[JBoss JIRA] (ARTIF-748) Web UI: Refresh to /login when Keycloak token expires
by Brett Meyer (JIRA)
[ https://issues.jboss.org/browse/ARTIF-748?page=com.atlassian.jira.plugin.... ]
Brett Meyer updated ARTIF-748:
------------------------------
Description:
If the token expires, the server spits out:
14:25:07,534 WARN [org.keycloak.events] (default task-36) type=REFRESH_TOKEN_ERROR, realmId=0c4049da-2746-468e-ab6d-49e51dd1f133, clientId=artificer-ui, userId=null, ipAddress=127.0.0.1, error=invalid_token
14:25:07,560 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-37) Refresh token failure status: 400 {"error_description":"Refresh token expired","error":"invalid_grant"}
The next time the browser makes a call to the UI services, Errai reports an uncaught GWT exception. That call *must* be protected by Keycloak, in order for our Filter to pick up the KeycloakSecurityContext and create the bearer token. However, the GWT exception shows that the Keycloak *login page* is being served on the call, so Errai's JSON marshaller barfs on the HTML.
APIMan (Angular UI) checks for a 401 response code and automatically refreshes the browser to combat this. However, I'm not sure if that's possible in this case. Our use of Errai's "Caller" pattern isn't kicking in for these errors (completely sidesteps the ErrorHandler), I'm guessing due to it being a lower level issue with the GWT marshaller.
Idea: Have a pure JavaScript loop "ping" the UI services and check the response.
was:
If the token expires, the server spits out:
14:25:07,534 WARN [org.keycloak.events] (default task-36) type=REFRESH_TOKEN_ERROR, realmId=0c4049da-2746-468e-ab6d-49e51dd1f133, clientId=artificer-ui, userId=null, ipAddress=127.0.0.1, error=invalid_token
14:25:07,560 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-37) Refresh token failure status: 400 {"error_description":"Refresh token expired","error":"invalid_grant"}
The next time the browser makes a call to the UI services, Errai reports an uncaught GWT exception. That call *must* be protected by Keycloak, in order for our Filter to pick up the KeycloakSecurityContext and create the bearer token. However, the GWT exception shows that the Keycloak *login page* is being served on the call, so Errai's JSON marshaller barfs on the HTML.
APIMan checks for a 401 response code and automatically refreshes the browser to combat this. However, I'm not sure if that's possible in this case. Our use of Errai's "Caller" pattern isn't kicking in for these errors (completely sidesteps the ErrorHandler), I'm guessing due to it being a lower level issue with the GWT marshaller.
Idea: Have a pure JavaScript loop "ping" the UI services and check the response.
> Web UI: Refresh to /login when Keycloak token expires
> -----------------------------------------------------
>
> Key: ARTIF-748
> URL: https://issues.jboss.org/browse/ARTIF-748
> Project: Artificer
> Issue Type: Task
> Reporter: Brett Meyer
> Assignee: Brett Meyer
>
> If the token expires, the server spits out:
> 14:25:07,534 WARN [org.keycloak.events] (default task-36) type=REFRESH_TOKEN_ERROR, realmId=0c4049da-2746-468e-ab6d-49e51dd1f133, clientId=artificer-ui, userId=null, ipAddress=127.0.0.1, error=invalid_token
> 14:25:07,560 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-37) Refresh token failure status: 400 {"error_description":"Refresh token expired","error":"invalid_grant"}
> The next time the browser makes a call to the UI services, Errai reports an uncaught GWT exception. That call *must* be protected by Keycloak, in order for our Filter to pick up the KeycloakSecurityContext and create the bearer token. However, the GWT exception shows that the Keycloak *login page* is being served on the call, so Errai's JSON marshaller barfs on the HTML.
> APIMan (Angular UI) checks for a 401 response code and automatically refreshes the browser to combat this. However, I'm not sure if that's possible in this case. Our use of Errai's "Caller" pattern isn't kicking in for these errors (completely sidesteps the ErrorHandler), I'm guessing due to it being a lower level issue with the GWT marshaller.
> Idea: Have a pure JavaScript loop "ping" the UI services and check the response.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
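
The ping check proposed in the description above, as an added example that is not Artificer's or the reporter's code: it treats a 401, a redirect, or an HTML body on a JSON endpoint as an expired session and sends the browser to /login. The ping path, the function names and the polling interval are assumptions.

```javascript
// Added example. PING_URL is a hypothetical JSON endpoint behind the Keycloak filter.
const PING_URL = "/artificer-ui/services/ping";
const LOGIN_URL = "/login";

// Classify one ping response: "ok", "expired", or "unknown" (transient, keep polling).
function classifyPing(res) {
  const type = (res.headers.get("content-type") || "").toLowerCase();
  // What APIMan keys on: an explicit 401 from the protected service.
  if (res.status === 401) return "expired";
  // With redirect: "manual", a browser reports the bounce to the login page this way.
  if (res.type === "opaqueredirect" || (res.status >= 300 && res.status < 400)) {
    return "expired";
  }
  // The case in this issue: 200 OK, but the body is the Keycloak login page.
  if (res.ok && type.startsWith("text/html")) return "expired";
  if (res.ok && type.includes("json")) return "ok";
  return "unknown"; // 5xx, odd content type: not evidence of an expired token
}

// One ping. fetchFn and navigate are injected so the check runs outside a browser.
async function checkSession(fetchFn, navigate) {
  let res;
  try {
    res = await fetchFn(PING_URL, {
      credentials: "same-origin",
      redirect: "manual",
      cache: "no-store",
      headers: { Accept: "application/json" },
    });
  } catch (err) {
    return "unknown"; // network failure: do not bounce the user to /login
  }
  const state = classifyPing(res);
  if (state === "expired") navigate(LOGIN_URL);
  return state;
}

// Poll until the session is seen as expired, then stop.
function startSessionWatch(fetchFn, navigate, intervalMs = 60000) {
  const timer = setInterval(async () => {
    if ((await checkSession(fetchFn, navigate)) === "expired") clearInterval(timer);
  }, intervalMs);
  return timer;
}

// In the page: startSessionWatch(window.fetch.bind(window), (u) => window.location.assign(u));
```
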
[JBoss JIRA] (ARTIF-748) Web UI: Refresh to /login when Keycloak token expires
by Brett Meyer (JIRA)
[ https://issues.jboss.org/browse/ARTIF-748?page=com.atlassian.jira.plugin.... ]
Brett Meyer commented on ARTIF-748:
-----------------------------------
[~eric.wittmann], thanks again for the help. Am I missing anything here?
> Web UI: Refresh to /login when Keycloak token expires
> -----------------------------------------------------
>
> Key: ARTIF-748
> URL: https://issues.jboss.org/browse/ARTIF-748
> Project: Artificer
> Issue Type: Task
> Reporter: Brett Meyer
> Assignee: Brett Meyer
>
> If the token expires, the server spits out:
> 14:25:07,534 WARN [org.keycloak.events] (default task-36) type=REFRESH_TOKEN_ERROR, realmId=0c4049da-2746-468e-ab6d-49e51dd1f133, clientId=artificer-ui, userId=null, ipAddress=127.0.0.1, error=invalid_token
> 14:25:07,560 ERROR [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-37) Refresh token failure status: 400 {"error_description":"Refresh token expired","error":"invalid_grant"}
> The next time the browser makes a call to the UI services, Errai reports an uncaught GWT exception. That call *must* be protected by Keycloak, in order for our Filter to pick up the KeycloakSecurityContext and create the bearer token. However, the GWT exception shows that the Keycloak *login page* is being served on the call, so Errai's JSON marshaller barfs on the HTML.
> APIMan checks for a 401 response code and automatically refreshes the browser to combat this. However, I'm not sure if that's possible in this case. Our use of Errai's "Caller" pattern isn't kicking in for these errors (completely sidesteps the ErrorHandler), I'm guessing due to it being a lower level issue with the GWT marshaller.
> Idea: Have a pure JavaScript loop "ping" the UI services and check the response.