12:58 a.m.
Hi Marek,
Your proposed patch works perfectly fine.
IE only overwrites the header for the keycloak REST services, the other REST services work
fine.
Thank you for your help.
Michael
Am 03. August 2015 um 13:36 schrieb Marek Posolda <mposolda(a)redhat.com>:
On 29.7.2015 16:37, Michael Gerber wrote:
The ClearAuthenticationCache command deletes the following data:
- Session cookies
- sessionStorage
- HTTP Authentication (e.g. Digest or Basic HTTP credentials)
- HTTPS Client Certificates (e.g. sites that use certificates or SmartCards)
But keycloak needs the session cookie, otherwise the user has to relogin after each page
reload.
Isn't the clientSecret anyway public if it is send in the Authorization header?
Yes, it is for JS clients. That's why it's better to not use clientSecret with
javascript based clients, but instead mark those clients as "public" in keycloak
admin console. In this case keycloak.js will use client_id parameter instead of
Authorization header. Can this work for you?
Thing is, that currently AuthorizeClientUtil will likely automatically send 401 if it
found "Authorization: Negotiate ..." header even if you have public client and
you want to use client_id (I did not test it, but guessing from looking at the code). So
I've created the simple patch to avoid it:
https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454...
So if you do the steps like:
1) make your client as public
2) Apply my patch
will it help?
I am still seeing potential issues if your javascript client needs to send REST requests
authorized by "Authorization: Bearer" header with accessToken. Not sure if IE
doesn't again overwrite the header with "Authorization: Negotiate". In this
case REST request would fail. But hopefully not... If you have opportunity to try it, it
will be cool.
Thanks,
Marek
Am 29. Juli 2015 um 14:27 schrieb Bill Burke <bburke(a)redhat.com>:
The trick you found earlier doesn't work?
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...
Also, what if in keycloak.js if kc.clientSecret is null? Just remove
the client secret IMO. You shouldn't be exposing the client secret as
it is now public to everybody in the world....
On 7/29/2015 8:05 AM, Michael Gerber wrote:
I could find a solution for my IE problem.
IE overwrites the Authorization header in the XMLHttpRequest
(/protocol/openid-connect/token) with "Authorization: Negotiate".
To solve this problem, I added on the client the client_id
and client_secret to the form and changed the authorizeClient method, so
it checks first the form data instead of the authorization http header.
Have a look at my code:
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01...
Should I create a pull request for the changes or do you have a better
solution?
cheers
Michael
Am 22. Juli 2015 um 11:46 schrieb Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>>:
Hi Michael,
No idea if there is other solution, I've never tried SPNEGO with
Internet explorer TBH :(
Could you please create JIRA for this?
Thanks,
Marek
On 22.7.2015 10:07, Michael Gerber wrote:
Hi all
My kerberos configuration works fine with FireFox and Chrome, but it
does not work with IE.
It shows a prompt where the user has to enter a username and password.
I can successfully get an access code, but I can not get an access
token, because IE overwrites the Authorization header in the AJAX
request. (see
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...)
I can fix this by adding
document.execCommand('ClearAuthenticationCache', 'false');
above of
var req = new XMLHttpRequest();
approximately at the line 374 in the keycloack.js file.
Is there another solution for this problem?
cheers
Michael
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:16 a.m.
New subject: Kerberos with IE does not work
Thanks for the confirm!
I've added the patch to keycloak master and will be available in 1.5.
I've also resolved jira https://issues.jboss.org/browse/KEYCLOAK-1595 .
Thanks,
Marek
On 4.8.2015 07:58, Michael Gerber wrote:
Hi Marek,
Your proposed patch works perfectly fine.
IE only overwrites the header for the keycloak REST services, the
other REST services work fine.
Thank you for your help.
Michael
Am 03. August 2015 um 13:36 schrieb Marek Posolda <mposolda(a)redhat.com>:
> On 29.7.2015 16:37, Michael Gerber wrote:
>> The ClearAuthenticationCache command deletes the following data:
>> - Session cookies
>> - sessionStorage
>> - HTTP Authentication (e.g. Digest or Basic HTTP credentials)
>> - HTTPS Client Certificates (e.g. sites that use certificates or
>> SmartCards)
>>
>> But keycloak needs the session cookie, otherwise the user has to
>> relogin after each page reload.
