[keycloak-dev] Kerberos with IE does not work

Michael Gerber gerbermichi at me.com
Wed Jul 29 10:37:19 EDT 2015


The ClearAuthenticationCache command deletes the following data:
- Session cookies
- sessionStorage
- HTTP Authentication (e.g. Digest or Basic HTTP credentials)
- HTTPS Client Certificates (e.g. sites that use certificates or SmartCards)

But keycloak needs the session cookie, otherwise the user has to relogin after each page reload.

Isn't the clientSecret public anyway if it is sent in the Authorization header?

On 29 July 2015 at 14:27, Bill Burke <bburke at redhat.com> wrote:

The trick you found earlier doesn't work?

http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header

Also, what if, in keycloak.js, kc.clientSecret is null? Just remove
the client secret IMO. You shouldn't be exposing the client secret as
it is now public to everybody in the world....

On 7/29/2015 8:05 AM, Michael Gerber wrote:
I could find a solution for my IE problem.

IE overwrites the Authorization header in the XMLHttpRequest
(/protocol/openid-connect/token) with "Authorization: Negotiate".

To solve this problem, I added the client_id and client_secret to the
form on the client and changed the authorizeClient method so that it
checks the form data first instead of the Authorization HTTP header.

Have a look at my code:
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01da4df21ee0953c

Should I create a pull request for the changes or do you have a better
solution?

cheers
Michael



On 22 July 2015 at 11:46, Marek Posolda <mposolda at redhat.com> wrote:

Hi Michael,

No idea if there is another solution, I've never tried SPNEGO with
Internet Explorer TBH :(

Could you please create a JIRA for this?

Thanks,
Marek

On 22.7.2015 10:07, Michael Gerber wrote:
Hi all

My Kerberos configuration works fine with Firefox and Chrome, but it
does not work with IE.
It shows a prompt where the user has to enter a username and password.

I can successfully get an access code, but I cannot get an access
token, because IE overwrites the Authorization header in the AJAX
request. (see
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces-authorization-header)

I can fix this by adding
document.execCommand('ClearAuthenticationCache', 'false');
above
var req = new XMLHttpRequest();
at approximately line 374 in the keycloak.js file.

Is there another solution for this problem?

cheers
Michael


_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev





-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
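As an added illustration of the server-side change discussed in this thread (this is not Keycloak's code and not from any of the posters): a Python model of a token-endpoint client-authentication check that looks at the form parameters first and only then at the Authorization header, treats a "Negotiate" header (what IE substitutes in the XMLHttpRequest) as no client credential at all rather than as a malformed one, and never expects a secret from a public client, which is the point Bill raises about shipping kc.clientSecret in keycloak.js. The client registry, the secret value and the function names are constructed for the example; Keycloak's real authorizeClient is Java and may behave differently.

```python
import base64
import hmac
from typing import Mapping, Optional, Tuple

# Constructed client registry: a browser app is a public client and holds no
# secret; a server-side service is confidential and must prove its secret.
CLIENTS = {
    "browser-app": {"public": True, "secret": None},
    "backend-service": {"public": False, "secret": "constructed-example-secret"},
}


def basic_header(client_id: str, secret: str) -> str:
    """Build a client_secret_basic Authorization header value (RFC 6749 2.3.1)."""
    raw = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (client_id, secret) from a Basic header, or None if there is none.

    Any other scheme, including the 'Negotiate' value IE injects for SPNEGO,
    is simply not a client credential and yields None.
    """
    if not authorization:
        return None
    scheme, _, payload = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    client_id, sep, secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, secret


def authorize_client(headers: Mapping[str, str], form: Mapping[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Identify the client calling the token endpoint.

    Returns (client_id, None) on success or (None, error_description).
    Form parameters win over the Authorization header, matching the order
    proposed in the thread, so a browser whose header was replaced by
    'Negotiate' can still identify itself as a public client.
    """
    client_id = form.get("client_id")
    secret = form.get("client_secret")
    if client_id is None:
        basic = parse_basic_header(headers.get("Authorization"))
        if basic is None:
            return None, "invalid_client: no client identification"
        client_id, secret = basic

    client = CLIENTS.get(client_id)
    if client is None:
        return None, "invalid_client: unknown client"

    if client["public"]:
        # A public client has nothing to prove; a secret arriving from one means
        # the secret has been embedded in browser-side code and is already exposed.
        if secret:
            return None, "invalid_client: public client must not send a secret"
        return client_id, None

    # Confidential client: constant-time comparison of the presented secret.
    if not secret or not hmac.compare_digest(secret, client["secret"]):
        return None, "invalid_client: bad client secret"
    return client_id, None


if __name__ == "__main__":
    # The IE case from the thread: header replaced, client_id carried in the form.
    ie_headers = {"Authorization": "Negotiate TlRMTVNTUAABAAAA"}  # constructed token
    ie_form = {"grant_type": "authorization_code", "client_id": "browser-app", "code": "xyz"}
    print(authorize_client(ie_headers, ie_form))
```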

