<div dir="ltr">I'm afraid it's not possible at the moment. The only option now is to have two different clients and either split your application into two, or you can use the KeycloakConfigResolver to select the client based on the content type yourself. See the multi tenancy example for an idea on how to use it.</div><div class="gmail_extra"><br><div class="gmail_quote">On 2 October 2015 at 18:24, Tair Sabirgaliev <span dir="ltr"><<a href="mailto:tair.sabirgaliev@bee.kz" target="_blank">tair.sabirgaliev@bee.kz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
Hi,<br>
<br>
Yes, it can be done with nginx, but I still hope this could be accomplished natively :)<br>
<br>
The general idea is this: <br>
<br>
a) if browser asks for "text/html" => act as confidential/public client, that is <br>
start keycloak login protocol<br>
<br>
b) if browser asks for "application/json” => act as bearer only client, and in<br>
case of authorization error, respond with proper 40x status<br>
<br>
This would let me build an ‘isomorphic’ JavaScript application (<a href="http://isomorphic.net" rel="noreferrer" target="_blank">http://isomorphic.net</a>)<br>
<br>
With keycloak-1.5.0 I see that there is no difference whether I accept text/html or application/json:<br>
<br>
tair$ curl -v -H 'Accept: text/html' <a href="http://localhost:9080/hello-world/rest/something" rel="noreferrer" target="_blank">http://localhost:9080/hello-world/rest/something</a><br>
* Trying ::1...<br>
* connect to ::1 port 9080 failed: Connection refused<br>
* Trying 127.0.0.1...<br>
* Connected to localhost (127.0.0.1) port 9080 (#0)<br>
> GET /hello-world/rest/something HTTP/1.1<br>
> Host: localhost:9080<br>
> User-Agent: curl/7.43.0<br>
> Accept: text/html<br>
><br>
< HTTP/1.1 302 Found<br>
< Expires: 0<br>
< Cache-Control: no-cache, no-store, must-revalidate<br>
< X-Powered-By: Undertow/1<br>
< Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666<br>
< Server: WildFly/9<br>
< Pragma: no-cache<br>
< Location: <a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true" rel="noreferrer" target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true</a><br>
< Date: Fri, 02 Oct 2015 15:53:32 GMT<br>
< Connection: keep-alive<br>
< Content-Length: 0<br>
<<br>
* Connection #0 to host localhost left intact<br>
<br>
tair$ curl -v -H 'Accept: application/json' <a href="http://localhost:9080/hello-world/rest/something" rel="noreferrer" target="_blank">http://localhost:9080/hello-world/rest/something</a><br>
* Trying 127.0.0.1...<br>
* Connected to localhost (127.0.0.1) port 9080 (#0)<br>
> GET /hello-world/rest/something HTTP/1.1<br>
> Host: localhost:9080<br>
> User-Agent: curl/7.43.0<br>
> Accept: application/json<br>
><br>
< HTTP/1.1 302 Found<br>
< Expires: 0<br>
< Cache-Control: no-cache, no-store, must-revalidate<br>
< X-Powered-By: Undertow/1<br>
< Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65<br>
< Server: WildFly/9<br>
< Pragma: no-cache<br>
< Location: <a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true" rel="noreferrer" target="_blank">http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true</a><br>
< Date: Fri, 02 Oct 2015 15:53:41 GMT<br>
< Connection: keep-alive<br>
< Content-Length: 0<br>
<<br>
* Connection #0 to host localhost left intact<br>
<br>
Any workarounds there?<br>
<span class=""><br>
--<br>
Tair Sabirgaliev<br>
Bee Software, LLP<br>
<br>
<br>
<br>
</span><span class="">On October 2, 2015 at 20:54:01, Giriraj Sharma (<a href="mailto:giriraj.sharma27@gmail.com">giriraj.sharma27@gmail.com</a>(mailto:<a href="mailto:giriraj.sharma27@gmail.com">giriraj.sharma27@gmail.com</a>)) wrote:<br>
<br>
> Hi,<br>
><br>
> One possible way is to put nginx as a reverse proxy in between browser and Keycloak server instance. You can dig around using $content_type embedded variable of nginx ngx_http_core_module or may be nginx_rewrite module and a simple tweak (may be an if statement in nginx server/location block config) will help you in achieving the required. Based on the value of content-type header, you can proxy-pass the requests to a different upstream server via nginx.<br>
><br>
> Cheers,<br>
><br>
><br>
</span><span class="">> On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:<br>
> ><br>
> > Hi,<br>
> ><br>
> > Is it possible to setup login redirection only for certain content types?<br>
> > I want to redirect only when the browser asks for text/html. For other types<br>
> > either 40x or Authorization challenge.<br>
> ><br>
> > --<br>
> > Tair Sabirgaliev<br>
> > Bee Software, LLP<br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > keycloak-user mailing list<br>
</span>> > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>(mailto:<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>)<br>
<span class="im HOEnZb">> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
><br>
> --<br>
><br>
> Giriraj Sharma<br>
> <a href="http://about.me/girirajsharma" rel="noreferrer" target="_blank">about.me/girirajsharma</a><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
</span><span class="im HOEnZb">> Giriraj Sharma,<br>
> Department of Computer Science<br>
> National Institute of Technology Hamirpur<br>
> Himachal Pradesh, India 177005<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></div></div></blockquote></div><br></div>