[keycloak-user] Keycloak non-interactive SAML login

Dmitry Telegin dt at acutus.pro
Wed Jan 23 18:08:06 EST 2019


Tom, you're welcome,

I'd also recommend using axios-keycloak [1], since it handles token
refresh automatically. I only had to do an "npm run build" on it, since
there's some webpack-related issue with their dist build. Or you can
simply copy their index.js to your project under a different name and
import AxiosKeycloak from it.

[1] https://github.com/herrmannplatz/axios-keycloak

Good luck!
Dmitry

On Wed, 2019-01-23 at 14:52 -0800, Tom Barber wrote:
> Thanks Dmitry
> 
> Ironically we started down the hidden iframe route last week and felt there must be a better solution! Clearly not, so we’ll head back down that avenue.
> 
> Thanks for your help.
> 
> Tom
> 
> 
> > On 23 January 2019 at 22:29:14, Dmitry Telegin (dt at acutus.pro) wrote:
> > Hi, 
> > 
> > This message in the logs can be misleading since it reports the 
> > delivery of SAMLAuthnRequest only. The successful completion of SAML 
> > transaction would have been signaled by SAMLResponse (had it been 
> > received). 
> > 
> > I'm afraid SAML HTTP Redirect binding won't help either, since it's not 
> > allowed by Spring Security SAML [1] (which is in full accordance with 
> > the standard). 
> > 
> > I guess you're trying to fetch some data from your legacy app via XHR, 
> > and receive Keycloak-generated POST binding in response. I suggest that 
> > you implement a silent refresh pattern [2], similarly to what Scott has 
> > done for OIDC implicit flow. In a few words, you should create a hidden 
> > iframe with your SAML app, which, upon loading, will process POST 
> > binding and set up a valid session. After that, you should be able to 
> > perform requests to your legacy app normally. The iframe will also need 
> > to be reloaded periodically to mitigate session expiry. 
> > 
> > OIDC to SAML token exchange would have allowed for a more 
> > straightforward solution, but unfortunately is not supported in 
> > Keycloak at the moment. 
> > 
> > [1] https://stackoverflow.com/questions/29889644/metadatagenerator-of-spring-security-saml-doesnt-support-redirect-binding-for-a 
> > [2] https://www.scottbrady91.com/OpenID-Connect/Silent-Refresh-Refreshing-Access-Tokens-when-using-the-Implicit-Flow 
> > 
> > Good luck, 
> > Dmitry Telegin 
> > CTO, Acutus s.r.o. 
> > Keycloak Consulting and Training 
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic 
> > +42 (022) 888-30-71 
> > E-mail: info at acutus.pro 
> > 
> > On Wed, 2019-01-23 at 12:56 -0800, Tom Barber wrote: 
> > > Also what's stupid about it is in the Java logs I see 
> > > 
> > > 20:55:43,894 INFO  [SAMLDefaultLogger] AuthNRequest;SUCCESS;86.162.163.65;client;https://auth.domain.co.uk/auth/realms/ies;;; 
> > > 
> > > So I can even see it working! =/ 
> > > 
> > > On 23 January 2019 at 20:13:13, Tom Barber (tom at spicule.co.uk) wrote: 
> > > 
> > > Hey Dmitry 
> > > 
> > > I turned that setting off earlier today with no obvious change in outcome. 
> > > 
> > > Thanks 
> > > 
> > > Tom 
> > > 
> > > 
> > > On 23 January 2019 at 18:35:28, Dmitry Telegin (dt at acutus.pro) wrote: 
> > > 
> > > Hello Tom, 
> > > 
> > > Please go to client config in the Keycloak Admin Console and turn off 
> > > "Force POST Binding". Does it make any difference? 
> > > 
> > > Cheers, 
> > > Dmitry Telegin 
> > > CTO, Acutus s.r.o. 
> > > Keycloak Consulting and Training 
> > > 
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic 
> > > +42 (022) 888-30-71 
> > > E-mail: info at acutus.pro 
> > > 
> > > On Wed, 2019-01-23 at 09:56 -0800, Tom Barber wrote: 
> > > > Hi folks, 
> > > > 
> > > > I have 2 apps, the UI which is authenticated using the Keycloak NodeJS OIDC 
> > > > connector and provides a user UI login. This works fine. 
> > > > 
> > > > Then I have a Java based app that is legacy and uses the Spring SAML 
> > > > connector and when you go to its UI Keycloak also logs you in fine, but 
> > > > we’re trying to connect to its API without a user having to manually open 
> > > > its landing page to login. 
> > > > 
> > > > When you try and use a service on the Java app having authenticated on the 
> > > > client app you get: 
> > > > 
> > > > Note: Since your browser does not support JavaScript, you must press the 
> > > > Continue button once to proceed. 
> > > > 
> > > > 
> > > > In the javascript console. Both these apps are in the same realm. Is there 
> > > > anything I’m missing on the Keycloak side I can do to resolve this issue or 
> > > > do I have to find the Java code and jump in with two feet there? 
> > > > 
> > > > Thanks 
> > > > 
> > > > Tom 
> > > > 
> > > 
> > > 


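The two pieces of the thread that are worth seeing in code are the symptom (the XHR to the legacy app gets back the SAML HTTP-POST binding's auto-submit page, whose onload submit never runs inside an XHR, which is why the noscript "Continue" text shows up in the console) and the fix Dmitry describes (let a hidden iframe perform that auto-POST so the Spring SAML SP gets its session, and reload it periodically). The block below is an added example written for this page; it is not code from the list posts, from Keycloak or from Spring Security SAML. The sample SAML page and XML are constructed to resemble what the POST binding produces, and the hostnames, paths, attribute names and the injected `doc` object are assumptions.

```javascript
// Added example (not from the thread, Keycloak or Spring Security SAML):
// 1) recognise when an API call to the legacy SAML-protected app returned the
//    POST-binding auto-submit page instead of data, and
// 2) establish the legacy app's session through a hidden, periodically
//    reloaded iframe (the "silent refresh" pattern for SAML).
// Sample data, URLs and attribute names below are constructed assumptions.

// Base64 helpers that work in browsers and in Node.
function b64encode(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}
function b64decode(s) {
  return typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('utf8');
}

// A minimal samlp:Response (constructed) such as Keycloak would POST to the SP.
const SAMPLE_SAML_RESPONSE_XML =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c0ffee" ' +
  'Version="2.0" IssueInstant="2019-01-23T20:55:43Z" ' +
  'Destination="https://legacy.example.com/saml/SSO">' +
  '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>' +
  '</samlp:Status></samlp:Response>';

// The auto-submit page of the HTTP-POST binding (constructed to resemble it).
const SAMPLE_POST_BINDING_HTML =
  '<html><body onload="document.forms[0].submit()">' +
  '<noscript><p>Note: Since your browser does not support JavaScript, you must ' +
  'press the Continue button once to proceed.</p></noscript>' +
  '<form method="post" action="https://legacy.example.com/saml/SSO">' +
  '<input type="hidden" name="SAMLResponse" value="' + b64encode(SAMPLE_SAML_RESPONSE_XML) + '"/>' +
  '<input type="hidden" name="RelayState" value="/api/report"/>' +
  '<noscript><input type="submit" value="Continue"/></noscript>' +
  '</form></body></html>';

// Value of one <input name="..."> in the HTML, or null if absent.
function hiddenInput(html, name) {
  const tag = html.match(new RegExp('<input[^>]*\\bname="' + name + '"[^>]*>', 'i'));
  if (!tag) return null;
  const value = tag[0].match(/\bvalue="([^"]*)"/i);
  return value ? value[1] : null;
}

// If `html` is a SAML POST-binding page carrying a samlp:Response, return the
// form target, the decoded XML and the RelayState; otherwise return null.
function parseSamlPostBinding(html) {
  const form = html.match(/<form[^>]*\bmethod="post"[^>]*\baction="([^"]*)"[^>]*>/i)
            || html.match(/<form[^>]*\baction="([^"]*)"[^>]*\bmethod="post"[^>]*>/i);
  const encoded = hiddenInput(html, 'SAMLResponse');
  if (!form || !encoded) return null;
  let xml;
  try { xml = b64decode(encoded); } catch (e) { return null; }
  if (!/<(\w+:)?Response\b/.test(xml)) return null;   // not a samlp:Response
  return { action: form[1], samlResponseXml: xml, relayState: hiddenInput(html, 'RelayState') };
}

// Classify what an XHR to the legacy API actually came back with.
function classifyApiResponse(contentType, body) {
  if (/application\/json/i.test(contentType || '')) return 'api-data';
  return parseSamlPostBinding(body) ? 'saml-post-binding' : 'other';
}

// Load the legacy app's protected landing page in a hidden iframe so that the
// browser (not the XHR) runs the auto-POST and the SP sets its session cookie,
// then reload it every `intervalMs` to stay ahead of session expiry.
// `doc` is `document` in a browser; it is a parameter so the logic is testable.
function keepLegacySessionAlive(doc, landingUrl, intervalMs) {
  const iframe = doc.createElement('iframe');
  iframe.style.display = 'none';
  iframe.setAttribute('aria-hidden', 'true');
  iframe.src = landingUrl;
  doc.body.appendChild(iframe);
  const timer = setInterval(() => { iframe.src = landingUrl; }, intervalMs);
  return {
    iframe,
    reload: () => { iframe.src = landingUrl; },
    stop: () => { clearInterval(timer); doc.body.removeChild(iframe); },
  };
}
```

In a browser the flow is: run `classifyApiResponse` on a failed API call; if it reports `saml-post-binding`, call `keepLegacySessionAlive(document, '<legacy landing URL>', someInterval)` once, wait for the iframe's `load` event, and retry the request with credentials included (`withCredentials` or `credentials: 'include'`), since the whole point is the SP's session cookie. Two caveats a practitioner should check: the iframe only helps if the browser will send Keycloak's and the legacy app's cookies in that embedded context, so cross-site deployments need those cookies marked `SameSite=None; Secure` (and third-party cookies not blocked); and the reload interval should be shorter than the SP session timeout, not the Keycloak SSO session, because it is the SP session the API calls depend on.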