<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Not sure why prompt=none doesn't work
      as expected... <br>
      <br>
      Are you manually opening this URL? Maybe it will help if you
      url-encode the value of redirect_uri parameter (in your example
      it's not encoded).<br>
      <br>
      Marek<br>
      <br>
      On 27/06/16 15:38, LEONARDO NUNES wrote:<br>
    </div>
    <blockquote cite="mid:D396AF65.2A7A4%25leo.nunes@ojc.com.br"
      type="cite">
      <div>
        <div>Marek, I tried to manually call keycloak login url with
          prompt=none but it didn't redirect back to my redirect_uri,
          instead it stayed at the login page.</div>
        <div>Below is an example of the login url I'm calling.</div>
        <div><br>
        </div>
        <div><a class="moz-txt-link-freetext" href="http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&amp;response_mode=fragment&amp;response_type=code&amp;client_id=app-web&amp;">http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&amp;response_mode=fragment&amp;response_type=code&amp;client_id=app-web&amp;</a><b>prompt=none</b></div>
        <div><br>
        </div>
        <div>I need a URL to call to know if the user is logged in or
          not without being redirected to the login page.</div>
        <div>I need this because KeycloakSecurityContext is not
          available at not restricted URLs.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>
          <div>
            <div>-- </div>
            <div>Leonardo Nunes</div>
          </div>
        </div>
      </div>
      <div><br>
      </div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:11pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span>Marek Posolda
          &lt;<a moz-do-not-send="true"
            href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br>
          <span style="font-weight:bold">Date: </span>Monday, 27 June
          2016 09:07<br>
          <span style="font-weight:bold">To: </span>Tomás García &lt;<a
            moz-do-not-send="true" href="mailto:tomas@intrahouse.com">tomas@intrahouse.com</a>&gt;,
          "<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
          &lt;<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
          <span style="font-weight:bold">Subject: </span>Re:
          [keycloak-user] Question about the javascript-adapter and the
          check-sso option with a confidential client<br>
        </div>
        <div><br>
        </div>
        <div>
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="moz-cite-prefix">I think your possibilities are
              either:<br>
              - Use different client for keycloak.js (public client) and
              different client for your confidential servlet application<br>
              - Don't use keycloak.js at all, but instead do some HTTP
              Filter to deal with "autologin". You will manually try to
              redirect to keycloak with "prompt=none". If user is not
              logged, keycloak will redirect back to the callback
              redirect_uri, where you recognize if there is "code" or
              "error" parameter and based on that, you know if user is
              logged or not. If user is logged, you can redirect to
              secured URL to properly trigger authentication process
              (maybe you can optimize this step by reusing the "code",
              which you already have and directly open the secured URI
              with it, but I am not 100% sure if it works
              considering that you also need correct "state" etc.)
              Otherwise, you can set some state or something, to
              recognize that autologin has been already unsuccessfully
              tried.<br>
              <br>
              Maybe you can create JIRA to request support for "autologin"
              for other types of clients than public keycloak.js
              clients.<br>
              <br>
              Marek<br>
              <br>
              On 25/06/16 11:44, Tomás García wrote:<br>
            </div>
            <blockquote
              cite="mid:77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com"
              type="cite">
              <p>Hi,</p>
              <p> I wonder if it's possible to just check the SSO state
                with a confidential client. My use case is the following
                one:</p>
              <p>- I have a website which uses a confidential client to
                login with Keycloak.</p>
              <p>- I want to add autologin to this website.</p>
              <p>- So I use the javascript adapter with the following
                option object for the init method: { onLoad: 'check-sso'
                }. The javascript adapter is built without the secret
                key in its constructor (obviously if I put the secret
                key in there, there's no point to use a confidential
                client at all).<br>
              </p>
              <p>But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR,
                error=invalid_client_credentials" error.<br>
              </p>
              <p>So I don't know how feasible or secure it is to just check
                that the Keycloak session inside the cookie of the
                user's browser is still valid. In my case, the browser
                doesn't need to get the user info, access token, etc,
                because what I'll do is redirect the user to the
                Keycloak login page with the confidential client
                afterwards if the operation is successful. Since the
                Keycloak session is valid, Keycloak should redirect back
                with the authentication code without asking credentials
                to the user.<br>
              </p>
              <p>Additional note: the CORS header isn't added to 400
                responses in Keycloak, so it was a bit confusing looking
                at the JS console in the browser, because it complained
                about CORS but it was just Keycloak giving the 400
                response without the allow-origin header.<br>
              </p>
              Thanks.<br>
              <br>
              <div class="moz-signature">-- <br>
                Tomás García Pérez<br>
                Software Developer<br>
                IntraHouse</div>
              <br>
            </blockquote>
            <br>
          </div>
        </div>
      </span>
    </blockquote>
    <br>
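    <p>The "prompt=none" check discussed in this thread, as an added
      example that is not part of the original messages or of Keycloak's
      own code: it builds the authorization URL with a percent-encoded
      redirect_uri and classifies the callback by its "code" or "error"
      parameter after verifying "state". The host names and client_id are
      the ones quoted in the thread; the function names, the state
      handling and the use of the default query response mode are
      assumptions.</p>
<pre>
```javascript
// Added example. Endpoint and redirect URI are the values quoted in the thread.
const AUTH_ENDPOINT =
  "http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth";
const REDIRECT_URI = "http://my-application.com.br/app-web/";

// Build the silent SSO check URL. URLSearchParams percent-encodes every
// value, so redirect_uri cannot be misread as extra query parameters.
// response_mode is left at the default (query): a server-side filter never
// sees a URL fragment, because browsers do not send it.
// `state` must be an unguessable per-request value kept in the user's session.
function buildSilentCheckUrl(clientId, redirectUri, state) {
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: "openid",
    prompt: "none",
    state: state,
  }).toString();
  return url.toString();
}

// Classify the request that arrives back on redirect_uri.
// A callback whose state does not match the session value is rejected before
// "code" or "error" is looked at, so a forged callback cannot steer the filter.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get("state") !== expectedState) {
    return { status: "rejected", reason: "state_mismatch" };
  }
  if (params.has("error")) {
    const error = params.get("error");
    // OpenID Connect error codes returned when prompt=none cannot be honoured.
    const noSession = ["login_required", "interaction_required"].includes(error);
    return { status: noSession ? "not_logged_in" : "failed", reason: error };
  }
  if (params.get("code")) {
    return { status: "logged_in", reason: "code" };
  }
  return { status: "rejected", reason: "no_code_or_error" };
}

// Constructed sample run: the state value here is a fixed placeholder.
const sampleUrl = buildSilentCheckUrl("app-web", REDIRECT_URI, "constructed-state");
console.log(sampleUrl);
console.log(classifyCallback(REDIRECT_URI + "?error=login_required" +
  "\u0026state=constructed-state", "constructed-state"));
```
</pre>
    <p>On "not_logged_in" the filter should record in the session that
      the silent check was already tried, so the same request is not
      redirected again.</p>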
  </body>
</html>