Hello Tom,
Once you visit the SAML app, a user session is created in the app and a
JSESSIONID cookie is stored in your browser; that's why it works.
You have different ways to work around this:
1. You can embed the GUI component that makes the request to the SAML app
into an <iframe>. The iframe element can deal with the SAML requests and responses.
2. In the past I developed a "horrible hack" based on a
javax.servlet.Filter and an HTML page. The idea was that on the first
request to the OIDC app the filter would generate on the fly an HTML page
with a link to the SAML app. This triggered the SAML authentication,
creating the user session in the app and storing the JSESSIONID cookie in
the user's browser.
3. I recently solved the same issue using
org.keycloak.adapters.saml.servlet.SamlFilter. The idea is to create
your own custom cookie and use it to make the cross-context requests. You
can have a look at the code in this gist [1].
Keep in mind that all of the above are workarounds. The cleanest way would
be not to use SAML for protecting the resources/API of your second
application. Probably OAUTH2/OIDC would work better, but I imagine that you
are dealing with some legacy code and you do not have too many options :)
Hope it helps,
Luis
[1]
https://gist.github.com/lurodrig/83319a623692f573c4d2f91e16176fca
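As an added illustration of option 2 above (this is not Luis's code nor the linked gist), here is a javax.servlet.Filter for the OIDC app that, on the first request of a browser session, serves a page linking to the SAML app so the SAML login runs and the SAML app's JSESSIONID cookie is set before the GUI makes its REST calls. The cookie name, the init parameter and the SAML app URL are assumptions; the link target deliberately comes only from configuration, never from a request parameter, so the page cannot be turned into an open redirect.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter registered in the OIDC app's web.xml with an init-param
// "samlAppUrl" (assumed name) pointing at the SAML-protected application.
public class SamlWarmupFilter implements Filter {
    private static final String MARKER = "saml_warmup_done"; // assumed cookie name
    private String samlAppUrl;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        samlAppUrl = cfg.getInitParameter("samlAppUrl");
        if (samlAppUrl == null || !samlAppUrl.startsWith("https://")) {
            throw new ServletException("samlAppUrl must be an absolute https URL");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (hasMarker(request)) {      // already warmed up: normal processing
            chain.doFilter(req, res);
            return;
        }
        // Remember that the page was shown so it only appears once per browser session.
        Cookie marker = new Cookie(MARKER, "1");
        marker.setHttpOnly(true);
        marker.setSecure(true);
        marker.setPath("/");
        response.addCookie(marker);
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html;charset=UTF-8");
        // Only the configured URL is emitted; no user-supplied data reaches the page.
        response.getWriter().print("<!doctype html><p>Please continue to sign in.</p>"
                + "<a href=\"" + samlAppUrl.replace("\"", "%22") + "\">Continue</a>");
    }

    private static boolean hasMarker(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) if (MARKER.equals(c.getName())) return true;
        return false;
    }

    @Override
    public void destroy() { }
}
```

Following the link makes the browser authenticate against Keycloak for the SAML app, after which the SAML app's JSESSIONID cookie is present and the GUI's REST calls to it no longer return 401.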
El vie., 11 ene. 2019 a las 9:47, Tom Barber (<tom(a)spicule.co.uk>) escribió:
Hi folks
Trying to solve a question for one of my web developers.
We have 2 apps: one which authenticates against Keycloak using SAML, and then
a GUI that uses OIDC. When a user logs into the GUI it then performs a REST
call to the SAML-based client app.
This causes a 401 currently, but as soon as I visit the SAML app and
Keycloak logs in, then the REST calls work. What aren't we passing, or what config
am I missing?
Thanks
Tom
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett