Hi, glad to hear it worked!
Another idea might be to install a servlet filter into Keycloak that would parse the URL param
and (re)attach it to the HttpSession. This would in theory eliminate the need for such
heuristics, but this needs to be investigated further.
Dmitry
On Sat, 2018-11-17 at 12:08 +0100, zitrone(a)gmx-topmail.de wrote:
Thank you very much.
For anyone interested, here is my full script. I check for the Referer header first; if
it is empty, I go for the direct parameters. I also restricted it to a certain role.
    // import enum for error lookup
    AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

    function authenticate(context) {
        // only users with this role need the parameter; everyone else passes through
        if (user.hasRole(realm.getRole("AllowedRole"))) {
            var username = user ? user.username : "anonymous";
            var referer = httpRequest.httpHeaders.getHeaderString("Referer");
            var _foo;
            if (referer !== null) {
                // after a redirect the parameters are in the Referer header
                var uri = new java.net.URI(referer);
                var uriInfo = new org.jboss.resteasy.spi.ResteasyUriInfo(uri);
                _foo = uriInfo.queryParameters.coBrowsingSSOId;
            } else {
                // cookie-based auth: the parameters are in the request URL itself
                _foo = httpRequest.uri.queryParameters.coBrowsingSSOId;
            }
            if (_foo !== null) {
                var foo = _foo[0]; // uriInfo.queryParameters is a multivalued map
                LOG.error(script.name + ": " + username + " foo =" + foo);
                authenticationSession.setUserSessionNote("foo", foo);
                context.success();
            } else {
                LOG.error("Missing query parameter 'foo'");
                context.failure(AuthenticationFlowError.INVALID_USER);
            }
        } else {
            context.success();
        }
    }
Regards
On 13.11.2018 at 23:40, Dmitry Telegin wrote:
> Hi, you're welcome,
>
> In the second scenario (cookie-based auth), there is no HTTP redirect, hence your
> query params are in the actual URL, not in the referer header. You can extract them as
> follows:
>
>     var _foo = httpRequest.uri.queryParameters['foo'];
>     if (_foo !== null)
>         var foo = _foo[0];
>
> Good luck!
> Dmitry
>
> On Tue, 2018-11-13 at 20:11 +0100, zitrone(a)gmx-topmail.de wrote:
> > Hi,
> >
> > I'm working on a similar problem. I managed to set up a script
> > authenticator and a User Session Note Mapper. Works fine on first
> > request (like, on the first try. Thanks for the code!). I send the query
> > parameter to the auth endpoint, enter the credentials and get a code.
> > The token I get for the code contains the query parameter as a field.
> >
> > But when I query the auth endpoint a second time, it authenticates via
> > cookie. Then it starts the script and the script throws a null pointer
> > exception. The problem is that the "Referer" header is null.
> >
> > The idea behind the second call is to "update" the session note. Any
> > ideas how to get the query parameter in this case? Or why it vanishes in
> > the first place?
> >
> >
> > Regards
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
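
The lookup order discussed in this thread (Referer first, request URL when the Referer is null), as an added stand-alone example that is not code from the thread or from Keycloak. It goes slightly further than the posted script: it also falls back when the Referer is malformed or lacks the parameter, and it checks the value before it would be stored as a session note, since both inputs are client-supplied and the value ends up in the token. `resolveNoteValue`, `ALLOWED`, the accepted value format and the sample URLs are assumptions.

```javascript
// Added example, not from the thread. resolveNoteValue and ALLOWED are
// hypothetical names; the accepted value format is an assumption.
const ALLOWED = /^[A-Za-z0-9_-]{1,64}$/;

// Query parameters are multivalued; take the first value, or null if absent.
function firstValue(url, name) {
  const all = new URL(url).searchParams.getAll(name);
  return all.length > 0 ? all[0] : null;
}

function resolveNoteValue(refererHeader, requestUrl, name) {
  let value = null;
  let source = null;
  if (refererHeader) {              // null on the cookie-based path
    try {
      value = firstValue(refererHeader, name);
      if (value !== null) source = "referer";
    } catch (e) {
      value = null;                 // malformed Referer: use the request URL
    }
  }
  if (value === null) {
    value = firstValue(requestUrl, name);
    if (value !== null) source = "request";
  }
  if (value === null) return { ok: false, reason: "missing" };
  // Both inputs are client-supplied; check before storing as a session note.
  if (!ALLOWED.test(value)) return { ok: false, reason: "invalid" };
  return { ok: true, value: value, source: source };
}

// Constructed sample inputs (host, realm and values are made up).
const BASE = "https://sso.example.test/auth/realms/demo";
const AUTH_URL = BASE + "/protocol/openid-connect/auth?client_id=app";
const FORM_URL = BASE + "/login-actions/authenticate?execution=e1";
const PARAM = "coBrowsingSSOId";

// First login: form post, parameter only visible in the Referer.
const viaLogin = resolveNoteValue(AUTH_URL + "&" + PARAM + "=xyz-9", FORM_URL, PARAM);
// Second call: cookie-based auth, no Referer, parameter in the request URL.
const viaCookie = resolveNoteValue(null, AUTH_URL + "&" + PARAM + "=abc123", PARAM);
console.log(viaLogin, viaCookie);
```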