On 21/06/16 00:13, Chris Pitman wrote:
> Hey everyone,
> I'm running into an issue with an application that I've ported over to using
> Keycloak. I believe that the token issued by Keycloak is expiring, which causes
> XMLHttpRequests from my front end to be redirected to Keycloak, which then tries to
> redirect to Google (my identity provider). By the time it gets to Google, there have been
> redirects across two different domains, causing the browser to not set an origin header in
> the request to Google, which then causes the browser to not process the response.

Since Keycloak automatically redirects to Google, it seems that you have the
"Authenticate by default" switch enabled for your Google identity
provider, right? I just replied to some other thread where a user mentions
some issue. We may have a bug in Keycloak regarding this:
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006652.html

> What is the general way of handling a JavaScript Ajax request when a token expires? Or to
> have a UI get a new token without requiring the entire UI to refresh to force the browser
> to redirect?
> For further background, here is my setup: I am using Google OpenID Connect as the
> identity provider. The application is protected with keycloak-proxy, which then passes
> requests on to the application. keycloak-proxy is the piece detecting the token is no
> longer valid and redirecting the UI to Keycloak.

Hmm... for JavaScript apps, it's usually best to use the keycloak.js
adapter. Not sure why you need keycloak-proxy?

In keycloak.js you can automatically refresh tokens. Right before you
send a request to a REST endpoint, you can call "keycloak.updateToken", which
automatically refreshes the token if it's expired or is going to expire in 5
seconds or so (the exact time is configurable based on the argument to the
"updateToken" method). See the docs or our examples, for example this:
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...

Also in keycloak.js you can define the callback "onTokenExpired", which is
called when the accessToken expires. Here you can implement sending the refresh
request as well.

In short, you don't need to go through login flows and browser
redirections to Keycloak etc., but can instead rely on refreshing tokens.

Marek

> Chris Pitman
> Architect, Red Hat Consulting
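
Added example, not part of the original thread and not Keycloak project code: the refresh-before-request pattern described in the reply, with the "onTokenExpired" callback wired to the same refresh. It assumes a keycloak.js adapter whose updateToken(minValidity) returns a native promise; createApiClient, apiOrigin, doFetch and fakeKeycloak are names made up for this sketch.

```javascript
// `keycloak` is a keycloak.js adapter instance (assumed: promise-returning
// updateToken(minValidity), a `token` property and login()).
// `apiOrigin` and `doFetch` are parameters invented for this example.
function createApiClient(keycloak, apiOrigin, doFetch, minValidity = 30) {
  let refreshing = null; // one refresh shared by concurrent requests

  function freshToken() {
    if (!refreshing) {
      refreshing = Promise.resolve(keycloak.updateToken(minValidity))
        .finally(() => { refreshing = null; });
    }
    return refreshing.then(() => keycloak.token);
  }

  // Called by the adapter when the access token expires while the page is idle.
  keycloak.onTokenExpired = () => { freshToken().catch(() => keycloak.login()); };

  return async function request(url, options = {}) {
    // Never attach the bearer token to a request leaving the API origin.
    if (new URL(url, apiOrigin).origin !== apiOrigin) {
      throw new Error('refusing to send token to ' + url);
    }
    let token;
    try {
      token = await freshToken();
    } catch (err) {
      keycloak.login(); // refresh token no longer usable: full login needed
      throw new Error('session expired');
    }
    const headers = { ...options.headers, Authorization: 'Bearer ' + token };
    return doFetch(url, { ...options, headers });
  };
}

// Constructed stand-in for the adapter so the example runs offline.
function fakeKeycloak({ refreshFails = false } = {}) {
  const kc = { token: 'tok-0', refreshCalls: 0, loginCalls: 0 };
  kc.updateToken = async () => {
    kc.refreshCalls += 1;
    if (refreshFails) throw new Error('refresh failed');
    kc.token = 'tok-' + kc.refreshCalls;
    return true;
  };
  kc.login = () => { kc.loginCalls += 1; };
  return kc;
}
```

In a browser, pass the real adapter instance and `window.fetch.bind(window)` as doFetch; the only time the user sees a redirect is when the refresh itself fails.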