keycloak.js doesn't support direct grant and we won't add it. You'd have to
invoke that yourself and initialize keycloak.js with the tokens afterwards.
Why do you need to authenticate with both LDAP and Keycloak in the first
place? In either case I'd say a better way would be to use what Marek
suggests as option 2. User can enter username/password in embedded Keycloak
login page instead of popup box. Using the embedded login page has a number
of benefits over direct grant. For example required actions, recover
password support, etc, etc..
On 7 April 2016 at 07:07, Subhrajyoti Moitra <subhrajyotim(a)gmail.com> wrote:
Hello Marek,
What is the value of onLoad during keycloak init() function?
I tried both check-sso and login-required, but it still is showing the kc
login page.
Heres what I did.
Using java code I get a direct access grant tokens. I get response from
this code as something below.
{"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblah
blah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}
Then I am hitting the jsp page.
http://localhost:8080/myapp/index.jsp?tokenJson=
<theabovejsonstring-cut-and-pasted>
In index.jsp I extract the tokenJson param and parse the json to further
extract the accessToken, idToken and refreshToken.
A code snippet in index.jsp, like the below generates the keycloak init
obj.
<%
String iaJsonStr =request.getParameter("tokenJson");//get the token json from
url
String token="",idToken="",refreshToken="";//init the
values
if(!StringUtils.isEmpty(iaJsonStr)){
JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
token=iaJsonObj.getString("access_token");//extract access
refreshToken=iaJsonObj.getString("refresh_token");//extract refresh
idToken=iaJsonObj.getString("id_token");//extract id
}
if(!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) &&
!StringUtils.isEmpty(idToken)){
%>
var kcInitObj={
onLoad:'check-sso',
token:'<%=token%>',
refreshToken:'<%=refreshToken%>',
idToken:'<%=idToken%>'
};
<%
}else{
%>
var kcInitObj={
onLoad:'check-sso'
};
<%
}
%>
.......
.....
<script>
var keycloak = Keycloak('/myapp/keycloak-dev.json');
keycloak.init(kcInitObj).success(function(authenticated) {
if(!authenticated){
keycloak.login();
}else{
//call loadProfile and get the user details.
).error(....)
</script>
This is still redirecting me to the login page. Do I have to do something
in the client setup?
So close,, yet so far... Please help..
Thanks and lot for your attention.
Subhro.
On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra <subhrajyotim(a)gmail.com
> wrote:
> Thanks a million Marek for setting us in the right direction.
>
> "...application is able to access the javascript state from embedded IE"-
> this is not possible currently, hence 1st solution wont work.
>
> We will follow the 2nd way to do this.
>
> So using "direct access grant
>
<
http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
> i get the required JSON token data as mentioned.
> Then I pass this data to the jsp page (embedded in IE), using URL params.
> The JSP page pulls out the required data from the URL params, and then
> inits keycloak.js.
> in keycloak init function i pass the token, idToken and refreshToken
> values.
>
> Hopefully this works, trying it now!
>
> Thanks a lot again for the pointers.
>
> Subhro.
>
> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
>
>> Do you have the "control" under the application? Is it possible to
>> propagate security contexts from application to embedded IE or viceversa?
>>
>> In theory what can work is either:
>> - You will skip step1 and don't popup username/password box. Instead you
>> will just authenticate in step2 inside IE and then propagate the context (
>> token ) to step1. This is possible just if application is able to access
>> the javascript state from embedded IE.
>>
>> - If you can propagate just from desktop to IE, then in step1 you wwill
>> configure your application to send the request for username/password
>> authentication to Keycloak via direct access grant (instead of sending
>> username+password directly to AD/LDAP). Once you receive token from direct
>> access grant, you can use it inside IE in step2 ( keycloak.js has
>> possibility to be initialized with token. You just need to pass the token
>> and refreshToken as arguments to keycloak.init . Then keycloak.js won't
>> redirect you to login screen )
>>
>> Marek
>>
>>
>> On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>
>> Hello Team,
>>
>> I have a standalone windows desktop application, that authenticates
>> against an AD/LDAP server. The application popups a username/password box,
>> and submits it to the LDAP for authentication.
>> The same AD/LDAP server is also synced with a Keycloak installation.
>>
>> The windows application embeds the IE browser control and shows a jsp
>> page.
>> This jsp page is protected using keycloak js adapter. Obviously the user
>> is re-directed to the keycloak login page. So the user has to login twice,
>> once using the application popup and other in the embedded jsp, after
>> getting redirected to the keycloak login page.
>>
>> I dont want to re-prompt the user for relogin, since he has already
>> authenticated against the AD server.
>> Is there a way to not re-prompt the user, when the embedded IE requests
>> the secure JSP?
>>
>> Please help, as we are not able to come up with a solution for the same.
>> Any pointers how we can avoid the 2nd authentication.
>>
>> Thanks,
>> Subhro.
>>
>>
>> _______________________________________________
>> keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user