<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 28/06/16 15:35, LEONARDO NUNES
wrote:<br>
</div>
<blockquote cite="mid:D3980182.2A93A%25leo.nunes@ojc.com.br"
type="cite">
<div>
<div>Marek, after I encoded the redirect_uri parameter it
worked.</div>
<div><br>
</div>
<div>When I try to access a restricted page and I'm not logged
in I saw that an AuthChallenge with a redirect uri is
returned.</div>
<div>Is there a way to configure prompt=none to be added to this
redirect uri?</div>
</div>
</blockquote>
I don't think it's possible ATM. <br>
<br>
What we can possibly do is add the "prompt" parameter to the list of
parameters which adapters are able to attach to the
authorizationEndpoint sent to Keycloak (this is done in
OAuthRequestAuthenticator.getRedirectUri). Then a request to Keycloak
with "prompt=none" will be sent and, if you are not logged in, Keycloak
will redirect back with status 400 and some "error" parameter. You
will be able to configure the error page in your web.xml, where you
will be able to deal with the error and do what you want (for
example, redirect to your anonymous page).<br>
<br>
Could you please create a JIRA for adding "prompt" to the parameters?<br>
<br>
Marek<br>
<blockquote cite="mid:D3980182.2A93A%25leo.nunes@ojc.com.br"
type="cite">
<div>
<div><br>
</div>
<div>In my case I wouldn't like to be automatically redirected
to the login page when I'm not logged in.</div>
<div>Instead I would like to be redirected back to my page when
the user is not logged in.</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>
<div>-- </div>
<div>Leonardo Nunes</div>
</div>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Marek Posolda
<<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, 28 June 2016 03:00<br>
<span style="font-weight:bold">To: </span>Leonardo Nunes <<a
moz-do-not-send="true"
href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>>,
Tomás García <<a moz-do-not-send="true"
href="mailto:tomas@intrahouse.com">tomas@intrahouse.com</a>>,
"<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[keycloak-user] Question about the javascript-adapter and the
check-sso option with a confidential client<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Not sure why prompt=none
doesn't work as expected...
<br>
<br>
Are you manually opening this URL? Maybe it will help if
you url-encode the value of redirect_uri parameter (in
your example it's not encoded).<br>
<br>
Marek<br>
<br>
On 27/06/16 15:38, LEONARDO NUNES wrote:<br>
</div>
<blockquote cite="mid:D396AF65.2A7A4%25leo.nunes@ojc.com.br"
type="cite">
<div>
<div>Marek, I tried to manually call keycloak login url
with prompt=none but it didn't redirect back to my
redirect_uri, instead it stayed at the login page.</div>
<div>Below is an example of the login url I'm calling.</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&">http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&</a><b>prompt=none</b></div>
<div><br>
</div>
<div>I need a URL to call to know if the user is logged
in or not without being redirected to the login page.</div>
<div>I need this because KeycloakSecurityContext is not
available at not restricted URLs.</div>
<div><br>
</div>
<div><br>
</div>
<div>
<div>
<div>-- </div>
<div>Leonardo Nunes</div>
</div>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium
none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
#b5c4df 1pt solid; BORDER-RIGHT: medium none;
PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Marek
Posolda <<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Monday, 27 June 2016 09:07<br>
<span style="font-weight:bold">To: </span>Tomás
García <<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:tomas@intrahouse.com">tomas@intrahouse.com</a>>,
"<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
<<a moz-do-not-send="true"
href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[keycloak-user] Question about the javascript-adapter
and the check-sso option with a confidential client<br>
</div>
<div><br>
</div>
<div>
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I think your
possibilities are either:<br>
- Use a different client for keycloak.js (public
client) and a different client for your confidential
servlet application<br>
- Don't use keycloak.js at all, but instead do
some HTTP Filter to deal with "autologin". You
will manually try to redirect to Keycloak with
"prompt=none". If the user is not logged in, Keycloak
will redirect back to the callback redirect_uri,
where you recognize whether there is a "code" or "error"
parameter and, based on that, you know if the user is
logged in or not. If the user is logged in, you can redirect
to the secured URL to properly trigger the authentication
process (maybe you can optimize this step by reusing
the "code", which you already have, and directly
open the secured URI with it, but I am not 100%
sure if it works, considering that you also
need the correct "state" etc.). Otherwise, you can set
some state or something to recognize that
autologin has already been unsuccessfully tried.<br>
<br>
Maybe you can create a JIRA to request "autologin"
support for other types of clients than public
keycloak.js clients.<br>
<br>
Marek<br>
<br>
On 25/06/16 11:44, Tomás García wrote:<br>
</div>
<blockquote
cite="mid:77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com"
type="cite">
<p>Hi,</p>
<p> I wonder if it's possible to just check the
SSO state with a confidential client. My use
case is the following one:</p>
<p>- I have a website which uses a confidential
client to login with Keycloak.</p>
<p>- I want to add autologin to this website.</p>
<p>- So I use the javascript adapter with the
following option object for the init method: {
onLoad: 'check-sso' }. The javascript adapter is
built without the secret key in its constructor
(obviously if I put the secret key in there,
there's no point to use a confidential client at
all).<br>
</p>
<p>But Keycloak fails with a
"type=CODE_TO_TOKEN_ERROR,
error=invalid_client_credentials" error.<br>
</p>
<p>So I don't know how feasible or secure it is to
just check that the Keycloak session inside the
cookie of the user's browser is still valid. In
my case, the browser doesn't need to get the
user info, access token, etc., because what I'll
do is redirect the user to the Keycloak login
page with the confidential client afterwards if
the operation is successful. Since the Keycloak
session is valid, Keycloak should redirect back
with the authentication code without asking
the user for credentials.<br>
</p>
<p>Additional note: the CORS header isn't added to
400 responses in Keycloak, so it was a bit
confusing looking at the JS console in the
browser, because it complained about CORS but it
was just Keycloak giving the 400 response
without the allow-origin header.<br>
</p>
Thanks.<br>
<br>
<div class="moz-signature">-- <br>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<p style="margin:0cm 0cm
0.0001pt;color:rgb(0,0,0);font-family:'Times
New Roman',serif;font-size:12pt">
<b><span style="font-size: 11pt;
font-family: Arial,
sans-serif; color: rgb(94,
94, 94); " lang="EN-US">Tomás
García Pérez<br>
</span></b></p>
<p style="margin:0cm 0cm 0.0001pt"><font
color="#5e5e5e"
face="Arial,sans-serif"><span
style="font-size:12px"><b>Software
Developer</b></span></font></p>
<p style="margin:0cm 0cm
0.0001pt;font-family:'Times New
Roman',serif;font-size:12pt">
<b style="color:rgb(0,0,0)"><span
style="font-size: 13.5pt;
font-family: Arial,
sans-serif; color: rgb(42,
128, 172); " lang="EN-US">Intra</span></b><b
style="color:rgb(0,0,0)"><span
style="font-size: 13.5pt;
font-family: Arial,
sans-serif; color: rgb(121,
121, 121); " lang="EN-US">House</span></b><b
style="color:rgb(0,0,0)"><span
style="font-size: 13.5pt;
font-family: Arial,
sans-serif; " lang="EN-US"></span></b></p>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</span></blockquote>
<br>
</div>
</div>
</span>
</blockquote>
<br>
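<div>The HTTP filter approach described in the thread (redirect with "prompt=none", look for "code" or "error" on the callback, and remember a failed attempt), as an added example that is not part of the original messages and is not Keycloak adapter code. The function names and session fields are hypothetical, the endpoint, client id and redirect URI are the sample values from the thread, and the four error codes are the ones OpenID Connect Core defines for prompt=none.</div>

```javascript
// Added example; names are hypothetical, URLs are the sample values from the thread.
const AUTH_ENDPOINT =
  'http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth';

// Errors OpenID Connect Core defines for a prompt=none request that cannot
// complete without showing UI: the user has no usable SSO session.
const NO_SESSION_ERRORS = new Set([
  'login_required', 'interaction_required',
  'consent_required', 'account_selection_required',
]);

// Build the silent check request. searchParams percent-encodes redirect_uri,
// the step that made prompt=none work in the thread. `state` must be a fresh
// random value kept in the server-side session.
function buildSilentCheckUrl(clientId, redirectUri, state) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('prompt', 'none');
  url.searchParams.set('state', state);
  return url.toString();
}

// Decide what the filter does with a request to the callback page.
// `session` is the server-side session object: { ssoState, ssoTried }.
function handleRequest(requestUrl, session, clientId, redirectUri, newState) {
  const params = new URL(requestUrl).searchParams;
  const isCallback = params.has('code') || params.has('error');
  if (!isCallback) {
    if (session.ssoTried) return { action: 'anonymous' }; // tried already, do not loop
    session.ssoTried = true;
    session.ssoState = newState;
    return { action: 'redirect', to: buildSilentCheckUrl(clientId, redirectUri, newState) };
  }
  // Callback: state must match the value we issued, and is single use.
  const expected = session.ssoState;
  session.ssoState = null;
  if (!expected || params.get('state') !== expected) return { action: 'reject' };
  // A code means an SSO session exists: send the user to a secured URL so the
  // adapter runs its normal login flow.
  if (params.has('code')) return { action: 'login' };
  return NO_SESSION_ERRORS.has(params.get('error'))
    ? { action: 'anonymous' }
    : { action: 'reject' };
}
```

<div>The request deliberately omits response_mode=fragment from the sample URL, because a fragment never reaches a server-side filter.</div>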
</body>
</html>