[keycloak-user] OIDC and XFO

Felipe Braun Azambuja felipe.braun at intelbras.com.br
Thu Jan 18 08:21:29 EST 2018


Hey guys,

I've been struggling with OIDC and XFO, and I could use some help from
you all.

My deployment is like this:

Vue.js app (nginx):80 (app.public.domain)
|
|
\-> reverse proxy (nginx):443 ---> keycloak:8080
       (sso.public.domain)          (sso.internal)

The app doesn't work due to XFO trying to open login-status-iframe.html.
If I make the app go straight to KC on :8080, it works as it should
(strangely enough, because KC isn't sending an XFO header).

I have XFO set on the reverse proxy, with SAMEORIGIN, tried to change to
ALLOW-FROM, tried to add XFO to the app's nginx, and all I get is the
same thing. The browser gets redirected to KC login page, I get
authenticated, but the app doesn't work.

*Where* and *how* should the header be set?

This setup with nginx works great in SAML, and since we do not have
enough IPv4, I can't expose it directly.

Keycloak was upgraded to 3.4.3.Final prior to this app being deployed.


Thanks!
--
Felipe Braun Azambuja
DBA
Information and Communication Technology
(48) 3281 9577
felipe.braun at intelbras.com.br
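As an added example (not part of the original post, and not Keycloak's or nginx's own code), a small Python check that evaluates X-Frame-Options and CSP frame-ancestors the way a browser does for the setup above: a page on app.public.domain framing login-status-iframe.html served from sso.public.domain. The origins, header values and the permitting CSP header are constructed; the check also covers the obsolete ALLOW-FROM value and the rule that frame-ancestors overrides X-Frame-Options, which goes beyond what the post describes.

```python
from urllib.parse import urlsplit


def _match_ancestors(sources, framed_origin, parent_origin):
    """Match a CSP frame-ancestors source list against the embedding (parent) origin."""
    parent = urlsplit(parent_origin)
    for src in sources.split():
        s = src.strip("'").lower()
        if s == "none":
            return "blocked", "frame-ancestors 'none'"
        if s == "*":
            return "allowed", "frame-ancestors *"
        if s == "self":
            if framed_origin == parent_origin:
                return "allowed", "frame-ancestors 'self'"
            continue
        scheme, _, host = s.rpartition("://")  # host-source with optional scheme
        if scheme and scheme != parent.scheme:
            continue
        host = host.rstrip("/")
        if (host.startswith("*.") and parent.hostname.endswith(host[1:])) or host in (parent.hostname, parent.netloc):
            return "allowed", f"frame-ancestors {src}"
    return "blocked", f"frame-ancestors does not list {parent_origin}"


def framing_status(headers, framed_origin, parent_origin):
    """Return (status, reason); status is 'allowed', 'blocked' or 'browser-dependent'."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":  # when present, browsers ignore X-Frame-Options
            return _match_ancestors(value, framed_origin, parent_origin)
    xfo = h.get("x-frame-options", "").strip().upper()
    if not xfo:
        return "allowed", "no X-Frame-Options or frame-ancestors sent"
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if framed_origin == parent_origin:
            return "allowed", "X-Frame-Options: SAMEORIGIN, same origin"
        return "blocked", f"X-Frame-Options: SAMEORIGIN but the parent is {parent_origin}"
    if xfo.startswith("ALLOW-FROM"):  # obsolete: Firefox/old IE honour it, Chrome and Safari ignore it
        return "browser-dependent", "X-Frame-Options: ALLOW-FROM is obsolete"
    return "blocked", f"unrecognised X-Frame-Options value {xfo!r}"


# Constructed sample cases modelled on the deployment described in the post.
APP_ORIGIN = "http://app.public.domain"   # page that embeds login-status-iframe.html
SSO_ORIGIN = "https://sso.public.domain"  # reverse proxy in front of Keycloak
PROXY_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}  # proxy adds XFO to every response -> blocked
DIRECT_HEADERS = {}  # straight to keycloak:8080, no XFO as observed in the post -> allowed
PERMITTING_HEADERS = {"Content-Security-Policy": "frame-ancestors 'self' http://app.public.domain"}  # -> allowed
```

Run `framing_status(PROXY_HEADERS, SSO_ORIGIN, APP_ORIGIN)` to see why a global SAMEORIGIN on the proxy blocks the status iframe: the framed origin (sso) differs from the parent origin (app), so "same origin" never matches.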


