KEYCLOAK-2962 and autodetect-bearer-only
by Amat, Juan (Nokia - US)
Hello,
I was reading this ticket as I am having a similar use case: my application, using
the wildfly adapter (2.5.1), is doing a mix of http requests: regular ones and
ajax ones.
I declare my client as 'public' and everything is fine. Except when the session times
out and the next request is an ajax one. In this case, Keycloak will try to redirect
which does not work.
>From my understanding this is what this ticket was about.
The proposed fix in OAuthRequestAuthenticator.java will 'fix' this problem.
And it was similar to what is done in the spring security adapter (KEYCLOAK-1391).
Instead the ticket was resolved by introducing the autodetect-bearer-only property.
Unfortunately this does not help me as this will treat all ajax requests as 'bearer only'.
But I do not set any Authorization header with a valid token (again this is some existing
application and the only modification is configuration the keycloak sub system in my
standalone.xml file.
I am wondering then if we still do the same 'trick' as the one in the spring security adapter.
At least for consistency reason.
I understand that this is not a bug in Keycloak but an enhancement.
I do have the problem when I am not using Keycloak but if Keycloak could solve it, then
this will be a nice selling point!
What do you think?
Thank you,
Juan