<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 22 June 2016 at 08:44, Chris Pitman <span dir="ltr"><<a href="mailto:cpitman@redhat.com" target="_blank">cpitman@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
----- Original Message -----<br>
> On 21/06/16 00:13, Chris Pitman wrote:<br>
> > Hey everyone,<br>
> ><br>
> > I'm running into an issue with an application that I've ported over to<br>
> > using Keycloak. I believe that the token issued by keycloak is expiring,<br>
> > which causes XMLHttpRequests from my front end to be redirected to<br>
> > Keycloak which then tries to redirect to Google (my identity provider). By<br>
> > the time it gets to Google, there have been redirects across two different<br>
> > domains, causing the browser to not set an Origin header in the request to<br>
> > Google, which then causes the browser to not process the response.<br>
> Since Keycloak automatically redirects to Google, it seems that you have<br>
> the "Authenticate by default" switch enabled for your Google identity<br>
> provider, right? I just replied to some other thread where a user mentions<br>
> some issue. We may have a bug in Keycloak regarding this:<br>
> <a href="http://lists.jboss.org/pipermail/keycloak-user/2016-June/006652.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/2016-June/006652.html</a><br>
><br>
<br>
</span>Thanks Marek, this is exactly the behavior I am seeing. I do have "Authenticate by Default" enabled. I set up CORS (allow-origin, allow-credentials) so that the browser would forward Keycloak's cookies after the redirect, thinking that would cause Keycloak to immediately issue a new token. Instead, it still redirects to Google.<br></blockquote><div><br></div><div>Quite likely it's the session that is no longer valid, not just the token. If the access token is not valid (this is 5 min by default) it will be refreshed by the proxy (valid as long as the user session is valid).</div><div><br></div><div>Once the user session is no longer valid the user is required to re-authenticate to Keycloak, which causes the redirect to Google. This happens by default after the session has been idle for 30 min (no token refreshes) or after 10 hours. You can change the timeouts through the admin console.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
<br>
> ><br>
> > What is the general way of handling a javascript ajax request when a token<br>
> > expires? Or to have a UI get a new token without requiring the entire ui<br>
> > to refresh to force the browser to redirect?<br>
> ><br>
> > For further background, here is my setup: I am using Google OpenID Connect<br>
> > as the identity provider. The application is protected with<br>
> > keycloak-proxy, which then passes requests on to the application.<br>
> > keycloak-proxy is the piece detecting the token is no longer valid and<br>
> > redirecting the ui to keycloak.<br>
> Hmm... for JavaScript apps, it's usually best to use the keycloak.js<br>
> adapter. Not sure why you need keycloak-proxy?<br>
<br>
</span>The application has a JavaScript front end and a Rails back end, and the back end is where we do authentication traditionally. I may need to look into this more to understand why we would do the flow from the client. My understanding is that refresh tokens should also not be issued to client-side applications, since they can just re-auth anyway. Either way, the defect above would still cause an issue with the multi-step CORS.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
><br>
> In keycloak.js you can automatically refresh tokens. Right before you<br>
> send a request to a REST endpoint, you can call "keycloak.updateToken", which<br>
> automatically refreshes the token if it's expired or is going to expire in 5<br>
> seconds or so (the exact time is configurable via the argument to the<br>
> "updateToken" method). See the docs or our examples, for example this one:<br>
> <a href="https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app-js/src/main/webapp/customers/view.html#L93" rel="noreferrer" target="_blank">https://github.com/keycloak/keycloak/blob/master/examples/demo-template/customer-app-js/src/main/webapp/customers/view.html#L93</a><br>
><br>
> Also in keycloak.js you can define the callback "onTokenExpired", which is<br>
> called when the accessToken expires. Here you can implement sending a refresh<br>
> request as well.<br>
><br>
> In short, you don't need to go through login flows and browser<br>
> redirections to Keycloak etc., but instead rely on refreshing tokens.<br>
><br>
> Marek<br>
> ><br>
> > Chris Pitman<br>
> > Architect, Red Hat Consulting<br>
> ><br>
> > _______________________________________________<br>
> > keycloak-user mailing list<br>
> > <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
><br>
</div></div></blockquote></div> </div></div>
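The refresh-before-request pattern Marek describes, as an added example that is not code from this thread or from the Keycloak project. It assumes the keycloak.js adapter API (`keycloak.updateToken(minValidity)`, `keycloak.token`, `keycloak.onTokenExpired`, `keycloak.login()`) in the native-Promise form used by newer adapter versions (the 2016-era adapter exposed `.success()`/`.error()` callbacks instead); the `makeFakeKeycloak` stand-in and its sample values are constructed so the block runs offline.

```javascript
// Added example, not code from this thread or from the Keycloak project.
// Assumed adapter API: keycloak.updateToken(minValidity) -> Promise<boolean>,
// keycloak.token, keycloak.onTokenExpired, keycloak.login().
// The stand-in adapter at the bottom is constructed so this runs offline.

const MIN_VALIDITY_SECONDS = 30; // refresh when the token expires within 30 s

// Refresh-before-request: every API call goes through here instead of letting
// an expired token trigger the proxy's redirect to Keycloak and on to Google.
function authFetch(keycloak, fetchImpl, url, options = {}) {
  return keycloak.updateToken(MIN_VALIDITY_SECONDS).then(
    () => {
      const headers = Object.assign({}, options.headers, {
        Authorization: 'Bearer ' + keycloak.token,
      });
      return fetchImpl(url, Object.assign({}, options, { headers }));
    },
    () => {
      // Refresh failed: the SSO session is gone, so a full login is the only
      // option. Do it explicitly rather than from inside an XHR redirect chain.
      keycloak.login();
      return Promise.reject(new Error('session expired; login required'));
    }
  );
}

// Proactive variant: refresh as soon as the adapter reports expiry.
function installExpiryHandler(keycloak) {
  keycloak.onTokenExpired = () => keycloak.updateToken(MIN_VALIDITY_SECONDS);
}

// Constructed stand-in for the keycloak.js adapter (not the real adapter):
// the token expires at `tokenExp`; refresh succeeds only while the simulated
// SSO session is alive; login() is counted instead of redirecting.
function makeFakeKeycloak({ tokenExp, sessionAlive, now }) {
  const kc = { token: 'tok-1', exp: tokenExp, refreshes: 0, logins: 0 };
  kc.updateToken = (minValidity) => {
    if (kc.exp - now() > minValidity) return Promise.resolve(false);
    if (!sessionAlive) return Promise.reject(new Error('refresh failed'));
    kc.refreshes += 1;
    kc.token = 'tok-' + (kc.refreshes + 1);
    kc.exp = now() + 300; // 5 min, the default access token lifespan mentioned above
    return Promise.resolve(true);
  };
  kc.login = () => { kc.logins += 1; };
  return kc;
}
```

With the real adapter, `authFetch(keycloak, window.fetch, '/api/customers')` is the call the front end makes; the redirect only happens on the session-expired branch, which is the case Stian describes.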