[keycloak-dev] Kerberos with IE does not work

Marek Posolda mposolda at redhat.com
Tue Aug 4 10:16:39 EDT 2015 

Thanks for the confirm!

I've added the patch to keycloak master and will be available in 1.5. 
I've also resolved jira https://issues.jboss.org/browse/KEYCLOAK-1595 .

Thanks,
Marek

On 4.8.2015 07:58, Michael Gerber wrote:
> Hi Marek,
>
> Your proposed patch works perfectly fine.
> IE only overwrites the header for the keycloak REST services, the 
> other REST services work fine.
>
> Thank you for your help.
> Michael
>
> Am 03. August 2015 um 13:36 schrieb Marek Posolda <mposolda at redhat.com>:
>
>> On 29.7.2015 16:37, Michael Gerber wrote:
>>> The ClearAuthenticationCache command deletes the following data:
>>> - Session cookies
>>> - sessionStorage
>>> - HTTP Authentication (e.g. Digest or Basic HTTP credentials)
>>> - HTTPS Client Certificates (e.g. sites that use certificates or 
>>> SmartCards)
>>>
>>> But keycloak needs the session cookie, otherwise the user has to 
>>> relogin after each page reload.
>>>
>>> Isn't the clientSecret anyway public if it is send in the 
>>> Authorization header?
>> Yes, it is for JS clients. That's why it's better to not use 
>> clientSecret with javascript based clients, but instead mark those 
>> clients as "public" in keycloak admin console. In this case 
>> keycloak.js will use client_id parameter instead of Authorization 
>> header. Can this work for you?
>>
>> Thing is, that currently AuthorizeClientUtil will likely 
>> automatically send 401 if it found "Authorization: Negotiate ..." 
>> header even if you have public client and you want to use client_id 
>> (I did not test it, but guessing from looking at the code). So I've 
>> created the simple patch to avoid it: 
>> https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454354aa891903
>>
>> So if you do the steps like:
>> 1) make your client as public
>> 2) Apply my patch
>>
>> will it help?
>>
>> I am still seeing potential issues if your javascript client needs to 
>> send REST requests authorized by "Authorization: Bearer" header with 
>> accessToken. Not sure if IE doesn't again overwrite the header with 
>> "Authorization: Negotiate". In this case REST request would fail. But 
>> hopefully not... If you have opportunity to try it, it will be cool.
>>
>> Thanks,
>> Marek
>>
>>>
>>> Am 29. Juli 2015 um 14:27 schrieb Bill Burke <bburke at redhat.com>:
>>>
>>>> The trick you found earlier doesn't work?
>>>>
>>>> http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header
>>>>
>>>> Also, what if in keycloak.js if kc.clientSecret is null? Just remove
>>>> the client secret IMO. You shouldn't be exposing the client secret as
>>>> it is now public to everybody in the world....
>>>>
>>>> On 7/29/2015 8:05 AM, Michael Gerber wrote:
>>>>> I could find a solution for my IE problem.
>>>>>
>>>>> IE overwrites the Authorization header in the XMLHttpRequest
>>>>> (/protocol/openid-connect/token) with "Authorization: Negotiate".
>>>>>
>>>>> To solve this problem, I added on the client the client_id
>>>>> and client_secret to the form and changed the authorizeClient 
>>>>> method, so
>>>>> it checks first the form data instead of the authorization http 
>>>>> header.
>>>>>
>>>>> Have a look at my code:
>>>>> https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c
>>>>>
>>>>> Should I create a pull request for the changes or do you have a better
>>>>> solution?
>>>>>
>>>>> cheers
>>>>> Michael
>>>>>
>>>>>
>>>>>
>>>>> Am 22. Juli 2015 um 11:46 schrieb Marek Posolda 
>>>>> <mposolda at redhat.com <mailto:mposolda at redhat.com>
>>>>> <mailto:mposolda at redhat.com>>:
>>>>>
>>>>>> Hi Michael,
>>>>>>
>>>>>> No idea if there is other solution, I've never tried SPNEGO with
>>>>>> Internet explorer TBH :(
>>>>>>
>>>>>> Could you please create JIRA for this?
>>>>>>
>>>>>> Thanks,
>>>>>> Marek
>>>>>>
>>>>>> On 22.7.2015 10:07, Michael Gerber wrote:
>>>>>>> Hi all
>>>>>>>
>>>>>>> My kerberos configuration works fine with FireFox and Chrome, but it
>>>>>>> does not work with IE.
>>>>>>> It shows a prompt where the user has to enter a username and 
>>>>>>> password.
>>>>>>>
>>>>>>> I can successfully get an access code, but I can not get an access
>>>>>>> token, because IE overwrites the Authorization header in the AJAX
>>>>>>> request. (see
>>>>>>> http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header)
>>>>>>>
>>>>>>> I can fix this by adding
>>>>>>> document.execCommand('ClearAuthenticationCache', 'false');
>>>>>>> above of
>>>>>>> var req = new XMLHttpRequest();
>>>>>>> approximately at the line 374 in the keycloack.js file.
>>>>>>>
>>>>>>> Is there another solution for this problem?
>>>>>>>
>>>>>>> cheers
>>>>>>> Michael
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>> -- 
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20150804/88ca9208/attachment-0001.html

More information about the keycloak-dev mailing list