5:42 p.m.
Hi all,
I am experiencing a weird behavior where Keycloak immediately logs out a
user who has just logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of
the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is
identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now.
This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The
"exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and
then suddenly fall back to the login screen. Any ideas what might cause
behavior like this?
Thank you for your help,
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau(a)pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us
Save energy. Save a tree. Save the printing for something really important.
______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or
entity to which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action in
reliance upon, this information by persons or entities other than the intended recipient
is prohibited, and all liability arising therefrom is disclaimed. If you received this in
error, please contact the sender and delete the material from any computer.
PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This
communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.
8:01 p.m.
Hello Roger,
I have got a few questions to know a little more about your situation:
* Is a single AngularJS app with multi-tenancy support or are there two codebases with
identical code but different keycloak.json files?
* Have you checked your loggings of Keycloak already to get to know where it possibly
might go wrong? Loggings would be a major help and solve most of your issues.
* Have you set the default checkLoginIframe from true to false in the init() method of the
Keycloak JS Adapter?
If you could answer these three questions, that'd be great to help you out further :)
I ran into similar problems and hopefully I can solve your's as well.
Kind regards,
Kevin
-----Oorspronkelijk bericht-----
Van: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
Namens Roger Turnau (US - Advisory)
Verzonden: vrijdag 14 april 2017 17:42
Aan: keycloak-user <keycloak-user(a)lists.jboss.org>
Onderwerp: [keycloak-user] Keycloak App Logs out in Under 1 Minute
Hi all,
I am experiencing a weird behavior where Keycloak immediately logs out a user who has just
logged in. A few details:
- The Keycloak server has two realms. The issue only happens on one of
the realms. The other one works as expected.
- The configuration of both realms is pretty much identical.
- The login happens from an AngularJS app. The JS Keycloak code is
identical to the code that runs in the other realm's app.
- Keycloak has been working with almost no issues for a few months now.
This is a new behavior.
- I have examined the JWT token, and don't see anything unusual. The
"exp" claims and "iat" claims are giving the correct epoch time.
The app will accept the bearer token, make its back-end REST calls, and then suddenly fall
back to the login screen. Any ideas what might cause behavior like this?
Thank you for your help,
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau(a)pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202 http://www.pwc.com/us
Save energy. Save a tree. Save the printing for something really important.
______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or
entity to which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action in
reliance upon, this information by persons or entities other than the intended recipient
is prohibited, and all liability arising therefrom is disclaimed. If you received this in
error, please contact the sender and delete the material from any computer.
PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This
communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:14 p.m.
Kevin,
Thanks for getting back to me. Here are the answers, and a little bit of
clarification from further investigations:
1. The realms are for two separate codebases with different keycloak
configurations, but otherwise identical keycloak code.
2. Nothing is showing up in the Keycloak logs. There are no server
errors that I can see.
3. We are not doing anything with checkLoginIFrame in our initialization
code.
Looking under the hood at the Javascript adapter, we found that the token
was being revoked by the following code:
if (event.data != "unchanged") {
kc.clearToken();
}
I notice that that happens in the message callback created when the
iframe is set up. I assume that means that setting checkLoginIFrame to
false in our configuration will fix the issue. Is that correct?
Thanks again,
Roger Turnau
On Fri, Apr 14, 2017 at 2:01 PM, Kevin Berendsen <
kevin.berendsen(a)pharmapartners.nl> wrote:
--
*Roger Turnau*
PwC | Manager - Advisory Financial Services
Mobile: 850-228-2006
Email: roger.turnau(a)pwc.com
PricewaterhouseCoopers LLP
50 North Laura Street, Suite 3000, Jacksonville FL 32202
http://www.pwc.com/us
Save energy. Save a tree. Save the printing for something really important.
______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or
entity to which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action in
reliance upon, this information by persons or entities other than the intended recipient
is prohibited, and all liability arising therefrom is disclaimed. If you received this in
error, please contact the sender and delete the material from any computer.
PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This
communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.
2892
days inactive
2892
days old
2 comments
2 participants
participants (2)
-
Kevin Berendsen -
Roger Turnau (US - Advisory)