I think that you don't need to use the "onLoad" option at all because you
passed tokens. So you can just use something like:

    var kcInitObj = {
        token: '<%=token%>',
        refreshToken: '<%=refreshToken%>',
        idToken: '<%=idToken%>'
    };

Besides that, I can see that you added the "<script>" tag after the
kcInitObj is initialized. Unless I am missing something (previous
snippet of your page etc.), you will need to first add the "<script>" tag and
then initialize kcInitObj inside it, as it's a JavaScript object.
If you have a JavaScript debugger (for example Firebug on FF) you can
add a breakpoint before the keycloak.init call and check that "kcInitOptions"
looks as expected and really contains the 3 tokens you passed above.
Marek
On 07/04/16 08:19, Subhrajyoti Moitra wrote:
Hello Stian and Marek,
Thanks for the clarification.
I am not sure what you mean by "invoke that yourself and initialize
keycloak.js with the tokens afterwards". You mean in the new
KeyCloak(...) constructor I pass the tokens and other values?
" authenticate with both LDAP and Keycloak in the first place...."
- The desktop Windows application is an old legacy application (custom
dialer) used to connect to the Aspect Telephony server. This Aspect server
requires the AD login so that agents using this dialer are connected to
Aspect. So I don't know how I can avoid this.
- There is no way to pass the username/pass from the embedded KC page
to the "parent" windows application. Not sure if some workaround is
possible in the local application or not.
Please help.
Thanks,
Subhro.
On Thu, Apr 7, 2016 at 11:18 AM, Stian Thorgersen <sthorger@redhat.com> wrote:
keycloak.js doesn't support direct grant and we won't add it.
You'd have to invoke that yourself and initialize keycloak.js with
the tokens afterwards.
Why do you need to authenticate with both LDAP and Keycloak in the
first place? In either case I'd say a better way would be to use
what Marek suggests as option 2. User can enter username/password
in embedded Keycloak login page instead of popup box. Using the
embedded login page has a number of benefits over direct grant.
For example required actions, recover password support, etc.
On 7 April 2016 at 07:07, Subhrajyoti Moitra <subhrajyotim@gmail.com> wrote:
Hello Marek,
What is the value of onLoad during keycloak init() function?
I tried both check-sso and login-required, but it is still
showing the kc login page.
Here's what I did.
Using Java code I get direct access grant tokens. I get a
response from this code, something like the below.
{"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblahblah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}
Then I am hitting the jsp page.
http://localhost:8080/myapp/index.jsp?tokenJson=<theabovejsonstring-cu...
In index.jsp I extract the tokenJson param and parse the json
to further extract the accessToken, idToken and refreshToken.
A code snippet in index.jsp, like the below generates the
keycloak init obj.
<%
String iaJsonStr = request.getParameter("tokenJson"); // get the token json from url
String token = "", idToken = "", refreshToken = ""; // init the values
if (!StringUtils.isEmpty(iaJsonStr)) {
    JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
    token = iaJsonObj.getString("access_token"); // extract access
    refreshToken = iaJsonObj.getString("refresh_token"); // extract refresh
    idToken = iaJsonObj.getString("id_token"); // extract id
}
if (!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)) { %>
var kcInitObj = {
    onLoad: 'check-sso',
    token: '<%=token%>',
    refreshToken: '<%=refreshToken%>',
    idToken: '<%=idToken%>'
};
<% } else { %>
var kcInitObj = {
    onLoad: 'check-sso'
};
<% } %>
.......
.....
<script>
var keycloak = Keycloak('/myapp/keycloak-dev.json');
keycloak.init(kcInitObj).success(function(authenticated) {
    if (!authenticated) {
        keycloak.login();
    } else {
        // call loadProfile and get the user details.
    }
}).error(....)
</script>
This is still redirecting me to the login page. Do I have to
do something in the client setup?
So close, yet so far... Please help.
Thanks a lot for your attention.
Subhro.
On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra <subhrajyotim@gmail.com> wrote:
Thanks a million Marek for setting us in the right direction.
"...application is able to access the javascript state
from embedded IE" - this is not possible currently, hence
the 1st solution won't work.
We will follow the 2nd way to do this.
So using "direct access grant
<http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
I get the required JSON token data as mentioned.
Then I pass this data to the jsp page (embedded in IE),
using URL params.
The JSP page pulls out the required data from the URL
params, and then inits keycloak.js.
In the keycloak init function I pass the token, idToken and
refreshToken values.
Hopefully this works, trying it now!
Thanks a lot again for the pointers.
Subhro.
On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda <mposolda@redhat.com> wrote:
Do you have the "control" under the application? Is it
possible to propagate security contexts from
application to embedded IE or vice versa?
In theory what can work is either:
- You will skip step1 and don't popup
username/password box. Instead you will just
authenticate in step2 inside IE and then propagate the
context ( token ) to step1. This is possible just if
application is able to access the javascript state
from embedded IE.
- If you can propagate just from desktop to IE, then
in step1 you will configure your application to send
the request for username/password authentication to
Keycloak via direct access grant (instead of sending
username+password directly to AD/LDAP). Once you
receive token from direct access grant, you can use it
inside IE in step2 ( keycloak.js has possibility to be
initialized with token. You just need to pass the
token and refreshToken as arguments to keycloak.init .
Then keycloak.js won't redirect you to login screen )
Marek
On 06/04/16 11:24, Subhrajyoti Moitra wrote:
> Hello Team,
>
> I have a standalone windows desktop application, that
> authenticates against an AD/LDAP server. The
> application pops up a username/password box, and
> submits it to the LDAP for authentication.
> The same AD/LDAP server is also synced with a
> Keycloak installation.
>
> The windows application embeds the IE browser control
> and shows a jsp page.
> This jsp page is protected using keycloak js adapter.
> Obviously the user is re-directed to the keycloak
> login page. So the user has to login twice, once
> using the application popup and other in the embedded
> jsp, after getting redirected to the keycloak login page.
>
> I don't want to re-prompt the user for relogin, since
> he has already authenticated against the AD server.
> Is there a way to not re-prompt the user, when the
> embedded IE requests the secure JSP?
>
> Please help, as we are not able to come up with a
> solution for the same.
> Any pointers how we can avoid the 2nd authentication.
>
> Thanks,
> Subhro.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> <mailto:keycloak-user@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
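
Added example, not part of the original thread and not Keycloak project code: a JavaScript helper that turns a direct-grant token response like the one quoted in the thread into the three-field keycloak.init() options Marek describes (no onLoad), and rejects values that are not compact JWTs or an access token that has already expired. The names buildKcInitOptions, decodePayload and fakeJwt, and the sample tokens, are constructed for illustration; the block uses Buffer, so it runs under Node.js.

```javascript
// Compact JWS shape: three base64url segments. This character set contains no
// quote, angle bracket or backslash, so an accepted value cannot close the
// JavaScript string literal it is later embedded in.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Decode the payload segment WITHOUT verifying the signature; used only for
// the exp sanity check, never for an authorization decision.
function decodePayload(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns { token, refreshToken, idToken } or throws with the reason.
function buildKcInitOptions(tokenJson, nowSeconds) {
  const resp = JSON.parse(tokenJson);
  const opts = {
    token: resp.access_token,
    refreshToken: resp.refresh_token,
    idToken: resp.id_token,
  };
  for (const [name, value] of Object.entries(opts)) {
    if (typeof value !== 'string' || !JWT_SHAPE.test(value)) {
      throw new Error(name + ' is missing or not a compact JWT');
    }
  }
  const exp = decodePayload(opts.token).exp;
  if (typeof exp !== 'number' || exp <= nowSeconds) {
    throw new Error('token is expired or has no exp claim');
  }
  return opts; // no onLoad: the tokens are supplied directly
}

// Constructed sample tokens (placeholder signature, not issued by any server).
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256' }) + '.' + enc(payload) + '.c2ln';
}
const sampleResponse = JSON.stringify({
  access_token: fakeJwt({ exp: 2000 }),
  refresh_token: fakeJwt({ exp: 3000 }),
  id_token: fakeJwt({ exp: 2000 }),
  token_type: 'bearer',
});

console.log(buildKcInitOptions(sampleResponse, 1000));
```

The returned object is what would be passed to keycloak.init(); logging it is the scripted equivalent of the breakpoint check suggested in the reply.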