<div dir="ltr"><div><div><div><div><div><div><div>Thanks a million Marek for setting us in the right direction.<br><br>"...application is able to access the javascript state from embedded
IE"- this is not possible currently, hence 1st solution wont work.<br><br></div>We will follow the 2nd way to do this. <br></div></div><br>So using "<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html">direct access grant</a>" i get the required JSON token data as mentioned.<br></div>Then I pass this data to the jsp page (embedded in IE), using URL params.<br></div>The JSP page pulls out the required data from the URL params, and then inits keycloak.js.<br></div>in keycloak init function i pass the token, idToken and refreshToken values.<br></div><div><br></div><div>Hopefully this works, trying it now!<br><br></div><div>Thanks a lot again for the pointers.<br><br></div><div>Subhro.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Do you have the "control" under the
application? Is it possible to propagate security contexts from
application to embedded IE or viceversa?<br>
<br>
In theory what can work is either:<br>
- You will skip step1 and don't popup username/password box.
Instead you will just authenticate in step2 inside IE and then
propagate the context ( token ) to step1. This is possible just if
application is able to access the javascript state from embedded
IE.<br>
<br>
- If you can propagate just from desktop to IE, then in step1 you
wwill configure your application to send the request for
username/password authentication to Keycloak via direct access
grant (instead of sending username+password directly to AD/LDAP).
Once you receive token from direct access grant, you can use it
inside IE in step2 ( keycloak.js has possibility to be initialized
with token. You just need to pass the token and refreshToken as
arguments to keycloak.init . Then keycloak.js won't redirect you
to login screen )<br>
<br>
Marek<div><div class="h5"><br>
<br>
On 06/04/16 11:24, Subhrajyoti Moitra wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div dir="ltr">
<div>
<div>
<div>Hello Team, <br>
<br>
I have a standalone windows desktop application, that
authenticates against an AD/LDAP server. The application
popups a username/password box, and submits it to the LDAP
for authentication.<br>
The same AD/LDAP server is also synced with a Keycloak
installation.<br>
<br>
The windows application embeds the IE browser control and
shows a jsp page.<br>
This jsp page is protected using keycloak js adapter.
Obviously the user is re-directed to the keycloak login
page. So the user has to login twice, once using the
application popup and other in the embedded jsp, after
getting redirected to the keycloak login page.<br>
<br>
I dont want to re-prompt the user for relogin, since he
has already authenticated against the AD server.<br>
Is there a way to not re-prompt the user, when the
embedded IE requests the secure JSP?<br>
<br>
</div>
Please help, as we are not able to come up with a solution
for the same.<br>
</div>
<div>Any pointers how we can avoid the 2nd authentication.<br>
</div>
<div><br>
</div>
Thanks,<br>
</div>
Subhro.<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div></div><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>