[overlord-issues] [JBoss JIRA] (ARTIF-748) Web UI: Refresh to /login when Keycloak token expires

Brett Meyer (JIRA) issues at jboss.org
Mon Jul 13 14:57:03 EDT 2015 

    [ https://issues.jboss.org/browse/ARTIF-748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13089021#comment-13089021 ] 

Brett Meyer commented on ARTIF-748:
-----------------------------------

Thanks [~eric.wittmann].

[~csa], any thoughts on that?  See my comment on KEYCLOAK-1539.  Essentially, a call to JSON REST using Errai's Caller may be unauthorized.  But instead of returning a 401 (or anything helpful), KeyCloak returns a login page's HTML.  GWT's JSON marshallers, of course, fall over themselves.  However, I was a little surprised that the error didn't hit the Caller's ErrorHandler *at all*.  Should it?  I'll need to play with it again to come up with a stacktrace.  But regardless, if a GWT marshaller throws an exception on a REST call, could that bubble up to the ErrorHandler somehow?  Or, is there a way to deal with this with some sort of Interceptor, like Eric suggested?

> Web UI: Refresh to /login when Keycloak token expires
> -----------------------------------------------------
>
>                 Key: ARTIF-748
>                 URL: https://issues.jboss.org/browse/ARTIF-748
>             Project: Artificer
>          Issue Type: Task
>            Reporter: Brett Meyer
>            Assignee: Brett Meyer
>
> If the token expires, the server spits out:
> {code}
> 14:25:07,534 WARN  [org.keycloak.events] (default task-36) type=REFRESH_TOKEN_ERROR, realmId=0c4049da-2746-468e-ab6d-49e51dd1f133, clientId=artificer-ui, userId=null, ipAddress=127.0.0.1, error=invalid_token
> 14:25:07,560 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-37) Refresh token failure status: 400 {"error_description":"Refresh token expired","error":"invalid_grant"}
> {code}
> The next time the browser makes a call to the UI services, Errai reports an uncaught GWT exception.  That call *must* be protected by Keycloak, in order for our Filter to pick up the KeycloakSecurityContext and create the bearer token.  However, the GWT exception shows that the Keycloak *login page* is being served on the call, so Errai's JSON marshaller barfs on the HTML.
> APIMan (Angular UI) checks for a 401 response code and automatically refreshes the browser to combat this.  However, I'm not sure if that's possible in this case.  Our use of Errai's "Caller" pattern isn't kicking in for these errors (completely sidesteps the ErrorHandler), I'm guessing due to it being a lower level issue with the GWT marshaller.
> Idea: Have a pure Javascript loop "ping" the UI services and check the response.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

More information about the overlord-issues mailing list