<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I think that you don't need to use
the "onLoad" option at all because you passed tokens. So you can just
use something like:<br>
<br>
<pre>var kcInitObj={
    token:'&lt;%=token%&gt;',
    refreshToken:'&lt;%=refreshToken%&gt;',
    idToken:'&lt;%=idToken%&gt;'
};</pre>
<br>
Besides that, I can see that you added the "&lt;script&gt;" tag after
the kcInitObj is initialized. Unless I am missing something
(previous snippet of your page etc.), you will need to first add
the "&lt;script&gt;" tag and then initialize kcInitObj inside it, as
it's a javascript object.<br>
<br>
If you have some javascript debugger (for example Firebug on FF)
you can add a breakpoint before the keycloak.init call and check that
"kcInitOptions" looks as expected and really contains the 3 tokens
you passed above.<br>
<br>
Marek<br>
<br>
On 07/04/16 08:19, Subhrajyoti Moitra wrote:<br>
</div>
<blockquote
cite="mid:CAB6P+-EQ-z8BoRv-cyN=3C8Y8huB-rWR4KUPiPbP4hAAZZS+og@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hello Stian and Marek,<br>
<br>
</div>
Thanks for the clarification.<br>
</div>
I am not sure what you mean by "invoke that yourself and
initialize keycloak.js with the tokens afterwards". You
mean in the new KeyCloak(...) constructor I pass the
tokens and other values?<br>
<br>
" authenticate with both LDAP and Keycloak in the
first place...."<br>
</div>
<br>
- The desktop windows application is an old legacy
application (custom dialer) used to connect to Aspect
Telephony server. This Aspect server requires the AD
login so that agents using this dialer are connected to
Aspect. So I don't know how I can avoid this.<br>
</div>
- There is no way to pass the username/pass from the
embedded KC page to the "parent" windows application. Not
sure if some workaround is possible in the local
application or not.<br>
<br>
</div>
Please help.<br>
<br>
</div>
Thanks,<br>
</div>
Subhro.<br>
<div>
<div>
<div><br>
<br>
<div>
<div><br>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr 7, 2016 at 11:18 AM, Stian
Thorgersen <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">keycloak.js doesn't support direct grant and
we won't add it. You'd have to invoke that yourself and
initialize keycloak.js with the tokens afterwards.
<div><br>
</div>
<div>Why do you need to authenticate with both LDAP and
Keycloak in the first place? In either case I'd say a
better way would be to use what Marek suggests as option
2. User can enter username/password in embedded Keycloak
login page instead of popup box. Using the embedded
login page has a number of benefits over direct grant.
For example required actions, recover password support,
etc, etc..</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 April 2016 at 07:07,
Subhrajyoti Moitra <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:subhrajyotim@gmail.com" target="_blank">subhrajyotim@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hello Marek,<br>
<br>
</div>
What is the value of onLoad during
keycloak init() function?<br>
</div>
I tried both check-sso and
login-required, but it still is
showing the kc login page.<br>
<br>
</div>
Here's what I did.<br>
</div>
Using Java code I get direct access
grant tokens. I get a response from this
code like the one below.<br>
<br>
{"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblah
blah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}<br>
<br>
</div>
Then I am hitting the jsp page. <a moz-do-not-send="true" href="http://localhost:8080/myapp/index.jsp?tokenJson=" target="_blank">http://localhost:8080/myapp/index.jsp?tokenJson=</a>&lt;theabovejsonstring-cut-and-pasted&gt;<br>
<br>
</div>
In index.jsp I extract the tokenJson param
and parse the json to further extract the
accessToken, idToken and refreshToken.<br>
<br>
</div>
A code snippet in index.jsp, like the one below,
generates the keycloak init obj.<br>
<br>
<pre>&lt;%
String iaJsonStr = request.getParameter("tokenJson"); //get the token json from url
String token="",idToken="",refreshToken=""; //init the values
if(!StringUtils.isEmpty(iaJsonStr)){
    JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
    token=iaJsonObj.getString("access_token"); //extract access
    refreshToken=iaJsonObj.getString("refresh_token"); //extract refresh
    idToken=iaJsonObj.getString("id_token"); //extract id
}
if(!StringUtils.isEmpty(token) &amp;&amp; !StringUtils.isEmpty(refreshToken) &amp;&amp; !StringUtils.isEmpty(idToken)){
%&gt;
var kcInitObj={
    onLoad:'check-sso',
    token:'&lt;%=token%&gt;',
    refreshToken:'&lt;%=refreshToken%&gt;',
    idToken:'&lt;%=idToken%&gt;'
};
&lt;%
}else{
%&gt;
var kcInitObj={
    onLoad:'check-sso'
};
&lt;%
}
%&gt;</pre>
.......<br>
.....<br>
</div>
<div>
<pre>&lt;script&gt;
    var keycloak = Keycloak('/myapp/keycloak-dev.json');
    keycloak.init(kcInitObj).success(function(authenticated) {
        if(!authenticated){
            keycloak.login();
        }else{
            //call loadProfile and get the user details.
    ).error(....)
&lt;/script&gt;</pre>
<br>
</div>
<div>This is still redirecting me to the login
page. Do I have to do something in the client
setup? <br>
<br>
</div>
<div>So close, yet so far... Please help.<br>
<br>
</div>
<div>Thanks a lot for your attention.<br>
</div>
<div>Subhro.<br>
</div>
<div>
<div>
<div>
<div><br>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Apr 7, 2016
at 8:35 AM, Subhrajyoti Moitra <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:subhrajyotim@gmail.com"
target="_blank">subhrajyotim@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Thanks a million
Marek for setting us in
the right direction.<br>
<br>
"...application is able
to access the javascript
state from embedded IE"-
this is not possible
currently, hence 1st
solution won't work.<br>
<br>
</div>
We will follow the 2nd way
to do this. <br>
</div>
</div>
<br>
So using "<a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html"
target="_blank">direct
access grant</a>" I get the
required JSON token data as
mentioned.<br>
</div>
Then I pass this data to the jsp
page (embedded in IE), using URL
params.<br>
</div>
The JSP page pulls out the
required data from the URL params,
and then inits keycloak.js.<br>
</div>
In the keycloak init function I pass the
token, idToken and refreshToken
values.<br>
</div>
<div><br>
</div>
<div>Hopefully this works, trying it
now!<br>
<br>
</div>
<div>Thanks a lot again for the
pointers.<br>
<br>
</div>
<div>Subhro.<br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu,
Apr 7, 2016 at 2:33 AM, Marek
Posolda <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>Do you have the
"control" under the
application? Is it
possible to propagate
security contexts from
application to embedded IE
or vice versa?<br>
<br>
In theory what can work is
either:<br>
- You will skip step1 and
don't popup
username/password box.
Instead you will just
authenticate in step2
inside IE and then
propagate the context (
token ) to step1. This is
possible just if
application is able to
access the javascript
state from embedded IE.<br>
<br>
- If you can propagate
just from desktop to IE,
then in step1 you will
configure your application
to send the request for
username/password
authentication to Keycloak
via direct access grant
(instead of sending
username+password directly
to AD/LDAP). Once you
receive token from direct
access grant, you can use
it inside IE in step2 (
keycloak.js has
possibility to be
initialized with token.
You just need to pass the
token and refreshToken as
arguments to keycloak.init
. Then keycloak.js won't
redirect you to login
screen )<br>
<br>
Marek
<div>
<div><br>
<br>
On 06/04/16 11:24,
Subhrajyoti Moitra
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>Hello Team,
<br>
<br>
I have a
standalone
windows
desktop
application,
that
authenticates
against an
AD/LDAP
server. The
application
popups a
username/password
box, and
submits it to
the LDAP for
authentication.<br>
The same
AD/LDAP server
is also synced
with a
Keycloak
installation.<br>
<br>
The windows
application
embeds the IE
browser
control and
shows a jsp
page.<br>
This jsp page
is protected
using keycloak
js adapter.
Obviously the
user is
re-directed to
the keycloak
login page. So
the user has
to login
twice, once
using the
application
popup and
other in the
embedded jsp,
after getting
redirected to
the keycloak
login page.<br>
<br>
I don't want to
re-prompt the
user for
relogin, since
he has already
authenticated
against the AD
server.<br>
Is there a way
to not
re-prompt the
user, when the
embedded IE
requests the
secure JSP?<br>
<br>
</div>
Please help, as
we are not able
to come up with
a solution for
the same.<br>
</div>
<div>Any pointers
how we can avoid
the 2nd
authentication.<br>
</div>
<div><br>
</div>
Thanks,<br>
</div>
Subhro.<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
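<p>Added example, not part of the original thread and not Keycloak's own code: the check suggested in the top reply (that the init options really contain the three tokens) done in code before keycloak.init is called, with an expiry check on each token. The helper names (b64urlDecode, jwtPayload, buildInitOptions, sampleJwt, sampleResponse) are hypothetical and the sample tokens are constructed placeholders.</p>

```javascript
// Decode base64url text; works in Node (Buffer) and in browsers (atob).
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8')
    : atob(b64);
}

// Return the claims of a compact JWT WITHOUT verifying its signature.
// This is a sanity check for the page, never a basis for an authorization decision.
function jwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Map a direct access grant response to the options passed to keycloak.init().
function buildInitOptions(tokenResponseJson, nowSeconds) {
  const r = JSON.parse(tokenResponseJson);
  const opts = { token: r.access_token, refreshToken: r.refresh_token, idToken: r.id_token };
  for (const [name, value] of Object.entries(opts)) {
    if (typeof value !== 'string' || value === '') throw new Error('missing ' + name);
    const exp = jwtPayload(value).exp;
    // An absent or zero exp is treated as "no expiry claim to check".
    if (typeof exp === 'number' && exp > 0 && exp <= nowSeconds) {
      throw new Error(name + ' expired');
    }
  }
  return opts; // deliberately no onLoad: the tokens are supplied directly
}

// Constructed sample data: unsigned placeholder tokens, not real Keycloak output.
// Uses Buffer, so this helper is for running the example under Node.
function sampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256' }), enc(claims), 'constructed-signature'].join('.');
}

function sampleResponse(now) {
  return JSON.stringify({
    access_token: sampleJwt({ exp: now + 1800 }),
    expires_in: 1800,
    refresh_expires_in: 1800,
    refresh_token: sampleJwt({ exp: now + 1800 }),
    token_type: 'bearer',
    id_token: sampleJwt({ exp: now + 1800 }),
  });
}

const now = Math.floor(Date.now() / 1000);
const kcInitObj = buildInitOptions(sampleResponse(now), now);
console.log(Object.keys(kcInitObj)); // log the option names only, never the token values
// In the page: keycloak.init(kcInitObj).success(function (authenticated) { ... });
```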
</body>
</html>