11:24 a.m.
Hi
I have a use case where I need to prompt a user to enter credentials during
a sequence of events. In this case, we're using keycloak's login screen to
capture the information and triggering it via the javascript adapter.
Doing a prompt=login has an unfortunate side effect that the existing
session gets rewritten. This causes the adapter to begin failing, the
refresh token and access token are no longer valid. It seems that there's
no way to reinitialize the iframe after this occurs, and I'm not sure
that's the best way to do it.
Is there any way to have keycloak not create a new session in this flow?
John
4:34 a.m.
Which version are you using? I think that in Keycloak 3.2 it won't
create new session, but connect to existing one. Feel free to create
JIRA if it doesn't work in this version.
Marek
On 23/08/17 18:24, John D. Ament wrote:
Hi
I have a use case where I need to prompt a user to enter credentials during
a sequence of events. In this case, we're using keycloak's login screen to
capture the information and triggering it via the javascript adapter.
Doing a prompt=login has an unfortunate side effect that the existing
session gets rewritten. This causes the adapter to begin failing, the
refresh token and access token are no longer valid. It seems that there's
no way to reinitialize the iframe after this occurs, and I'm not sure
that's the best way to do it.
Is there any way to have keycloak not create a new session in this flow?
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:05 a.m.
Hi Marek,
I'm on 3.2.0.
It could be that the actual session id is the same, but other aspects of
the session are being invalidated in this flow which ma explain what I'm
seeing. I am seeing a new keycloak session/identity cookie coming back,
which seems to throw off the javascript adapter.
John
On Thu, Aug 24, 2017 at 5:34 AM Marek Posolda <mposolda(a)redhat.com> wrote:
Which version are you using? I think that in Keycloak 3.2 it
won't
create new session, but connect to existing one. Feel free to create
JIRA if it doesn't work in this version.
Marek
On 23/08/17 18:24, John D. Ament wrote:
> Hi
>
> I have a use case where I need to prompt a user to enter credentials
during
> a sequence of events. In this case, we're using keycloak's login screen
to
> capture the information and triggering it via the javascript adapter.
> Doing a prompt=login has an unfortunate side effect that the existing
> session gets rewritten. This causes the adapter to begin failing, the
> refresh token and access token are no longer valid. It seems that
there's
> no way to reinitialize the iframe after this occurs, and I'm not sure
> that's the best way to do it.
>
> Is there any way to have keycloak not create a new session in this flow?
>
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
5:14 a.m.
Ok, that could be it. Could you please create JIRA for it? Or also send
PR with test if possible? Some existing tests for prompt param are in
OIDCAdvancedRequestParamsTest . It may be good to add new test here IMO.
Marek
On 24/08/17 12:05, John D. Ament wrote:
Hi Marek,
I'm on 3.2.0.
It could be that the actual session id is the same, but other aspects
of the session are being invalidated in this flow which ma explain
what I'm seeing. I am seeing a new keycloak session/identity cookie
coming back, which seems to throw off the javascript adapter.
John
On Thu, Aug 24, 2017 at 5:34 AM Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Which version are you using? I think that in Keycloak 3.2 it won't
create new session, but connect to existing one. Feel free to create
JIRA if it doesn't work in this version.
Marek
On 23/08/17 18:24, John D. Ament wrote:
> Hi
>
> I have a use case where I need to prompt a user to enter
credentials during
> a sequence of events. In this case, we're using keycloak's
login screen to
> capture the information and triggering it via the javascript
adapter.
> Doing a prompt=login has an unfortunate side effect that the
existing
> session gets rewritten. This causes the adapter to begin
failing, the
> refresh token and access token are no longer valid. It seems
that there's
> no way to reinitialize the iframe after this occurs, and I'm not
sure
> that's the best way to do it.
>
> Is there any way to have keycloak not create a new session in
this flow?
>
> John
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
5:53 a.m.
Done, with possibly some additional info. I'm going to debug into it a bit
more today to see what's happening.
https://issues.jboss.org/browse/KEYCLOAK-5326
John
On Thu, Aug 24, 2017 at 6:14 AM Marek Posolda <mposolda(a)redhat.com> wrote:
Ok, that could be it. Could you please create JIRA for it? Or also
send PR
with test if possible? Some existing tests for prompt param are in
OIDCAdvancedRequestParamsTest . It may be good to add new test here IMO.
Marek
On 24/08/17 12:05, John D. Ament wrote:
Hi Marek,
I'm on 3.2.0.
It could be that the actual session id is the same, but other aspects of
the session are being invalidated in this flow which ma explain what I'm
seeing. I am seeing a new keycloak session/identity cookie coming back,
which seems to throw off the javascript adapter.
John
On Thu, Aug 24, 2017 at 5:34 AM Marek Posolda <mposolda(a)redhat.com> wrote:
> Which version are you using? I think that in Keycloak 3.2 it won't
> create new session, but connect to existing one. Feel free to create
> JIRA if it doesn't work in this version.
>
> Marek
>
> On 23/08/17 18:24, John D. Ament wrote:
> > Hi
> >
> > I have a use case where I need to prompt a user to enter credentials
> during
> > a sequence of events. In this case, we're using keycloak's login
> screen to
> > capture the information and triggering it via the javascript adapter.
> > Doing a prompt=login has an unfortunate side effect that the existing
> > session gets rewritten. This causes the adapter to begin failing, the
> > refresh token and access token are no longer valid. It seems that
> there's
> > no way to reinitialize the iframe after this occurs, and I'm not sure
> > that's the best way to do it.
> >
> > Is there any way to have keycloak not create a new session in this flow?
> >
> > John
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
2464
days inactive
2465
days old
4 comments
2 participants
participants (2)
-
John D. Ament -
Marek Posolda