>>
>> Isn't the clientSecret anyway public if it is send in the
>> Authorization header?
> Yes, it is for JS clients. That's why it's better to not use
> clientSecret with javascript based clients, but instead mark those
> clients as "public" in keycloak admin console. In this case
> keycloak.js will use client_id parameter instead of Authorization
> header. Can this work for you?
>
> Thing is, that currently AuthorizeClientUtil will likely
> automatically send 401 if it found "Authorization: Negotiate ..."
> header even if you have public client and you want to use client_id
> (I did not test it, but guessing from looking at the code). So I've
> created the simple patch to avoid it:
> https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454...
>
> So if you do the steps like:
> 1) make your client as public
> 2) Apply my patch
>
> will it help?
>
> I am still seeing potential issues if your javascript client needs to
> send REST requests authorized by "Authorization: Bearer" header with
> accessToken. Not sure if IE doesn't again overwrite the header with
> "Authorization: Negotiate". In this case REST request would fail. But
> hopefully not... If you have opportunity to try it, it will be cool.
>
> Thanks,
> Marek
>
>>
>> Am 29. Juli 2015 um 14:27 schrieb Bill Burke <bburke(a)redhat.com>:
>>
>>> The trick you found earlier doesn't work?
>>>
>>>
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...
>>>
>>> Also, what if in keycloak.js if kc.clientSecret is null? Just remove
>>> the client secret IMO. You shouldn't be exposing the client secret as
>>> it is now public to everybody in the world....
>>>
>>> On 7/29/2015 8:05 AM, Michael Gerber wrote:
>>>> I could find a solution for my IE problem.
>>>>
>>>> IE overwrites the Authorization header in the XMLHttpRequest
>>>> (/protocol/openid-connect/token) with "Authorization:
Negotiate".
>>>>
>>>> To solve this problem, I added on the client the client_id
>>>> and client_secret to the form and changed the authorizeClient
>>>> method, so
>>>> it checks first the form data instead of the authorization http
>>>> header.
>>>>
>>>> Have a look at my code:
>>>>
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01...
>>>>
>>>> Should I create a pull request for the changes or do you have a better
>>>> solution?
>>>>
>>>> cheers
>>>> Michael
>>>>
>>>>
>>>>
>>>> Am 22. Juli 2015 um 11:46 schrieb Marek Posolda
>>>> <mposolda(a)redhat.com <mailto:mposolda@redhat.com>
>>>> <mailto:mposolda@redhat.com>>:
>>>>
>>>>> Hi Michael,
>>>>>
>>>>> No idea if there is other solution, I've never tried SPNEGO with
>>>>> Internet explorer TBH :(
>>>>>
>>>>> Could you please create JIRA for this?
>>>>>
>>>>> Thanks,
>>>>> Marek
>>>>>
>>>>> On 22.7.2015 10:07, Michael Gerber wrote:
>>>>>> Hi all
>>>>>>
>>>>>> My kerberos configuration works fine with FireFox and Chrome, but
it
>>>>>> does not work with IE.
>>>>>> It shows a prompt where the user has to enter a username and
>>>>>> password.
>>>>>>
>>>>>> I can successfully get an access code, but I can not get an
access
>>>>>> token, because IE overwrites the Authorization header in the
AJAX
>>>>>> request. (see
>>>>>>
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...)
>>>>>>
>>>>>> I can fix this by adding
>>>>>> document.execCommand('ClearAuthenticationCache',
'false');
>>>>>> above of
>>>>>> var req = new XMLHttpRequest();
>>>>>> approximately at the line 374 in the keycloack.js file.
>>>>>>
>>>>>> Is there another solution for this problem?
>>>>>>
>>>>>> cheers
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev(a)lists.jboss.org
<mailto:keycloak-dev@lists.jboss.org>
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
3432
days inactive
3432
days old
1 comments
2 participants
participants (2)
-
Marek Posolda -
Michael Gerber