401
>>> > and nothing happens.
>>> > This is my keycloak.json:
>>> > {
>>> > "realm": "azovstal",
>>> > "auth-server-url": "http://dc09-apps-06:8090/auth",
>>> > "ssl-required": "none",
>>> > "resource": "web-test",
>>> > "public-client": true,
>>> > "use-resource-role-mappings": true,
>>> > "autodetect-bearer-only": true
>>> > }
>>> >
>>> > Tue, 10 Jan 2017 at 10:19, <daduev.ad at gmail.com>:
>>> >
>>> > OK, I will try, thanks.
>>> >
>>> > On 10 Jan 2017, at 07:07, Stian Thorgersen <sthorger at redhat.com>
>>> > wrote:
>>> >
>>> > In that case take a look at the new autodetect-bearer-only option.
>>> > You'll need 2.5.0.Final for that.
>>> >
>>> > On 9 January 2017 at 19:18, <daduev.ad at gmail.com> wrote:
>>> >
>>> > No, I have a JSF 2 app with the RichFaces framework, which is deployed
>>> > on WildFly 10.1.
>>> >
>>> > On 9 Jan 2017, at 14:51, Stian Thorgersen <sthorger at redhat.com>
>>> > wrote:
>>> >
>>> > [Adding list back]
>>> >
>>> > A web app redirects the user to a login page if not authenticated,
>>> > while a service should return a 401.
>>> >
>>> > It sounds like what you have is a JS application with a service
>>> > backend. In Keycloak you should have two separate types of clients for
>>> > that. The JS application should be a public client, while the services
>>> > a bearer-only client.
>>> >
>>> > On 9 January 2017 at 13:39, Adam Daduev <daduev.ad at gmail.com> wrote:
>>> >
>>> > Thanks for the answer.
>>> > Yes, I have a confidential client; I have a web application that asks
>>> > the Keycloak server to authenticate a user for it. As I understand it,
>>> > bearer-only is for web service clients.
>>> > Perhaps I do not understand something?
>>> >
>>> > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>>> >
>>> > Looks like your services are configured as confidential clients rather
>>> > than bearer-only and hence are sending a login request back rather
>>> > than a 401. You should either swap your service war to be a
>>> > bearer-only client or use the new autodetect-bearer-only option in
>>> > adapters if you have both web pages and services in the same war.
>>> >
>>> > On 8 January 2017 at 23:29, Adam Daduev <daduev.ad at gmail.com> wrote:
>>> >
>>> > Hi, can you help me?
>>> > When the session has expired and an ajax request executes in Keycloak,
>>> > I get an error in the browser console:
>>> >
>>> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/realms/azovstal/protocol/openid-connect/auth?…ml&state=60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid.
>>> > No 'Access-Control-Allow-Origin' header is present on the requested resource.
>>> > Origin 'http://localhost:8080' is therefore not allowed access.
>>> >
>>> > I added Web Origins=http://localhost:8080 (or *) in the client
>>> > settings in the Keycloak admin console, and enabled CORS in the app,
>>> > but I still have the error in the console. I used Keycloak 2.5.0.
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> >
>>> >
>>>
>>
>>
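
The thread's remedy has the adapter answer ajax calls with a 401 instead of redirecting them to the login URL on another origin, which the browser blocks under CORS; the page still needs a client-side handler to act on that 401. The following is an added example, not code from the thread or from Keycloak: it assumes JSF 2's standard `jsf.ajax.addOnError` hook, and the function names, storage key and guard interval are hypothetical.

```javascript
// Added example; not code from the thread or from the Keycloak project.
// Assumption: with "autodetect-bearer-only": true the adapter answers an
// unauthenticated ajax call with 401 instead of a 302 to the login URL.
const RELOAD_GUARD_MS = 30000;            // hypothetical loop-guard interval
const RELOAD_KEY = "kc-last-auth-reload"; // hypothetical sessionStorage key

// Decide what to do with a failed JSF ajax call. `data` has the shape JSF 2
// passes to jsf.ajax.addOnError listeners (status, responseCode).
// Returns "reload", "notify" or "ignore".
function sessionExpiryAction(data, lastReloadMs, nowMs) {
  if (!data || data.status !== "httpError") return "ignore";
  if (Number(data.responseCode) !== 401) return "ignore";
  // A 401 right after a reload means reloading did not help (for example the
  // 401-with-live-session behaviour reported in the thread): do not loop.
  if (lastReloadMs !== null && nowMs - lastReloadMs < RELOAD_GUARD_MS) {
    return "notify";
  }
  return "reload";
}

// Register the handler on a window-like object; returns false without JSF.
function installSessionExpiryHandler(win) {
  if (!win || !win.jsf || !win.jsf.ajax) return false;
  win.jsf.ajax.addOnError(function (data) {
    const stored = win.sessionStorage.getItem(RELOAD_KEY);
    const last = stored === null ? null : Number(stored);
    const now = Date.now();
    const action = sessionExpiryAction(data, last, now);
    if (action === "reload") {
      win.sessionStorage.setItem(RELOAD_KEY, String(now));
      // Top-level navigation: the adapter's redirect to the login page is
      // followed by the browser itself, so no CORS check applies.
      win.location.reload();
    } else if (action === "notify") {
      win.alert("Your session has expired. Please sign in again.");
    }
  });
  return true;
}

if (typeof window !== "undefined") installSessionExpiryHandler(window);
```
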

