11:38 a.m.
Hi,
we have a use-case for the KeycloakInstalled adapter, but this does not
work as expected; after login in the desktop application, there is no SSO
to the web-applications.
I have traced this to an open issue created for keycloak 4.x:
KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie not getting set (KEYCLOAK-8137
<https://issues.jboss.org/browse/KEYCLOAK-8137>)
and a closed pull request https://github.com/keycloak/keycloak/pull/5607
I'm using keycloak version 6.0.1, here is a procedure to reproduce this
issue:
- use
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/c...
to login to keycloak
- do not close the browser and open /auth/realms/demo/account/ in a new
tab
I expect that the account page opens without login, but this is not the
case, keycloak present the login page.
Is there a reason that the pull request was closed without merging it?
There is a comment "my vote is to postpone this and merge it in early 5.x,
so we have time to fix potential regressions/side-effects in 5.x " and "we
need to understand this a bit better", but no explanation why the cookies
are (should be) removed by the delegate page.
If this cannot be solved, we'll need a workaround.
I'm thinking in the direction of creating our own version of the
KeycloakInstalled adapter and use a simple "login web-application" in front
of keycloak...
Is this a good approach or are there better ways to accomplish this?
Kind regards
Boris
--
**** DISCLAIMER
<https://media.tvh.com/content/pdf/various/Email-disclaimer.pdf> ****
This
message is delivered to all addressees subject to the conditions set forth
in the attached disclaimer, which is an integral part of this message.
When you communicate with us via e-mail, telephone, fax or via our website,
we process your personal data. For more information on how we process your
personal data, please consult our Privacy Policy
<https://www.tvh.com/privacy-policy>. By communicating with us, you
unambiguously consent to our use of your personal data as explained in the
Privacy Policy.
7:39 a.m.
The proper solution to this issue is to revert KeycloakInstalled to not use
the text-based authentication flows (see dev mailing I'm proposing we
remove that completely).
Not 100% sure how it decides to use the text-based authentication flow, but
it seems that's the issue as it shouldn't use that flow obvoiusly when it's
login via a web browser.
On Thu, 5 Sep 2019 at 17:40, Boris Matthys <boris.matthys(a)tvh.com> wrote:
Hi,
we have a use-case for the KeycloakInstalled adapter, but this does not
work as expected; after login in the desktop application, there is no SSO
to the web-applications.
I have traced this to an open issue created for keycloak 4.x:
KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie not getting set
(KEYCLOAK-8137
<https://issues.jboss.org/browse/KEYCLOAK-8137>)
and a closed pull request https://github.com/keycloak/keycloak/pull/5607
I'm using keycloak version 6.0.1, here is a procedure to reproduce this
issue:
- use
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/c...
to login to keycloak
- do not close the browser and open /auth/realms/demo/account/ in a new
tab
I expect that the account page opens without login, but this is not the
case, keycloak present the login page.
Is there a reason that the pull request was closed without merging it?
There is a comment "my vote is to postpone this and merge it in early 5.x,
so we have time to fix potential regressions/side-effects in 5.x " and "we
need to understand this a bit better", but no explanation why the cookies
are (should be) removed by the delegate page.
If this cannot be solved, we'll need a workaround.
I'm thinking in the direction of creating our own version of the
KeycloakInstalled adapter and use a simple "login web-application" in front
of keycloak...
Is this a good approach or are there better ways to accomplish this?
Kind regards
Boris
--
**** DISCLAIMER
<https://media.tvh.com/content/pdf/various/Email-disclaimer.pdf> ****
This
message is delivered to all addressees subject to the conditions set forth
in the attached disclaimer, which is an integral part of this message.
When you communicate with us via e-mail, telephone, fax or via our
website,
we process your personal data. For more information on how we process your
personal data, please consult our Privacy Policy
<https://www.tvh.com/privacy-policy>;. By communicating with us, you
unambiguously consent to our use of your personal data as explained in the
Privacy Policy.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1692
days inactive
1693
days old
1 comments
2 participants
participants (2)
-
Boris Matthys -
Stian Thorgersen