<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 06/27/2016 01:07 PM, Marek Posolda
      wrote:<br>
    </div>
    <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
      <meta content="text/html; charset=windows-1252"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">I think your possibilities are
        either:<br>
        - Use a different client for keycloak.js (public client) and a
        different client for your confidential servlet application<br>
      </div>
    </blockquote>
    <br>
    I thought about it, but the moment I thought about what the point of
    having the confidential client is if the public one is needed, I
    discarded that option. Since the autologin affects the same
    website, there's no point in having two clients attacking the same
    resource. The public client is the weakest link of the chain, so
    having a secret key doesn't add anything to security; only for
    accountability, maybe.<br>
    <br>
    <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
      <div class="moz-cite-prefix"> - Don't use keycloak.js at all, but
        instead do some HTTP Filter to deal with "autologin". You will
        manually try to redirect to Keycloak with "prompt=none". If the
        user is not logged in, Keycloak will redirect back to the callback
        redirect_uri, where you recognize whether there is a "code" or an
        "error" parameter and, based on that, you know if the user is
        logged in or not. If the user is logged in, you can redirect to
        the secured URL to properly trigger the authentication process
        (maybe you can optimize this step by reusing the "code" which you
        already have and directly opening the secured URI with it, but I
        am not 100% sure it works, considering that you also need the
        correct "state" etc.). Otherwise, you can set some state or
        something to recognize that autologin has already been tried
        unsuccessfully.<br>
      </div>
    </blockquote>
    <br>
    Oh well, it's a website made in PHP, not a servlet, but the same
    idea can be applied. But I had to discard that option too for
    technical reasons: I'm not exactly in control of the whole website,
    since I'm adding the autologin to a project I didn't work on in the
    past, which isn't as well engineered for extensibility as Keycloak
    :).<br>
    <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
      <div class="moz-cite-prefix"> <br>
        Maybe you can create a JIRA to request support for "autologin" for
        other types of clients than public keycloak.js clients.<br>
      </div>
    </blockquote>
    <br>
    Thanks, Marek. I'll think about it. It's very likely that I'll open
    a JIRA issue to discuss this further.<br>
    <br>
    <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
      <div class="moz-cite-prefix"> <br>
        Marek<br>
        <br>
        On 25/06/16 11:44, Tomás García wrote:<br>
      </div>
      <blockquote
        cite="mid:77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com"
        type="cite">
        <meta http-equiv="content-type" content="text/html;
          charset=windows-1252">
        <p>Hi,</p>
        <p>I wonder if it's possible to just check the SSO state with a
          confidential client. My use case is the following:</p>
        <p>- I have a website which uses a confidential client to login
          with Keycloak.</p>
        <p>- I want to add autologin to this website.</p>
        <p>- So I use the JavaScript adapter with the following option
          object for the init method: { onLoad: 'check-sso' }. The
          JavaScript adapter is built without the secret key in its
          constructor (obviously, if I put the secret key in there,
          there's no point in using a confidential client at all).<br>
        </p>
        <p>But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR,
          error=invalid_client_credentials" error.<br>
        </p>
        <p>So I don't know how feasible or secure it is to just check that
          the Keycloak session inside the cookie of the user's browser
          is still valid. In my case, the browser doesn't need to get
          the user info, access token, etc., because what I'll do is
          redirect the user to the Keycloak login page with the
          confidential client afterwards if the operation is successful.
          Since the Keycloak session is valid, Keycloak should redirect
          back with the authentication code without asking the user for
          credentials.<br>
        </p>
        <p>Additional note: the CORS header isn't added to 400 responses
          in Keycloak, so it was a bit confusing looking at the JS
          console in the browser, because it complained about CORS but
          it was just Keycloak giving the 400 response without the
          allow-origin header.<br>
        </p>
        Thanks.<br>
        <br>
        <div class="moz-signature">-- <br>
          <div dir="ltr">
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <p style="margin:0cm 0cm
                          0.0001pt;color:rgb(0,0,0);font-family:'Times
                          New Roman',serif;font-size:12pt"><b><span
                              style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(94,94,94)"
                              lang="EN-US">Tomás García Pérez<br>
                            </span></b></p>
                        <p style="margin:0cm 0cm 0.0001pt"><font
                            face="Arial, sans-serif" color="#5e5e5e"><span
                              style="font-size:12px"><b>Software
                                Developer</b></span></font></p>
                        <p style="margin:0cm 0cm
                          0.0001pt;font-family:'Times New
                          Roman',serif;font-size:12pt"><b
                            style="color:rgb(0,0,0)"><span
style="font-size:13.5pt;font-family:Arial,sans-serif;color:rgb(42,128,172)"
                              lang="EN-US">Intra</span></b><b
                            style="color:rgb(0,0,0)"><span
style="font-size:13.5pt;font-family:Arial,sans-serif;color:rgb(121,121,121)"
                              lang="EN-US">House</span></b><b
                            style="color:rgb(0,0,0)"><span
                              style="font-size:13.5pt;font-family:Arial,sans-serif"
                              lang="EN-US"></span></b></p>
                        <br>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
      </blockquote>
      <br>
    </blockquote>
    <br>
    <p><br>
    </p>
    <div class="moz-signature">-- <br>
      <div dir="ltr">
        <div>
          <div dir="ltr">
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <p style="margin:0cm 0cm
                      0.0001pt;color:rgb(0,0,0);font-family:'Times New
                      Roman',serif;font-size:12pt"><b><span
                          style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(94,94,94)"
                          lang="EN-US">Tomás García Pérez<br>
                        </span></b></p>
                    <p style="margin:0cm 0cm 0.0001pt"><font
                        face="Arial, sans-serif" color="#5e5e5e"><span
                          style="font-size:12px"><b>Software Developer</b></span></font></p>
                    <p style="margin:0cm 0cm 0.0001pt;font-family:'Times
                      New Roman',serif;font-size:12pt"><b
                        style="color:rgb(0,0,0)"><span
style="font-size:13.5pt;font-family:Arial,sans-serif;color:rgb(42,128,172)"
                          lang="EN-US">Intra</span></b><b
                        style="color:rgb(0,0,0)"><span
style="font-size:13.5pt;font-family:Arial,sans-serif;color:rgb(121,121,121)"
                          lang="EN-US">House</span></b><b
                        style="color:rgb(0,0,0)"><span
                          style="font-size:13.5pt;font-family:Arial,sans-serif"
                          lang="EN-US"></span></b></p>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </div>
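    <p>The redirect-and-callback check Marek sketched above, as an added
      example that is not part of this thread or of Keycloak's own code.
      It is written in Python rather than the site's PHP so the logic
      stands on its own; the Keycloak base URL, realm, client id,
      redirect_uri and secured URL are constructed placeholders (the
      redirect_uri must be registered on the client for Keycloak to
      redirect back to it):</p>

```python
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed placeholder settings; none of these values come from the thread.
KEYCLOAK_BASE = "https://sso.example.com/auth"      # assumed Keycloak base URL
REALM = "demo"                                      # assumed realm name
CLIENT_ID = "website"                               # assumed confidential client id
CALLBACK_URI = "https://www.example.com/sso-check"  # assumed registered redirect_uri
SECURED_URL = "https://www.example.com/secured"     # assumed URL that triggers the real login


def should_check(session):
    """Filter decision: try the silent check only for anonymous users, and only once."""
    return not session.get("logged_in") and not session.get("sso_check_done")


def begin_check(session):
    """Build the prompt=none authorization URL and remember the state for the callback."""
    state = secrets.token_urlsafe(32)
    session["sso_check_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": CALLBACK_URI,
        "prompt": "none",  # never show a login page; Keycloak answers with code or error
        "state": state,
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def handle_callback(query_string, session):
    """Classify Keycloak's answer: ('login', url), ('anonymous', None) or ('invalid', None)."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    expected = session.pop("sso_check_state", None)  # one-shot: a state is valid only once
    if expected is None or not secrets.compare_digest(q.get("state", ""), expected):
        return ("invalid", None)
    if "code" in q:
        # An SSO session exists. The code is deliberately not redeemed here (that would
        # need the client secret); send the user to the secured URL so the confidential
        # client runs its own authorization-code login, which Keycloak completes silently.
        return ("login", SECURED_URL)
    # error=login_required (or similar): no SSO session. Flag it so the filter won't loop.
    session["sso_check_done"] = True
    return ("anonymous", None)
```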
  </body>
</html>