[keycloak-dev] can't figure this out
Bill Burke
bburke at redhat.com
Thu Mar 26 12:07:42 EDT 2015
Honestly, your descriptions don't make sense at all...
1. admin console redirects to keycloak with a redirect uri of
/auth/admin/master/console.
2. Keycloak stores this redirect uri as-is, keycloak also stores "state"
param.
3. keycloak redirects to facebook
4. facebook redirects to keycloak callback url
5. keycloak builds a redirect URI back to admin console based on
original stored redirect uri and "state" param and "code".
6. keycloak redirects back to admin console
How could Facebook insert #_=_? Is there some browser/fragment magic
happening?
On 3/26/2015 11:44 AM, Stian Thorgersen wrote:
> No, we can sort it out in Keycloak as Facebook redirects to Keycloak, not the application.
>
> ----- Original Message -----
>> From: "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
>> Sent: Thursday, 26 March, 2015 4:41:50 PM
>> Subject: Re: [keycloak-dev] can't figure this out
>>
>> I think it would need some tweak in the JavaScript adapter.
>>
>> On Thu, Mar 26, 2015 at 12:25 PM Stian Thorgersen <stian at redhat.com> wrote:
>>
>>> Great, so we just need to tweak the Facebook provider to strip that off
>>> before redirecting to the app
>>>
>>> ----- Original Message -----
>>>> From: "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke" <
>>> bburke at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 26 March, 2015 4:21:49 PM
>>>> Subject: Re: [keycloak-dev] can't figure this out
>>>>
>>>> Oops, you need to remove after keycloak success. Here is an example:
>>>>
>>>> keycloakAuth.init({
>>>>     onLoad: 'login-required'
>>>> }).success(function(authenticated) {
>>>>     // fix facebook oauth
>>>>     if (window.location.hash === '#_=_') {
>>>>         window.location.hash = '';
>>>>     }
>>>> });
>>>>
>>>>
>>>> On Thu, Mar 26, 2015 at 12:19 PM Leonardo Loch Zanivan <
>>>> leonardo.zanivan at gmail.com> wrote:
>>>>
>>>>> Facebook adds "#_=_" at the end of redirect URL for "security
>>> reasons", so
>>>>> SPA apps won't work unless you remove it.
>>>>>
>>>>> In Angular apps you should remove before call keycloak:
>>>>>
>>>>> if (window.location.hash === '#_=_') {
>>>>>     window.location.hash = '';
>>>>> }
>>>>>
>>>>> On Thu, Mar 26, 2015 at 12:14 PM Stian Thorgersen <stian at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> AFAIK Facebook is OAuth2 + custom weird stuff that looks like but
>>> isn't
>>>>>> OpenID Connect
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
>>>>>>> To: "Bill Burke" <bburke at redhat.com>
>>>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>>>> Sent: Thursday, 26 March, 2015 4:11:11 PM
>>>>>>> Subject: Re: [keycloak-dev] can't figure this out
>>>>>>>
>>>>>>> I remember seeing the '#_=_' crap a while ago, I believe that was
>>> before
>>>>>>> Pedro started brokering.
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>>>> Sent: Thursday, 26 March, 2015 2:54:27 PM
>>>>>>>> Subject: [keycloak-dev] can't figure this out
>>>>>>>>
>>>>>>>> I'm going crazy... I'm testing facebook login with the admin
>>> console
>>>>>> as
>>>>>>>> the test app.
>>>>>>>>
>>>>>>>> 1. Facebook auth succeeds
>>>>>>>> 2. Redirect back to admin console
>>>>>>>> 3. For some reason admin console doesn't like the redirect URL and
>>>>>> does
>>>>>>>> a redirect back to keycloak login with a fragment of #_=_
>>>>>>>> 4. I'm already logged in, so redirect back
>>>>>>>> 5. Success, but the fragment is #_=_
>>>>>>>>
>>>>>>>> Login works for github though...I'm freakin stumped. The initial
>>>>>>>> redirect back to the admin console is the same exact redirect uri
>>> for
>>>>>>>> both github and facebook.
>>>>>>>>
>>>>>>>> Has anybody seen this before?
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bill Burke
>>>>>>>> JBoss, a division of Red Hat
>>>>>>>> http://bill.burkecentral.com
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-dev mailing list
>>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
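
Added example, not part of the original thread or of Keycloak's code: a simulation of steps 4-6 above under the user-agent rule in RFC 7231 section 7.1.2 (a redirect whose Location has no fragment inherits the current one), which is how "#_=_" can reach the admin console, plus a helper that strips only that exact marker. Host names, the /auth/callback path and the parameter values are constructed.

```javascript
// Constructed example: hosts, callback path and parameter values are made up.

// User-agent rule from RFC 7231 section 7.1.2: a 3xx Location without a
// fragment inherits the fragment of the URL that was just requested.
function followRedirect(currentUrl, location) {
  const current = new URL(currentUrl);
  const next = new URL(location, current); // Location may be relative
  if (!location.includes('#')) {
    next.hash = current.hash;
  }
  return next.href;
}

// Remove only Facebook's exact "#_=_" marker; any other fragment (for
// example an OAuth response delivered in the fragment) is left alone.
function stripFacebookFragment(url) {
  const u = new URL(url);
  if (u.hash === '#_=_') {
    u.hash = ''; // the URL API drops the '#' as well
  }
  return u.href;
}

// Steps 4-6 of the flow: Facebook -> Keycloak callback -> admin console.
function simulateBrokerLogin() {
  // Step 4: Facebook's redirect lands on the callback with "#_=_" appended.
  const atCallback = followRedirect(
    'https://facebook.example/dialog/oauth',
    'https://sso.example.test/auth/callback?code=fb-code&state=fb-state#_=_'
  );
  // Steps 5-6: Keycloak answers with a Location that has no fragment,
  // so the browser carries "#_=_" over to the admin console URL.
  const atConsole = followRedirect(
    atCallback,
    '/auth/admin/master/console?code=kc-code&state=app-state'
  );
  return { atCallback, atConsole, cleaned: stripFacebookFragment(atConsole) };
}

console.log(simulateBrokerLogin());
```

The server never sees the fragment in the callback request, so it cannot detect the marker there; it survives only because the follow-up Location carries no fragment of its own.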