<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 28/06/16 15:35, LEONARDO NUNES
      wrote:<br>
    </div>
    <blockquote cite="mid:D3980182.2A93A%25leo.nunes@ojc.com.br"
      type="cite">
      <div>
        <div>Marek, after I encoded the redirect_uri parameter it
          worked.</div>
        <div><br>
        </div>
        <div>When I try to access a restricted page and I'm not logged
          in I saw that an AuthChallenge with a redirect uri is
          returned.</div>
        <div>Is there a way to configure prompt=none to be added to this
          redirect uri?</div>
      </div>
    </blockquote>
    I don't think it's possible ATM. <br>
    <br>
    What we can possibly do is add the "prompt" parameter to the list of
    parameters which adapters are able to attach to the
    authorizationEndpoint sent to Keycloak (this is done in
    OAuthRequestAuthenticator.getRedirectUri). Then the request to Keycloak
    with "prompt=none" will be sent and if you are not logged in, Keycloak
    will redirect back with status 400 and some "error" parameter. You
    will be able to configure the error page in your web.xml where you
    will be able to deal with the error and do what you want (for
    example, redirect to your anonymous page).<br>
    <br>
    Could you please create a JIRA for adding "prompt" to the parameters?<br>
    <br>
    Marek<br>
    <blockquote cite="mid:D3980182.2A93A%25leo.nunes@ojc.com.br"
      type="cite">
      <div>
        <div><br>
        </div>
        <div>In my case I wouldn't like to be automatically redirected
          to the login page when I'm not logged in.</div>
        <div>Instead I would like to be redirected back to my page when
          the user is not logged in.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>
          <div>
            <div>-- </div>
            <div>Leonardo Nunes</div>
          </div>
        </div>
      </div>
      <div><br>
      </div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:11pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span>Marek Posolda
          &lt;<a moz-do-not-send="true"
            href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br>
          <span style="font-weight:bold">Date: </span>Tuesday, 28
          June 2016 03:00<br>
          <span style="font-weight:bold">To: </span>Leonardo Nunes &lt;<a
            moz-do-not-send="true"
            href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;,
          Tomás García &lt;<a moz-do-not-send="true"
            href="mailto:tomas@intrahouse.com">tomas@intrahouse.com</a>&gt;,
          "<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
          &lt;<a moz-do-not-send="true"
            href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
          <span style="font-weight:bold">Subject: </span>Re:
          [keycloak-user] Question about the javascript-adapter and the
          check-sso option with a confidential client<br>
        </div>
        <div><br>
        </div>
        <div>
          <div bgcolor="#FFFFFF" text="#000000">
            <div class="moz-cite-prefix">Not sure why prompt=none
              doesn't work as expected...
              <br>
              <br>
              Are you manually opening this URL? Maybe it will help if
              you url-encode the value of redirect_uri parameter (in
              your example it's not encoded).<br>
              <br>
              Marek<br>
              <br>
              On 27/06/16 15:38, LEONARDO NUNES wrote:<br>
            </div>
            <blockquote cite="mid:D396AF65.2A7A4%25leo.nunes@ojc.com.br"
              type="cite">
              <div>
                <div>Marek, I tried to manually call the Keycloak login URL
                  with prompt=none but it didn't redirect back to my
                  redirect_uri, instead it stayed at the login page.</div>
                <div>Below is an example of the login URL I'm calling.</div>
                <div><br>
                </div>
                <div><a moz-do-not-send="true"
                    class="moz-txt-link-freetext"
href="http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&amp;response_mode=fragment&amp;response_type=code&amp;client_id=app-web&amp;">http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&amp;response_mode=fragment&amp;response_type=code&amp;client_id=app-web&amp;</a><b>prompt=none</b></div>
                <div><br>
                </div>
                <div>I need a URL to call to know if the user is logged
                  in or not without being redirected to the login page.</div>
                <div>I need this because KeycloakSecurityContext is not
                  available at not restricted URLs.</div>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>
                  <div>
                    <div>-- </div>
                    <div>Leonardo Nunes</div>
                  </div>
                </div>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
              <span id="OLK_SRC_BODY_SECTION">
                <div style="font-family:Calibri; font-size:11pt;
                  text-align:left; color:black; BORDER-BOTTOM: medium
                  none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
                  PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
                  #b5c4df 1pt solid; BORDER-RIGHT: medium none;
                  PADDING-TOP: 3pt">
                  <span style="font-weight:bold">From: </span>Marek
                  Posolda &lt;<a moz-do-not-send="true"
                    href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br>
                  <span style="font-weight:bold">Date: </span>Monday,
                  27 June 2016 09:07<br>
                  <span style="font-weight:bold">To: </span>Tomás
                  García &lt;<a moz-do-not-send="true"
                    class="moz-txt-link-abbreviated"
                    href="mailto:tomas@intrahouse.com">tomas@intrahouse.com</a>&gt;,
                  "<a moz-do-not-send="true"
                    href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>"
                  &lt;<a moz-do-not-send="true"
                    href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
                  <span style="font-weight:bold">Subject: </span>Re:
                  [keycloak-user] Question about the javascript-adapter
                  and the check-sso option with a confidential client<br>
                </div>
                <div><br>
                </div>
                <div>
                  <div bgcolor="#FFFFFF" text="#000000">
                    <div class="moz-cite-prefix">I think your
                      possibilities are either:<br>
                      - Use a different client for keycloak.js (public
                      client) and a different client for your confidential
                      servlet application<br>
                      - Don't use keycloak.js at all, but instead do
                      some HTTP Filter to deal with "autologin". You
                      will manually try to redirect to Keycloak with
                      "prompt=none". If the user is not logged in, Keycloak
                      will redirect back to the callback redirect_uri,
                      where you recognize if there is a "code" or "error"
                      parameter and based on that, you know if the user is
                      logged in or not. If the user is logged in, you can
                      redirect to the secured URL to properly trigger the
                      authentication process (maybe you can optimize this
                      step by reusing the "code", which you already have,
                      and directly opening the secured URI with it, but I
                      am not 100% sure if it works, considering that you
                      also need the correct "state" etc.) Otherwise, you can
                      set some state or something, to recognize that
                      autologin has already been unsuccessfully tried.<br>
                      <br>
                      Maybe you can create a JIRA to request "autologin"
                      support for other types of clients than public
                      keycloak.js clients.<br>
                      <br>
                      Marek<br>
                      <br>
                      On 25/06/16 11:44, Tomás García wrote:<br>
                    </div>
                    <blockquote
                      cite="mid:77146ca6-9427-6b00-ba02-bf37daca0685@intrahouse.com"
                      type="cite">
                      <p>Hi,</p>
                      <p> I wonder if it's possible to just check the
                        SSO state with a confidential client. My use
                        case is the following one:</p>
                      <p>- I have a website which uses a confidential
                        client to login with Keycloak.</p>
                      <p>- I want to add autologin to this website.</p>
                      <p>- So I use the javascript adapter with the
                        following option object for the init method: {
                        onLoad: 'check-sso' }. The javascript adapter is
                        built without the secret key in its constructor
                        (obviously if I put the secret key in there,
                        there's no point to use a confidential client at
                        all).<br>
                      </p>
                      <p>But Keycloak fails with a
                        "type=CODE_TO_TOKEN_ERROR,
                        error=invalid_client_credentials" error.<br>
                      </p>
                      <p>So I don't know how feasible or secure it is to
                        just check that the Keycloak session inside the
                        cookie of the user's browser is still valid. In
                        my case, the browser doesn't need to get the
                        user info, access token, etc., because what I'll
                        do is redirect the user to the Keycloak login
                        page with the confidential client afterwards if
                        the operation is successful. Since the Keycloak
                        session is valid, Keycloak should redirect back
                        with the authentication code without asking
                        the user for credentials.<br>
                      </p>
                      <p>Additional note: the CORS header isn't added to
                        400 responses in Keycloak, so it was a bit
                        confusing looking at the JS console in the
                        browser, because it complained about CORS but it
                        was just Keycloak giving the 400 response
                        without the allow-origin header.<br>
                      </p>
                      Thanks.<br>
                      <br>
                      <div class="moz-signature">-- <br>
                        <b>Tomás García Pérez</b><br>
                        <b>Software Developer</b><br>
                        <b>IntraHouse</b><br>
                      </div>
                      <br>
                      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </span></blockquote>
            <br>
          </div>
        </div>
      </span>
    </blockquote>
    <br>
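    <div>The manual "prompt=none" check discussed in this thread, as an
      added example that is not part of the original messages and is not
      Keycloak adapter code. It uses the sample endpoint, client id and
      redirect URI quoted above; the function names, the session object
      and the login_required error value (the OpenID Connect error code
      for a failed silent check) are assumptions.</div>
    <pre>
```javascript
// Added example (not Keycloak adapter code). Function names and the session
// object are hypothetical; the endpoint is the sample URL quoted in the thread.
const { randomBytes } = require('node:crypto');

const AUTH_ENDPOINT =
  'http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth';

// Build the silent authorization request. URLSearchParams percent-encodes each
// value, so redirect_uri cannot leak its own ":", "/" or "?" into the outer query
// (the unencoded redirect_uri was the cause of the failure reported in the thread).
function buildSilentAuthUrl(clientId, redirectUri) {
  const state = randomBytes(16).toString('hex'); // ties the callback to this request
  const query = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    prompt: 'none',
    state,
  });
  return { url: AUTH_ENDPOINT + '?' + query.toString(), state };
}

// Classify the redirect back from Keycloak: "code" means an SSO session exists,
// "error" means the silent check failed and the visitor stays anonymous.
function classifyCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  if (!expectedState || q.get('state') !== expectedState) {
    return { status: 'rejected', reason: 'state mismatch' };
  }
  if (q.has('error')) return { status: 'anonymous', error: q.get('error') };
  if (q.has('code')) return { status: 'logged-in' };
  return { status: 'rejected', reason: 'no code or error' };
}

// Per-request decision for the filter: probe once, and remember a failed probe
// so anonymous visitors are not bounced through Keycloak on every page.
function filterDecision(session, clientId, redirectUri) {
  if (session.user || session.silentCheckFailed) return { action: 'continue' };
  const probe = buildSilentAuthUrl(clientId, redirectUri);
  session.pendingState = probe.state;
  return { action: 'redirect', location: probe.url };
}

// Callback handler: the stored state is single use, whatever the outcome.
function handleCallback(session, callbackUrl) {
  const result = classifyCallback(callbackUrl, session.pendingState);
  delete session.pendingState;
  if (result.status === 'anonymous') session.silentCheckFailed = true;
  return result;
}
```
    </pre>
    <div>On a "logged-in" result the filter redirects to the secured URL
      so that the adapter runs the normal authentication flow, as
      suggested in the thread.</div>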
  </body>
</html>