Hello all, I am new to keycloak and I tryed to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses protect middleware. In case of unauthenticated user, keycloak-connect returns redirect to login page (302 with location header). Problem is that, original request was fetch and 302 causes that, browser will call GET request for keycloak login page. This will not cause full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let browser to handle redirect itself? Or am I doing something wrong? This is related part in my code. const keycloakConfig = { authServerUrl: application.SERVER_URL, clientId: application.CLIENT_ID, realm: application.REALM, public: true }; const keycloak = new Keycloak({ cookies: true }, keycloakConfig); app.use( keycloak.middleware({ logout: '/logout' }) ); // Use routes app.use('/api/v1/', keycloak.protect(), api); Thank you for any help. Radovan _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Sebi, thank you for your prompt answer. I would like to avoid to use keycloak.js, if it is possible. I am working on app that is using sensitive bank data and I don't consider it secure to store access and also refresh tokens in javascript's memmory. Is there any chance I can use authorization code grant flow with keycloak-connect? R. On 3 May 2019, at 09:51, Sebastien Blanc <sblanc(a)redhat.com&gt; wrote: Hi, If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302). This also means that your SPA must obtain the token by using the Keycloak Javascript library. Sebi On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan(a)gmail.com&gt; wrote: > Hello all, > I am new to keycloak and I tryed to use keycloak-connect to protect > routes on my server. From my SPA, I make a fetch call to the server route > that uses protect middleware. In case of unauthenticated user, > keycloak-connect returns redirect to login page (302 with location header). > Problem is that, original request was fetch and 302 causes that, browser > will call GET request for keycloak login page. This will not cause full > browser redirect to that login page. Wouldn't it be better to send 401 > Unauthorized and let browser to handle redirect itself? Or am I doing > something wrong? > > This is related part in my code. > > const keycloakConfig = { > authServerUrl: application.SERVER_URL, > clientId: application.CLIENT_ID, > realm: application.REALM, > public: true > }; > > const keycloak = new Keycloak({ cookies: true }, keycloakConfig); > > app.use( > keycloak.middleware({ > logout: '/logout' > }) > ); > > // Use routes > app.use('/api/v1/', keycloak.protect(), api); > > > Thank you for any help. > Radovan > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

SPA communicates with BE only through XHR requests. So if I understand it correctly, I should change code to tokens with keycloak server by myself and I can use keycloak-connect only for validating that token? Am I right? On 3 May 2019, at 11:10, Sebastien Blanc <sblanc(a)redhat.com&gt; wrote: Is your SPA served by the Nodeapp ? in this case the oauth flow/redirect can just happen. I think it's was this example shows : https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example But if your SPA needs to call through XHR your backend APIs you will need an access token on the client side ... On Fri, May 3, 2019 at 10:14 AM Radovan Kuka <kuka.radovan(a)gmail.com&gt; wrote: > Hi Sebi, > thank you for your prompt answer. I would like to avoid to use > keycloak.js, if it is possible. I am working on app that is using sensitive > bank data and I don't consider it secure to store access and also refresh > tokens in javascript's memmory. Is there any chance I can use authorization > code grant flow with keycloak-connect? > > R. > > On 3 May 2019, at 09:51, Sebastien Blanc <sblanc(a)redhat.com&gt; wrote: > > Hi, > > If you are using your node app just to expose APIs that your SPA will > consume, you should flag your node-ap as "bearer-only" (in the keycloak > config) , this will return a 401 if you user is not authenticated (and not > attempt the redirect 302). > This also means that your SPA must obtain the token by using the Keycloak > Javascript library. > > Sebi > > > On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan(a)gmail.com&gt; > wrote: > >> Hello all, >> I am new to keycloak and I tryed to use keycloak-connect to protect >> routes on my server. From my SPA, I make a fetch call to the server route >> that uses protect middleware. In case of unauthenticated user, >> keycloak-connect returns redirect to login page (302 with location header). >> Problem is that, original request was fetch and 302 causes that, browser >> will call GET request for keycloak login page. This will not cause full >> browser redirect to that login page. Wouldn't it be better to send 401 >> Unauthorized and let browser to handle redirect itself? Or am I doing >> something wrong? >> >> This is related part in my code. >> >> const keycloakConfig = { >> authServerUrl: application.SERVER_URL, >> clientId: application.CLIENT_ID, >> realm: application.REALM, >> public: true >> }; >> >> const keycloak = new Keycloak({ cookies: true }, keycloakConfig); >> >> app.use( >> keycloak.middleware({ >> logout: '/logout' >> }) >> ); >> >> // Use routes >> app.use('/api/v1/', keycloak.protect(), api); >> >> >> Thank you for any help. >> Radovan >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

I looked to the code and when bearerOnly is set to true, it will send in case of unauthorized user 403 status code not 401. R. On 3 May 2019, at 09:51, Sebastien Blanc <sblanc(a)redhat.com&gt; wrote: Hi, If you are using your node app just to expose APIs that your SPA will consume, you should flag your node-ap as "bearer-only" (in the keycloak config) , this will return a 401 if you user is not authenticated (and not attempt the redirect 302). This also means that your SPA must obtain the token by using the Keycloak Javascript library. Sebi On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan(a)gmail.com&gt; wrote: > Hello all, > I am new to keycloak and I tryed to use keycloak-connect to protect > routes on my server. From my SPA, I make a fetch call to the server route > that uses protect middleware. In case of unauthenticated user, > keycloak-connect returns redirect to login page (302 with location header). > Problem is that, original request was fetch and 302 causes that, browser > will call GET request for keycloak login page. This will not cause full > browser redirect to that login page. Wouldn't it be better to send 401 > Unauthorized and let browser to handle redirect itself? Or am I doing > something wrong? > > This is related part in my code. > > const keycloakConfig = { > authServerUrl: application.SERVER_URL, > clientId: application.CLIENT_ID, > realm: application.REALM, > public: true > }; > > const keycloak = new Keycloak({ cookies: true }, keycloakConfig); > > app.use( > keycloak.middleware({ > logout: '/logout' > }) > ); > > // Use routes > app.use('/api/v1/', keycloak.protect(), api); > > > Thank you for any help. > Radovan > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >