<div dir="ltr"><div><div><div><div>It worked .. It Worked...!!!! awesome.. <br><br></div>Thanks a lot Marek and Stian for your patience and time.<br></div>Really appreciate your help in fixing this issue.<br><br></div>Thanks and regards,<br></div>Subhro.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 7, 2016 at 3:23 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Ah, it's maybe login iframe which is
causing issues for you. Given the nature of your app and the fact
that you're not using SSO anyway in embedded IE, I suggest to
disable login iframe by adding this option to your "kcInitObj" too:<br>
<br>
<code>checkLoginIframe: false</code><br>
<br>
<br>
Besides that, it seems that we have a minor bug in keycloak.js
that callbacks are not called when you provide "tokens", but
not "onLoad" and IFrame is not working. Created JIRA :
https://issues.jboss.org/browse/KEYCLOAK-2765<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek<br>
<br>
</font></span><div><div class="h5">On 07/04/16 11:22, Subhrajyoti Moitra wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Hello Marek,<br>
</div>
<br>
I actually hadn't shown the starting script tag in the code
snippet above. :)<br>
<br>
</div>
I checked using a debugger that the kcInitObj values are going
into the init method correctly.<br>
Do I have to call some other function after init call?<br>
</div>
<div>Somehow, when I skip the onLoad option, success/error
methods are never called.<br>
</div>
<div>I notice that call to this url is being made and nothing
after that, <br>
<br>
<a href="http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080" target="_blank">http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080</a><br>
<br>
</div>
<div>Does version of KC matter, I am using 1.5.1.Final?<br>
<br>
</div>
<div>I am attaching the index.jsp for reference, since this is
the file I am experimenting with.<br>
</div>
<div>This is just an example to check if things are working or
not.<br>
</div>
<div><br>
</div>
<div>Thanks a lot for taking time to look into this. Really
appreciate it.<br>
<br>
</div>
<div>Thanks,<br>
</div>
<div>Subhro.<br>
</div>
<div><br>
<br>
</div>
<div>
<div><br>
<br>
<br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr 7, 2016 at 1:36 PM, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>I think that you don't need to use "onLoad" option at
all because you passed tokens. So you can just use
something like:<br>
<br>
<pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:"DejaVu Sans Mono";font-size:9pt"><span style="color:rgb(0,0,128);font-weight:bold">var </span><span style="color:rgb(102,14,122);font-weight:bold;font-style:italic">kcInitObj</span>={
<span><span style="color:rgb(102,14,122);font-weight:bold">token</span>:<span style="color:rgb(0,128,0);font-weight:bold">'</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%=</span><span style="background-color:rgb(247,250,255)">token</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,128,0);font-weight:bold">'</span>,
<span style="color:rgb(102,14,122);font-weight:bold">refreshToken</span>:<span style="color:rgb(0,128,0);font-weight:bold">'</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%=</span><span style="background-color:rgb(247,250,255)">refreshToken</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,128,0);font-weight:bold">'</span>,
<span style="color:rgb(102,14,122);font-weight:bold">idToken</span>:<span style="color:rgb(0,128,0);font-weight:bold">'</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%=</span><span style="background-color:rgb(247,250,255)">idToken</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,128,0);font-weight:bold">'
</span>};</span></pre>
<br>
Besides that, I can see that you added tag
"<script>" after the kcInitObj is initialized.
Unless I am missing something (previous snippet of your
page etc), you will need to first add tag
"<script>" and then initialize kcInitObj inside
that as it's javascript object.<br>
<br>
If you have some javascript debugger (for example
Firebug on FF) you can add breakpoint before
keycloak.init call and check that "kcInitOptions" look
as expected and really contain the 3 tokens you passed
above.<span><font color="#888888"><br>
<br>
Marek</font></span>
<div>
<div><br>
<br>
On 07/04/16 08:19, Subhrajyoti Moitra wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hello Stian and Marek,<br>
<br>
</div>
Thanks for the clarification.<br>
</div>
I am not sure what you mean by "invoke
that yourself and initialize keycloak.js
with the tokens afterwards". You mean in
the new KeyCloak(...) constructor I pass
the tokens and other values?<br>
<br>
" authenticate with both LDAP and
Keycloak in the first place...."<br>
</div>
<br>
- The desktop windows application is an old
legacy application (custom dialer) used to
connect to Aspect Telephony server. This
Aspect server requires the AD login so
that agents using this dialer are connected
to Aspect. So I don't know how I can avoid
this.<br>
</div>
- There is no way to pass the username/pass
from the embedded KC page to the "parent"
windows application. Not sure if some
workaround is possible in the local
application or not.<br>
<br>
</div>
Please help.<br>
<br>
</div>
Thanks,<br>
</div>
Subhro.<br>
<div>
<div>
<div><br>
<br>
<div>
<div><br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr 7, 2016 at
11:18 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank"></a><a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">keycloak.js doesn't support
direct grant and we won't add it. You'd have
to invoke that yourself and initialize
keycloak.js with the tokens afterwards.
<div><br>
</div>
<div>Why do you need to authenticate with
both LDAP and Keycloak in the first place?
In either case I'd say a better way would
be to use what Marek suggests as option 2.
User can enter username/password in
embedded Keycloak login page instead of
popup box. Using the embedded login page
has a number of benefits over direct
grant. For example required actions,
recover password support, etc, etc..</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 April 2016
at 07:07, Subhrajyoti Moitra <span dir="ltr"><<a href="mailto:subhrajyotim@gmail.com" target="_blank"></a><a href="mailto:subhrajyotim@gmail.com" target="_blank">subhrajyotim@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hello Marek,<br>
<br>
</div>
What is the value of
onLoad during
keycloak init()
function?<br>
</div>
I tried both check-sso
and login-required,
but it still is
showing the kc login
page.<br>
<br>
</div>
Here's what I did.<br>
</div>
Using java code I get a
direct access grant
tokens. I get response
from this code as
something below.<br>
<br>
{"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblah
blah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}<br>
<br>
</div>
Then I am hitting the jsp
page. <a href="http://localhost:8080/myapp/index.jsp?tokenJson=" target="_blank"></a><a href="http://localhost:8080/myapp/index.jsp?tokenJson=" target="_blank">http://localhost:8080/myapp/index.jsp?tokenJson=</a><theabovejsonstring-cut-and-pasted><br>
<br>
</div>
In index.jsp I extract the
tokenJson param and parse the
json to further extract the
accessToken, idToken and
refreshToken.<br>
<br>
</div>
A code snippet in index.jsp,
like the below generates the
keycloak init obj.<br>
<br>
<pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:"DejaVu Sans Mono";font-size:9pt"><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%
</span>
<span style="background-color:rgb(247,250,255)">String iaJsonStr =request.getParameter(</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">"tokenJson"</span><span style="background-color:rgb(247,250,255)">);//get the token json from url
</span><span style="background-color:rgb(247,250,255)">String token=</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">""</span><span style="background-color:rgb(247,250,255)">,idToken=</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">""</span><span style="background-color:rgb(247,250,255)">,refreshToken=</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">""</span><span style="background-color:rgb(247,250,255)">;//init the values
</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">if</span><span style="background-color:rgb(247,250,255)">(!StringUtils.</span><span style="background-color:rgb(247,250,255);font-style:italic">isEmpty</span><span style="background-color:rgb(247,250,255)">(iaJsonStr)){
</span><span style="background-color:rgb(247,250,255)"> JsonObject iaJsonObj = Json.</span><span style="background-color:rgb(247,250,255);font-style:italic">createReader</span><span style="background-color:rgb(247,250,255)">(</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">new </span><span style="background-color:rgb(247,250,255)">StringReader(iaJsonStr)).readObject();
</span><span style="background-color:rgb(247,250,255)"> token=iaJsonObj.getString(</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">"access_token"</span><span style="background-color:rgb(247,250,255)">);//extract access
</span><span style="background-color:rgb(247,250,255)"> refreshToken=iaJsonObj.getString(</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">"refresh_token"</span><span style="background-color:rgb(247,250,255)">);//extract refresh
</span><span style="background-color:rgb(247,250,255)"> idToken=iaJsonObj.getString(</span><span style="color:rgb(0,128,0);background-color:rgb(247,250,255);font-weight:bold">"id_token"</span><span style="background-color:rgb(247,250,255)">);//extract id
</span><span style="background-color:rgb(247,250,255)">}</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">
if</span><span style="background-color:rgb(247,250,255)">(!StringUtils.</span><span style="background-color:rgb(247,250,255);font-style:italic">isEmpty</span><span style="background-color:rgb(247,250,255)">(token) && !StringUtils.</span><span style="background-color:rgb(247,250,255);font-style:italic">isEmpty</span><span style="background-color:rgb(247,250,255)">(refreshToken) && !StringUtils.</span><span style="background-color:rgb(247,250,255);font-style:italic">isEmpty</span><span style="background-color:rgb(247,250,255)">(idToken)){
</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,0,128);font-weight:bold">
</span><span style="color:rgb(0,0,128);font-weight:bold">var </span><span style="color:rgb(102,14,122);font-weight:bold;font-style:italic">kcInitObj</span>={
<span style="color:rgb(102,14,122);font-weight:bold">onLoad</span>:<span style="color:rgb(0,128,0);font-weight:bold">'check-sso'</span>,
<span style="color:rgb(102,14,122);font-weight:bold">token</span>:<span style="color:rgb(0,128,0);font-weight:bold">'</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%=</span><span style="background-color:rgb(247,250,255)">token</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,128,0);font-weight:bold">'</span>,
<span style="color:rgb(102,14,122);font-weight:bold">refreshToken</span>:<span style="color:rgb(0,128,0);font-weight:bold">'</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%=</span><span style="background-color:rgb(247,250,255)">refreshToken</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,128,0);font-weight:bold">'</span>,
<span style="color:rgb(102,14,122);font-weight:bold">idToken</span>:<span style="color:rgb(0,128,0);font-weight:bold">'</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%=</span><span style="background-color:rgb(247,250,255)">idToken</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,128,0);font-weight:bold">'
</span>};
<span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%
</span><span style="background-color:rgb(247,250,255)">}</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">else</span><span style="background-color:rgb(247,250,255)">{
</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span><span style="color:rgb(0,0,128);font-weight:bold">
</span><span style="color:rgb(0,0,128);font-weight:bold">var </span><span style="color:rgb(102,14,122);font-weight:bold;font-style:italic">kcInitObj</span>={
<span style="color:rgb(102,14,122);font-weight:bold">onLoad</span>:<span style="color:rgb(0,128,0);font-weight:bold">'check-sso'
</span>};
<span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"><%
</span><span style="background-color:rgb(247,250,255)">}
</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold">%></span></pre>
.......<br>
.....<br>
</div>
<div>
<pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:"DejaVu Sans Mono";font-size:9pt"><span style="background-color:rgb(239,239,239)"><</span><span style="color:rgb(0,0,128);background-color:rgb(239,239,239);font-weight:bold">script</span><span style="background-color:rgb(239,239,239)">></span>
<span style="color:rgb(0,0,128);font-weight:bold">var </span><span style="color:rgb(102,14,122);font-weight:bold;font-style:italic">keycloak </span>= Keycloak(<span style="color:rgb(0,128,0);font-weight:bold">'/myapp/keycloak-dev</span><span style="color:rgb(0,0,128);background-color:rgb(247,250,255);font-weight:bold"></span><span style="color:rgb(0,128,0);font-weight:bold">.json'</span>);
keycloak.init(kcInitObj).success(function(authenticated) {
    if(!authenticated){
        keycloak.login();
    }else{
        //call loadProfile and get the user details.
    }
}).error(....)
</pre>
<pre style="background-color:rgb(255,255,255);color:rgb(0,0,0);font-family:"DejaVu Sans Mono";font-size:9pt"><span style="background-color:rgb(239,239,239)"></</span><span style="color:rgb(0,0,128);background-color:rgb(239,239,239);font-weight:bold">script</span><span style="background-color:rgb(239,239,239)">></span>
</pre>
<br>
</div>
<div>This is still redirecting me
to the login page. Do I have to
do something in the client
setup? <br>
<br>
</div>
<div>So close,, yet so far...
Please help.. <br>
<br>
</div>
<div>Thanks a lot for your
attention.<br>
</div>
<div>Subhro.<br>
</div>
<div>
<div>
<div>
<div><br>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Thu, Apr 7, 2016 at 8:35 AM,
Subhrajyoti Moitra <span dir="ltr"><<a href="mailto:subhrajyotim@gmail.com" target="_blank"></a><a href="mailto:subhrajyotim@gmail.com" target="_blank">subhrajyotim@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Thanks a
million Marek
for setting us
in the right
direction.<br>
<br>
"...application
is able to
access the
javascript
state from
embedded IE"-
this is not
possible
currently,
hence 1st
solution won't
work.<br>
<br>
</div>
We will follow
the 2nd way to
do this. <br>
</div>
</div>
<br>
So using "<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html" target="_blank">direct access grant</a>" I get the required JSON token
data as
mentioned.<br>
</div>
Then I pass this
data to the jsp
page (embedded in
IE), using URL
params.<br>
</div>
The JSP page pulls
out the required
data from the URL
params, and then
inits keycloak.js.<br>
</div>
In keycloak init
function I pass the
token, idToken and
refreshToken values.<br>
</div>
<div><br>
</div>
<div>Hopefully this
works, trying it now!<br>
<br>
</div>
<div>Thanks a lot again
for the pointers.<br>
<br>
</div>
<div>Subhro.<br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Thu, Apr 7, 2016
at 2:33 AM, Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank"></a><a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Do you
have the
"control"
under the
application?
Is it possible
to propagate
security
contexts from
application to
embedded IE or
vice versa?<br>
<br>
In theory what
can work is
either:<br>
- You will
skip step1 and
don't popup
username/password
box. Instead
you will just
authenticate
in step2
inside IE and
then propagate
the context (
token ) to
step1. This is
possible just
if application
is able to
access the
javascript
state from
embedded IE.<br>
<br>
- If you can
propagate just
from desktop
to IE, then in
step1 you
will
configure your
application to
send the
request for
username/password
authentication
to Keycloak
via direct
access grant
(instead of
sending
username+password
directly to
AD/LDAP). Once
you receive
token from
direct access
grant, you can
use it inside
IE in step2 (
keycloak.js
has
possibility to
be initialized
with token.
You just need
to pass the
token and
refreshToken
as arguments
to
keycloak.init
. Then
keycloak.js
won't redirect
you to login
screen )<br>
<br>
Marek
<div>
<div><br>
<br>
On 06/04/16
11:24,
Subhrajyoti
Moitra wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>Hello
Team, <br>
<br>
I have a
standalone
windows
desktop
application,
that
authenticates
against an
AD/LDAP
server. The
application
pops up a
username/password
box, and
submits it to
the LDAP for
authentication.<br>
The same
AD/LDAP server
is also synced
with a
Keycloak
installation.<br>
<br>
The windows
application
embeds the IE
browser
control and
shows a jsp
page.<br>
This jsp page
is protected
using keycloak
js adapter.
Obviously the
user is
re-directed to
the keycloak
login page. So
the user has
to login
twice, once
using the
application
popup and
other in the
embedded jsp,
after getting
redirected to
the keycloak
login page.<br>
<br>
I don't want to
re-prompt the
user for
relogin, since
he has already
authenticated
against the AD
server.<br>
Is there a way
to not
re-prompt the
user, when the
embedded IE
requests the
secure JSP?<br>
<br>
</div>
Please help,
as we are not
able to come
up with a
solution for
the same.<br>
</div>
<div>Any
pointers how
we can avoid
the 2nd
authentication.<br>
</div>
<div><br>
</div>
Thanks,<br>
</div>
Subhro.<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
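<div>The approach the thread settles on (initialize keycloak.js with the tokens from a direct access grant, omit "onLoad", set checkLoginIframe to false), as an added example that is not code from the thread or from the Keycloak project. It assumes all three tokens are compact JWTs; the function names and sample values are hypothetical, and the escaping helper stands in for writing the values into the page's script as raw quoted strings.</div>

```javascript
// Added example, not from the thread. Function names are hypothetical.

// Assumption: access, refresh and ID tokens are compact JWTs, i.e. three
// base64url segments separated by dots.
const COMPACT_JWT = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Token endpoint field -> keycloak.init option name (both as used in the thread).
const FIELD_TO_OPTION = {
  access_token: 'token',
  refresh_token: 'refreshToken',
  id_token: 'idToken',
};

// Build the keycloak.init() options from a direct access grant response.
// With valid tokens: no onLoad, and checkLoginIframe disabled.
// Otherwise: the thread's else branch, { onLoad: 'check-sso' }.
function buildKcInitOptions(tokenJson) {
  const fallback = { onLoad: 'check-sso' };
  let parsed;
  try {
    parsed = JSON.parse(tokenJson);
  } catch (e) {
    return fallback; // not JSON at all
  }
  if (parsed === null || typeof parsed !== 'object') return fallback;

  const options = { checkLoginIframe: false };
  for (const [field, option] of Object.entries(FIELD_TO_OPTION)) {
    const value = parsed[field];
    // The JSON arrives as a request parameter, so treat it as untrusted:
    // anything that is not JWT-shaped never reaches the page.
    if (typeof value !== 'string' || !COMPACT_JWT.test(value)) return fallback;
    options[option] = value;
  }
  return options;
}

// Serialize a value for use inside an inline script element.
// JSON.stringify handles quotes and backslashes; the extra escapes keep the
// text from closing the script element or containing raw line separators.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed sample response (not real tokens).
const SAMPLE_RESPONSE = JSON.stringify({
  access_token: 'aaa.bbb.ccc',
  refresh_token: 'ddd.eee.fff',
  id_token: 'ggg.hhh.iii',
  expires_in: 1800,
});

// What the page would emit: var kcInitObj = <literal>;
const kcInitObjLiteral = toInlineScriptLiteral(buildKcInitOptions(SAMPLE_RESPONSE));
```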