[keycloak-dev] Kerberos with IE does not work

Bill Burke bburke at redhat.com
Wed Jul 29 08:27:07 EDT 2015


The trick you  found earlier doesn't work?

http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header

Also, what if in keycloak.js if kc.clientSecret is null?  Just remove 
the client secret IMO.  You shouldn't be exposing the client secret as 
it is now public to everybody in the world....

On 7/29/2015 8:05 AM, Michael Gerber wrote:
> I could find a solution for my IE problem.
>
> IE overwrites the Authorization header in the XMLHttpRequest
> (/protocol/openid-connect/token) with "Authorization: Negotiate".
>
> To solve this problem, I added on the client the client_id
> and client_secret to the form and changed the authorizeClient method, so
> it checks first the form data instead of the authorization http header.
>
> Have a look at my code:
> https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c
>
> Should I create a pull request for the changes or do you have a better
> solution?
>
> cheers
> Michael
>
>
>
> Am 22. Juli 2015 um 11:46 schrieb Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>>:
>
>> Hi Michael,
>>
>> No idea if there is other solution, I've never tried SPNEGO with
>> Internet explorer TBH :(
>>
>> Could you please create JIRA for this?
>>
>> Thanks,
>> Marek
>>
>> On 22.7.2015 10:07, Michael Gerber wrote:
>>> Hi all
>>>
>>> My kerberos configuration works fine with FireFox and Chrome, but it
>>> does not work with IE.
>>> It shows a prompt where the user has to enter a username and password.
>>>
>>> I can successfully get an access code, but I can not get an access
>>> token, because IE overwrites the Authorization header in the AJAX
>>> request. (see
>>> http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header)
>>>
>>> I can fix this by adding
>>> document.execCommand('ClearAuthenticationCache', 'false');
>>> above of
>>> var req = new XMLHttpRequest();
>>> approximately at the line 374 in the keycloack.js file.
>>>
>>> Is there another solution for this problem?
>>>
>>> cheers
>>> Michael
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list