Have you looked at sending the X-Requested-With header with a value of XHTMLRequest and
setting the autodetect-bearer-only value?
See
https://www.keycloak.org/docs/4.2/securing_apps/index.html
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Sebastien Blanc
Sent: 03 May 2019 08:51
To: Radovan Kuka <kuka.radovan(a)gmail.com>
Cc: keycloak userlist <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] 401 http status instead of 203 in case of unauthorized access
to specific route
Hi,
If you are using your node app just to expose APIs that your SPA will consume, you should
flag your node app as "bearer-only" (in the keycloak
config), this will return a 401 if your user is not authenticated (and not attempt the
redirect 302).
This also means that your SPA must obtain the token by using the Keycloak JavaScript
library.
Sebi
On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan(a)gmail.com> wrote:
Hello all,
I am new to keycloak and I tried to use keycloak-connect to protect
routes on my server. From my SPA, I make a fetch call to the server
route that uses the protect middleware. In the case of an unauthenticated user,
keycloak-connect returns a redirect to the login page (302 with a Location
header). The problem is that the original request was a fetch, and the 302 causes
the browser to issue a GET request for the keycloak login page. This will
not cause a full browser redirect to that login page. Wouldn't it be
better to send 401 Unauthorized and let the browser handle the redirect itself? Or am I doing
something wrong?
This is the related part of my code.
    const Keycloak = require('keycloak-connect');

    // Adapter configuration; `application` holds the deployment settings
    const keycloakConfig = {
      authServerUrl: application.SERVER_URL,
      clientId: application.CLIENT_ID,
      realm: application.REALM,
      public: true
    };
    const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
    app.use(
      keycloak.middleware({
        logout: '/logout'
      })
    );
    // Use routes
    app.use('/api/v1/', keycloak.protect(), api);
Thank you for any help.
Radovan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
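Added example (not from the thread and not keycloak-connect's own code): a stand-alone sketch of the decision the replies describe, where a bearer-only API or a request marked with X-Requested-With gets a 401 and only a page navigation gets the 302 to the login page. LOGIN_URL, APP_ORIGIN and the option names bearerOnly / autodetectBearerOnly are assumptions made for this sketch, and the sample requests are constructed.

```javascript
// Added illustration, not keycloak-connect source. LOGIN_URL, APP_ORIGIN and the
// option names bearerOnly / autodetectBearerOnly are assumptions for this sketch.
const LOGIN_URL = 'https://sso.example.test/auth/realms/demo/protocol/openid-connect/auth';
const APP_ORIGIN = 'https://app.example.test';

// Node lower-cases header names in req.headers.
function looksLikeApiCall(headers) {
  // Conventional value sent by AJAX libraries is "XMLHttpRequest".
  const xrw = String(headers['x-requested-with'] || '').toLowerCase();
  const auth = String(headers['authorization'] || '').toLowerCase();
  // fetch() does not add X-Requested-With by itself; the SPA must set it.
  return xrw === 'xmlhttprequest' || auth.startsWith('bearer ');
}

// Decide how to answer a request that carries no valid session or token.
function unauthenticatedResponse(req, opts) {
  const apiCall = opts.autodetectBearerOnly && looksLikeApiCall(req.headers);
  if (opts.bearerOnly || apiCall) {
    // The caller is code, not a person: report the failure, do not redirect.
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer' } };
  }
  const query = new URLSearchParams({
    client_id: opts.clientId,
    response_type: 'code',
    redirect_uri: APP_ORIGIN + req.url,
  });
  return { status: 302, headers: { Location: `${LOGIN_URL}?${query}` } };
}

// Constructed sample requests.
const navigation = { url: '/reports', headers: { accept: 'text/html' } };
const plainFetch = { url: '/api/v1/items', headers: { accept: '*/*' } };
const markedFetch = {
  url: '/api/v1/items',
  headers: { accept: '*/*', 'x-requested-with': 'XMLHttpRequest' },
};

function demo() {
  const auto = { clientId: 'spa', autodetectBearerOnly: true };
  const bearer = { clientId: 'spa', bearerOnly: true };
  return {
    navigationAuto: unauthenticatedResponse(navigation, auto).status,
    plainFetchAuto: unauthenticatedResponse(plainFetch, auto).status,
    markedFetchAuto: unauthenticatedResponse(markedFetch, auto).status,
    plainFetchBearerOnly: unauthenticatedResponse(plainFetch, bearer).status,
  };
}

console.log(demo());
```

The unmarked fetch under autodetection is the case from the original question: it still receives the 302, which fetch follows without navigating the page.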