One of the issues was rather easily resolved. I forgot about being able to implicitly
inject an authenticationSuccessHandler in the Spring security application context. The
one from Spring Security will do just fine with property
"alwaysUseDefaultTargetUrl" set to true.
The most pressing issue for us now is being able to logout all SSO applications with one
logout. So a logout in SSO application_A should cause the other SSO applications to
prompt to the Keycloak login url upon the next request. Right now we have to wait for the
browser to expire its session naturally for that to happen.
This appears to be harder. Unless I'm missing something again.
T
-----Original message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On behalf of PEETERS.THOMAS (ICT)
Sent: Friday 22 June 2018 13:13
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Keycloak 3.4.x client-url and SSO questions
Hey all,
While implementing a Keycloak based secure application set (3 internal web applications)
with Spring-Security, I’ve come upon some details that I can’t seem to find an adequate
answer to.
Our environment and implementations:
The security layer is implemented on the front-end only (for now).
JBoss EAP 6.4, JSF 2.1 Mojarra with RichFaces 4, Spring 3.2.18, Spring-security 3.2.10,
Keycloak-spring-security-adapter 3.4.1 (same as the Keycloak server being used).
What we’ve got working:
2 applications with SSL and SSO. Both redirect to the Keycloak login page. When we log
in to app1 we’re also logged in in app2, so that’s good.
What we want but can’t seem to achieve:
· Log out of app1 --> refresh of app2 should redirect to the Keycloak login page.
At this point it seems that the user credentials remain active as long as the browser
session remains active.
· After successful login from the Keycloak login page always redirect to the
application welcome page (index.xhtml for instance).
Use case: A user is working in one of our secured applications, whose browser session
has ended, and clicks on some kind of link. The application correctly redirects this user to
the Keycloak login page. The user correctly logs in and gets taken back to where he/she
was. However, when this is an AJAX kind of request the user sees plain XML when taken
back to the application. To avoid this I would like to always redirect to the welcome page
of the application when the user logs in through the Keycloak login page. I can’t seem to
find a way to do this.
· Logout doesn’t always work well. Sometimes the Spring AntPathRequestMatcher
doesn’t correctly match our logout pattern (/sso/logout**). Therefore we’ve provided an
alternative that we’ve found in the documentation in the form of:
https://<keycloak-url-with-port>/auth/realms/<realmName>/protocol/openid-connect/logout?redirect_uri=<Application-base-URL>
However, this doesn’t always work either. There are situations, depending on
invalid rights for certain application parts, where this never logs out a user.
We’ve got a Spring-security application context in XML that is roughly the same as the one
found in the documentation. And a keycloak.json file that looks like this:
{
"realm": "<realmName>",
"auth-server-url": "<keycloak-url-with-port>/auth",
"ssl-required": "all",
"truststore": "<working-truststore>",
"truststore-password":"<a-working-pwd>",
"resource": "<App1-name>",
"public-client": true,
"always-refresh-token": true
}
Due to the large number of Keycloak releases and accompanied configuration changes it’s
really hard for us to find relevant information. When we first started by creating a POC
we used the most recent Keycloak version (3.4.1-Final). A lot of information that is not
old appears to be outdated. Just an observation.
Thanks for reading.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
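Added example, not the poster's context file or Keycloak's own: a Spring Security 3.2 XML fragment for the two points raised in this thread, the alwaysUseDefaultTargetUrl success handler that gives the welcome-page redirect, and the adapter's pre-auth-actions filter plus Keycloak logout handler, which is the mechanism by which a logout in one application can invalidate the sessions of the others. It assumes the Keycloak 3.4.x Spring Security adapter class names, that beans named authenticationManager, adapterDeploymentContext and keycloakAuthenticationEntryPoint are defined as in the adapter documentation, and that each client's Admin URL in the Keycloak console points at that application's base URL so Keycloak's k_logout push can reach it.

```xml
<!-- Assumed to exist elsewhere in this context (as in the adapter docs): beans
     authenticationManager, adapterDeploymentContext, keycloakAuthenticationEntryPoint. -->

<!-- 1. After a Keycloak login always land on the welcome page instead of replaying the
        saved request (a replayed AJAX request is what shows raw XML to the user). -->
<bean id="keycloakAuthenticationProcessingFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
    <constructor-arg ref="authenticationManager"/>
    <property name="authenticationSuccessHandler">
        <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
            <property name="defaultTargetUrl" value="/index.xhtml"/>
            <property name="alwaysUseDefaultTargetUrl" value="true"/>
        </bean>
    </property>
</bean>

<!-- 2. Single logout: Keycloak pushes a k_logout request to each client's Admin URL. The
        pre-auth-actions filter handles it, but only invalidates this application's HTTP
        sessions when a session manager is wired in (it must be a bean in this context so
        it receives the authentication events that register sessions). -->
<bean id="httpSessionManager"
      class="org.keycloak.adapters.springsecurity.management.HttpSessionManager"/>
<bean id="keycloakPreAuthActionsFilter"
      class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter">
    <property name="userSessionManagement" ref="httpSessionManager"/>
</bean>

<!-- 3. The application's own logout must end the Keycloak SSO session, not just the local
        one; KeycloakLogoutHandler does that, which in turn triggers the push from step 2. -->
<bean id="keycloakLogoutHandler"
      class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
    <constructor-arg ref="adapterDeploymentContext"/>
</bean>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/"/>   <!-- browser lands here after logout -->
    <constructor-arg>
        <list>
            <ref bean="keycloakLogoutHandler"/>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
        </list>
    </constructor-arg>
    <!-- exact path instead of the /sso/logout** ant pattern that did not always match -->
    <property name="filterProcessesUrl" value="/sso/logout"/>
</bean>

<!-- Order matters: the k_logout handler must run before the logout and login filters. -->
<security:http entry-point-ref="keycloakAuthenticationEntryPoint" use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <security:custom-filter ref="keycloakPreAuthActionsFilter" before="LOGOUT_FILTER"/>
    <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
    <security:custom-filter ref="keycloakAuthenticationProcessingFilter" before="FORM_LOGIN_FILTER"/>
</security:http>
```

If the Admin URL is left empty in the Keycloak console, the adapter never receives the k_logout push and the other applications keep their sessions until they expire, which matches the behaviour described in the thread.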