Ok, keycloak.js was not removing the fragment when parsing query params.
Some other information why this was happening *ONLY* for facebook:
Seems that an intermediary (Facebook in this instance) can add a
fragment that then gets propagated when you redirect back, even if the
original URL does not have a fragment!!!!....ugh...This is bollux!
On 3/26/2015 12:24 PM, Leonardo Loch Zanivan wrote:
I had this problem with my Angular app :)
Keycloak returns "redirect_fragment" param with "#_=_"
On Thu, Mar 26, 2015 at 1:07 PM Bill Burke <bburke(a)redhat.com> wrote:
Honestly, your descriptions don't make sense at all...
1. admin console redirects to keycloak with a redirect uri of
/auth/admin/master/console.
2. Keycloak stores this redirect uri as-is, keycloak also stores "state"
param.
3. keycloak redirects to facebook
4. facebook redirects to keycloak callback url
5. keycloak builds a redirect URI back to admin console based on
original stored redirect uri and "state" param and "code".
6. keycloak redirects back to admin console
How could Facebook insert #_=_? Is there some browser/fragment magic
happening?
On 3/26/2015 11:44 AM, Stian Thorgersen wrote:
> No, we can sort it out in Keycloak as Facebook redirects to Keycloak, not the application.
>
> ----- Original Message -----
>> From: "Leonardo Loch Zanivan" <leonardo.zanivan(a)gmail.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "Bill Burke" <bburke(a)redhat.com>, keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 26 March, 2015 4:41:50 PM
>> Subject: Re: [keycloak-dev] can't figure this out
>>
>> I think it would need some tweak in the JavaScript adapter.
>>
>> On Thu, Mar 26, 2015 at 12:25 PM Stian Thorgersen <stian(a)redhat.com> wrote:
>>
>>> Great, so we just need to tweak the Facebook provider to strip that off
>>> before redirecting to the app
>>>
>>> ----- Original Message -----
>>>> From: "Leonardo Loch Zanivan" <leonardo.zanivan(a)gmail.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>, "Bill Burke" <bburke(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Thursday, 26 March, 2015 4:21:49 PM
>>>> Subject: Re: [keycloak-dev] can't figure this out
>>>>
>>>> Oops, you need to remove after keycloak success. Here is an example:
>>>>
>>>> keycloakAuth.init({
>>>>     onLoad: 'login-required'
>>>> }).success(function(authenticated) {
>>>>     // fix facebook oauth
>>>>     if (window.location.hash === '#_=_') {
>>>>         window.location.hash = '';
>>>>     }
>>>> });
>>>>
>>>>
>>>> On Thu, Mar 26, 2015 at 12:19 PM Leonardo Loch Zanivan <leonardo.zanivan(a)gmail.com> wrote:
>>>>
>>>>> Facebook adds "#_=_" at the end of redirect URL for "security reasons", so
>>>>> SPA apps won't work unless you remove it.
>>>>>
>>>>> In Angular apps you should remove it before calling keycloak:
>>>>>
>>>>> if (window.location.hash === '#_=_') {
>>>>>     window.location.hash = '';
>>>>> }
>>>>>
>>>>> On Thu, Mar 26, 2015 at 12:14 PM Stian Thorgersen <stian(a)redhat.com> wrote:
>>>>>
>>>>>> AFAIK Facebook is OAuth2 + custom weird stuff that looks like but isn't
>>>>>> OpenID Connect
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com>
>>>>>>> To: "Bill Burke" <bburke(a)redhat.com>
>>>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>>>> Sent: Thursday, 26 March, 2015 4:11:11 PM
>>>>>>> Subject: Re: [keycloak-dev] can't figure this out
>>>>>>>
>>>>>>> I remember seeing the '#_=_' crap a while ago, I believe that was before
>>>>>>> Pedro started brokering.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>>>> Sent: Thursday, 26 March, 2015 2:54:27 PM
>>>>>>>> Subject: [keycloak-dev] can't figure this out
>>>>>>>>
>>>>>>>> I'm going crazy... I'm testing facebook login with the admin console as
>>>>>>>> the test app.
>>>>>>>>
>>>>>>>> 1. Facebook auth succeeds
>>>>>>>> 2. Redirect back to admin console
>>>>>>>> 3. For some reason admin console doesn't like the redirect URL and does
>>>>>>>> a redirect back to keycloak login with a fragment of #_=_
>>>>>>>> 4. I'm already logged in, so redirect back
>>>>>>>> 5. Success, but the fragment is #_=_
>>>>>>>>
>>>>>>>> Login works for github though...I'm freakin stumped. The initial
>>>>>>>> redirect back to the admin console is the same exact redirect uri for
>>>>>>>> both github and facebook.
>>>>>>>>
>>>>>>>> Has anybody seen this before?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
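
Added example, not part of the original thread and not keycloak.js source: it shows how a query parser that ignores the fragment lets Facebook's `#_=_` leak into the last callback parameter, so a `state` comparison fails, and how cutting the URL at `#` first avoids that. The URL, the parameter values and all function names are constructed for illustration.

```javascript
// Added illustration, not keycloak.js source. The URL below is constructed.
const SAMPLE =
  'https://app.example.test/auth/admin/master/console/?code=abc123&state=s-42#_=_';

// Naive parse: everything after '?' is treated as the query string, so a
// trailing fragment is glued onto the last parameter's value.
function parseQueryNaive(href) {
  const params = {};
  const q = href.indexOf('?');
  if (q === -1) return params;
  for (const pair of href.slice(q + 1).split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value);
  }
  return params;
}

// Fragment-aware parse: cut the URL at the first '#' before reading the query.
function parseCallback(href) {
  const h = href.indexOf('#');
  const base = h === -1 ? href : href.slice(0, h);
  return { base, fragment: h === -1 ? '' : href.slice(h), params: parseQueryNaive(base) };
}

// An OAuth client compares the returned state with the value it stored before
// redirecting; a polluted value fails that comparison.
function stateMatches(params, storedState) {
  return params.state === storedState;
}

// URL to leave in the address bar: OAuth parameters removed, the '#_=_'
// marker dropped, any other fragment (an SPA route, say) preserved.
function cleanUrl(href) {
  const { base, fragment, params } = parseCallback(href);
  const q = base.indexOf('?');
  const path = q === -1 ? base : base.slice(0, q);
  const kept = Object.keys(params)
    .filter((k) => k !== 'code' && k !== 'state')
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]));
  return path + (kept.length ? '?' + kept.join('&') : '') + (fragment === '#_=_' ? '' : fragment);
}
```

With the naive parser the sample yields a `state` of `s-42#_=_`, which no longer equals the stored `s-42`; the fragment-aware parser returns `s-42` and reports `#_=_` separately.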