<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 28/06/16 00:20, Tomás García wrote:<br>
    </div>
    <blockquote
      cite="mid:30d2a697-e2a4-cc71-dfac-d8309599f16d@intrahouse.com"
      type="cite">
      <div class="moz-cite-prefix">On 06/27/2016 01:07 PM, Marek Posolda
        wrote:<br>
      </div>
      <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
        <div class="moz-cite-prefix">I think your possibilities are
          either:<br>
          - Use different client for keycloak.js (public client) and
          different client for your confidential servlet application<br>
        </div>
      </blockquote>
      <br>
      I thought about it, but the moment I considered what the point of
      having the confidential client is if the public one is needed, I
      discarded that option. Since the autologin affects the same
      website, there's no point in having two clients attacking the
      same resource. The public client is the weakest link of the chain,
      so having a secret key doesn't add anything to security; only for
      accountability, maybe.<br>
      <br>
      <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
        <div class="moz-cite-prefix"> - Don't use keycloak.js at all,
          but instead use an HTTP filter to deal with "autologin". You
          will manually try to redirect to Keycloak with "prompt=none".
          If the user is not logged in, Keycloak will redirect back to
          the callback redirect_uri, where you check whether there is a
          "code" or an "error" parameter and, based on that, you know
          whether the user is logged in or not. If the user is logged
          in, you can redirect to the secured URL to properly trigger
          the authentication process (maybe you can optimize this step
          by reusing the "code", which you already have, and directly
          opening the secured URI with it, but I am not 100% sure if it
          works, considering that you also need the correct "state"
          etc.). Otherwise, you can set some state or something to
          recognize that autologin has already been tried
          unsuccessfully.<br>
        </div>
      </blockquote>
      <br>
      Oh well, it's a website made in PHP, not a servlet, but the same
      idea can be applied. But I had to discard that option too due to
      technical reasons: I'm not exactly in control of the whole
      website, since I'm adding the autologin to a project I didn't work
      on in the past, which isn't as well engineered for extensibility
      as Keycloak :).<br>
    </blockquote>
    If you don't have control over the web-app, then I am not seeing
    many other possibilities than using some other "helper" client.
    It doesn't matter if it's public or not. The only purpose of the
    helper client will be to check "prompt=none" and then either
    redirect to the secured URI of the real client (if logged in) or the
    public URI of the real client (if not logged in). <br>
    <br>
    Sorry, no better ideas atm :/<br>
    <br>
    Marek<br>
    <blockquote
      cite="mid:30d2a697-e2a4-cc71-dfac-d8309599f16d@intrahouse.com"
      type="cite">
      <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
        <div class="moz-cite-prefix"> <br>
          Maybe you can create a JIRA to request support for "autologin"
          for other types of clients than public keycloak.js clients.<br>
        </div>
      </blockquote>
      <br>
      Thanks, Marek. I'll think about it. It's very likely that I'll
      open a JIRA issue to discuss this further.<br>
      <br>
      <blockquote cite="mid:57711701.6020207@redhat.com" type="cite">
        <div class="moz-cite-prefix"> <br>
          Marek<br>
          <br>
          On 25/06/16 11:44, Tomás García wrote:<br>
        </div>
        <blockquote
          cite="mid:77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com"
          type="cite">
          <p>Hi,</p>
          <p> I wonder if it's possible to just check the SSO state with
            a confidential client. My use case is the following one:</p>
          <p>- I have a website which uses a confidential client to
            login with Keycloak.</p>
          <p>- I want to add autologin to this website.</p>
          <p>- So I use the javascript adapter with the following option
            object for the init method: { onLoad: 'check-sso' }. The
            javascript adapter is built without the secret key in its
            constructor (obviously if I put the secret key in there,
            there's no point to use a confidential client at all).<br>
          </p>
          <p>But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR,
            error=invalid_client_credentials" error.<br>
          </p>
          <p>So I don't know how feasible or secure it is to just check
            that the Keycloak session inside the cookie of the user's
            browser is still valid. In my case, the browser doesn't need
            to get the user info, access token, etc., because what I'll
            do is redirect the user to the Keycloak login page with the
            confidential client afterwards if the operation is
            successful. Since the Keycloak session is valid, Keycloak
            should redirect back with the authentication code without
            asking the user for credentials.<br>
          </p>
          <p>Additional note: the CORS header isn't added to 400
            responses in Keycloak, so it was a bit confusing looking at
            the JS console in the browser, because it complained about
            CORS but it was just Keycloak giving the 400 response
            without the allow-origin header.<br>
          </p>
          Thanks.<br>
          <br>
          <div class="moz-signature">-- <br>
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <p style="margin:0cm 0cm
                            0.0001pt;color:rgb(0,0,0);font-family:'Times
                            New Roman',serif;font-size:12pt"><b><span
                                style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(94,94,94)"
                                lang="EN-US">Tomás García Pérez<br>
                              </span></b></p>
                          <p style="margin:0cm 0cm 0.0001pt"><font
                              color="#5e5e5e" face="Arial, sans-serif"><span
                                style="font-size:12px"><b>Software
                                  Developer</b></span></font></p>
                          <p style="margin:0cm 0cm
                            0.0001pt;font-family:'Times New
                            Roman',serif;font-size:12pt"><b
                              style="color:rgb(0,0,0)"><span
style="font-size:13.5pt;font-family:Arial,sans-serif;color:rgb(42,128,172)"
                                lang="EN-US">Intra</span></b><b
                              style="color:rgb(0,0,0)"><span
style="font-size:13.5pt;font-family:Arial,sans-serif;color:rgb(121,121,121)"
                                lang="EN-US">House</span></b><b
                              style="color:rgb(0,0,0)"><span
                                style="font-size:13.5pt;font-family:Arial,sans-serif"
                                lang="EN-US"></span></b></p>
                          <br>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <pre wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
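    The helper-client check described in this thread (a "prompt=none" redirect, then a redirect to the secured or the public URI of the real client), as an added Python example that is not code from the thread or from Keycloak. The endpoint, client id and URIs are constructed placeholders, and <code>session</code> stands for the site's per-browser session store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (assumptions, not values from the thread).
AUTH_ENDPOINT = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth"
HELPER_CLIENT_ID = "autologin-helper"              # hypothetical helper client
HELPER_CALLBACK = "https://www.example.test/sso-check"
SECURED_URI = "https://www.example.test/account"   # guarded by the real client
PUBLIC_URI = "https://www.example.test/"


def start_check(session):
    """Return the silent-check URL, or None if this session already tried."""
    if session.get("sso_checked"):
        return None  # one attempt per site session, so no redirect loop
    session["sso_checked"] = True
    session["sso_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": HELPER_CLIENT_ID,
        "redirect_uri": HELPER_CALLBACK,
        "response_type": "code",
        "scope": "openid",
        "prompt": "none",  # never show a login page; answer with code or error
        "state": session["sso_state"],
    })
    return f"{AUTH_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Pick the redirect target once Keycloak has sent the browser back."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("sso_state", None)  # single use
    received = params.get("state", [""])[0]
    # Ignore callbacks that do not belong to a check this session started.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return PUBLIC_URI
    if "code" in params:
        # The helper does not redeem the code. The secured URI starts the
        # real client's own login, which the existing SSO session completes.
        return SECURED_URI
    # "error" present (e.g. login_required): no SSO session, stay public.
    return PUBLIC_URI
```

    The helper only learns whether an SSO session exists; tokens are still issued solely to the confidential client when the browser reaches the secured URI.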
  </body>
</html>