[keycloak-dev] can't figure this out
Bill Burke
bburke at redhat.com
Thu Mar 26 13:04:40 EDT 2015
Ok, keycloak.js was not removing the fragment when parsing query params.
Some other information why this was happening *ONLY* for facebook:
http://stackoverflow.com/questions/7131909/facebook-callback-appends-to-return-url
and
http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx
Seems that an intermediary (Facebook in this instance) can add a
fragment that then gets propagated when you redirect back, even if the
original URL does not have a fragment!!!!....ugh...This is bollux!
On 3/26/2015 12:24 PM, Leonardo Loch Zanivan wrote:
> I had this problem with my angular app :)
> Keycloak returns a "redirect_fragment" param with "#_=_"
>
> On Thu, Mar 26, 2015 at 1:07 PM Bill Burke <bburke at redhat.com> wrote:
>
> Honestly, your descriptions don't make sense at all...
>
> 1. admin console redirects to keycloak with a redirect uri of
> /auth/admin/master/console.
> 2. Keycloak stores this redirect uri as-is, keycloak also stores "state"
> param.
> 3. keycloak redirects to facebook
> 4. facebook redirects to keycloak callback url
> 5. keycloak builds a redirect URI back to admin console based on
> original stored redirect uri and "state" param and "code".
> 6. keycloak redirects back to admin console
>
> How could Facebook insert #_=_? Is there some browser/fragment magic
> happening?
>
>
> On 3/26/2015 11:44 AM, Stian Thorgersen wrote:
> > No, we can sort it out in Keycloak as Facebook redirects to Keycloak, not the application.
> >
> > ----- Original Message -----
> >> From: "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: "Bill Burke" <bburke at redhat.com>, keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 26 March, 2015 4:41:50 PM
> >> Subject: Re: [keycloak-dev] can't figure this out
> >>
> >> I think it would need some tweak in the JavaScript adapter.
> >>
> >> On Thu, Mar 26, 2015 at 12:25 PM Stian Thorgersen <stian at redhat.com> wrote:
> >>
> >>> Great, so we just need to tweak the Facebook provider to strip that off
> >>> before redirecting to the app
> >>>
> >>> ----- Original Message -----
> >>>> From: "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com>
> >>>> To: "Stian Thorgersen" <stian at redhat.com>, "Bill Burke" <bburke at redhat.com>
> >>>> Cc: keycloak-dev at lists.jboss.org
> >>>> Sent: Thursday, 26 March, 2015 4:21:49 PM
> >>>> Subject: Re: [keycloak-dev] can't figure this out
> >>>>
> >>>> Oops, you need to remove it after keycloak success. Here is an example:
> >>>>
> >>>> keycloakAuth.init({
> >>>>   onLoad: 'login-required'
> >>>> }).success(function(__authenticated) {
> >>>>   // fix facebook oauth: drop the "#_=_" fragment Facebook appends
> >>>>   if (window.location.hash === '#_=_') {
> >>>>     window.location.hash = '';
> >>>>   }
> >>>> });
> >>>>
> >>>>
> >>>> On Thu, Mar 26, 2015 at 12:19 PM Leonardo Loch Zanivan <leonardo.zanivan at gmail.com> wrote:
> >>>>
> >>>>> Facebook adds "#_=_" at the end of redirect URL for "security reasons", so
> >>>>> SPA apps won't work unless you remove it.
> >>>>>
> >>>>> In Angular apps you should remove it before calling keycloak:
> >>>>>
> >>>>> if (window.location.hash === '#_=_') {
> >>>>>   window.location.hash = '';
> >>>>> }
> >>>>>
> >>>>> On Thu, Mar 26, 2015 at 12:14 PM Stian Thorgersen <stian at redhat.com> wrote:
> >>>>>
> >>>>>> AFAIK Facebook is OAuth2 + custom weird stuff that looks like but isn't
> >>>>>> OpenID Connect
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> >>>>>>> To: "Bill Burke" <bburke at redhat.com>
> >>>>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>>>> Sent: Thursday, 26 March, 2015 4:11:11 PM
> >>>>>>> Subject: Re: [keycloak-dev] can't figure this out
> >>>>>>>
> >>>>>>> I remember seeing the '#_=_' crap a while ago, I believe that was before
> >>>>>>> Pedro started brokering.
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>>> To: keycloak-dev at lists.jboss.org
> >>>>>>>> Sent: Thursday, 26 March, 2015 2:54:27 PM
> >>>>>>>> Subject: [keycloak-dev] can't figure this out
> >>>>>>>>
> >>>>>>>> I'm going crazy... I'm testing facebook login with the admin console as
> >>>>>>>> the test app.
> >>>>>>>>
> >>>>>>>> 1. Facebook auth succeeds
> >>>>>>>> 2. Redirect back to admin console
> >>>>>>>> 3. For some reason admin console doesn't like the redirect URL and does
> >>>>>>>> a redirect back to keycloak login with a fragment of #_=_
> >>>>>>>> 4. I'm already logged in, so redirect back
> >>>>>>>> 5. Success, but the fragment is #_=_
> >>>>>>>>
> >>>>>>>> Login works for github though...I'm freakin stumped. The initial
> >>>>>>>> redirect back to the admin console is the same exact redirect uri for
> >>>>>>>> both github and facebook.
> >>>>>>>>
> >>>>>>>> Has anybody seen this before?
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Bill Burke
> >>>>>>>> JBoss, a division of Red Hat
> >>>>>>>> http://bill.burkecentral.com
> >>>>>>>> _________________________________________________
> >>>>>>>> keycloak-dev mailing list
> >>>>>>>> keycloak-dev at lists.jboss.org
> >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com