[keycloak-dev] can't figure this out

Bill Burke bburke at redhat.com
Thu Mar 26 13:04:40 EDT 2015


Ok, keycloak.js was not removing the fragment when parsing query params.

Some other information why this was happening *ONLY* for facebook:

http://stackoverflow.com/questions/7131909/facebook-callback-appends-to-return-url

and

http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx

Seems that an intermediary (Facebook in this instance) can add a 
fragment that then gets propagated when you redirect back, even if the 
original URL does not have a fragment!!!!....ugh...This is bollux!



On 3/26/2015 12:24 PM, Leonardo Loch Zanivan wrote:
> I had this problem with my angular app :)
> Keycloak returns the "redirect_fragment" param with "#_=_"
>
> On Thu, Mar 26, 2015 at 1:07 PM Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>     Honestly, your descriptions don't make sense at all...
>
>     1. admin console redirects to keycloak with a redirect uri of
>     /auth/admin/master/console.
>     2. Keycloak stores this redirect uri as-is, keycloak also stores "state"
>     param.
>     3. keycloak redirects to facebook
>     4. facebook redirects to keycloak callback url
>     5. keycloak builds a redirect URI back to admin console based on
>     original stored redirect uri and "state" param and "code".
>     6. keycloak redirects back to admin console
>
>     How could Facebook insert #_=_?  Is there some browser/fragment magic
>     happening?
>
>
>     On 3/26/2015 11:44 AM, Stian Thorgersen wrote:
>      > No, we can sort it out in Keycloak as Facebook redirects to
>     Keycloak, not the application.
>      >
>      > ----- Original Message -----
>      >> From: "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com
>     <mailto:leonardo.zanivan at gmail.com>>
>      >> To: "Stian Thorgersen" <stian at redhat.com <mailto:stian at redhat.com>>
>      >> Cc: "Bill Burke" <bburke at redhat.com <mailto:bburke at redhat.com>>,
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>      >> Sent: Thursday, 26 March, 2015 4:41:50 PM
>      >> Subject: Re: [keycloak-dev] can't figure this out
>      >>
>      >> I think it would need some tweak in the JavaScript adapter.
>      >>
>      >> On Thu, Mar 26, 2015 at 12:25 PM Stian Thorgersen
>     <stian at redhat.com <mailto:stian at redhat.com>> wrote:
>      >>
>      >>> Great, so we just need to tweak the Facebook provider to strip
>     that off
>      >>> before redirecting to the app
>      >>>
>      >>> ----- Original Message -----
>      >>>> From: "Leonardo Loch Zanivan" <leonardo.zanivan at gmail.com
>     <mailto:leonardo.zanivan at gmail.com>>
>      >>>> To: "Stian Thorgersen" <stian at redhat.com
>     <mailto:stian at redhat.com>>, "Bill Burke" <
>      >>> bburke at redhat.com <mailto:bburke at redhat.com>>
>      >>>> Cc: keycloak-dev at lists.jboss.org
>     <mailto:keycloak-dev at lists.jboss.org>
>      >>>> Sent: Thursday, 26 March, 2015 4:21:49 PM
>      >>>> Subject: Re: [keycloak-dev] can't figure this out
>      >>>>
>      >>>> Oops, you need to remove it after keycloak success. Here is an
>     example:
>      >>>>
>      >>>> keycloakAuth.init({
>      >>>>      onLoad: 'login-required'
>      >>>> }).success(function(__authenticated) {
>      >>>>      //fix facebook oauth
>      >>>>      if (window.location.hash === '#_=_') {
>      >>>>          window.location.hash = '';
>      >>>>      }
>      >>>> });
>      >>>>
>      >>>>
>      >>>> On Thu, Mar 26, 2015 at 12:19 PM Leonardo Loch Zanivan <
>      >>>> leonardo.zanivan at gmail.com
>     <mailto:leonardo.zanivan at gmail.com>> wrote:
>      >>>>
>      >>>>> Facebook adds "#_=_" at the end of redirect URL for "security
>      >>> reasons", so
>      >>>>> SPA apps won't work unless you remove it.
>      >>>>>
>      >>>>> In Angular apps you should remove it before calling keycloak:
>      >>>>>
>      >>>>> if (window.location.hash === '#_=_') {
>      >>>>>      window.location.hash = '';
>      >>>>> }
>      >>>>>
>      >>>>> On Thu, Mar 26, 2015 at 12:14 PM Stian Thorgersen
>     <stian at redhat.com <mailto:stian at redhat.com>>
>      >>>>> wrote:
>      >>>>>
>      >>>>>> AFAIK Facebook is OAuth2 + custom weird stuff that looks
>     like but
>      >>> isn't
>      >>>>>> OpenID Connect
>      >>>>>>
>      >>>>>> ----- Original Message -----
>      >>>>>>> From: "Stian Thorgersen" <stian at redhat.com
>     <mailto:stian at redhat.com>>
>      >>>>>>> To: "Bill Burke" <bburke at redhat.com <mailto:bburke at redhat.com>>
>      >>>>>>> Cc: keycloak-dev at lists.jboss.org
>     <mailto:keycloak-dev at lists.jboss.org>
>      >>>>>>> Sent: Thursday, 26 March, 2015 4:11:11 PM
>      >>>>>>> Subject: Re: [keycloak-dev] can't figure this out
>      >>>>>>>
>      >>>>>>> I remember seeing the '#_=_' crap a while ago, I believe
>     that was
>      >>> before
>      >>>>>>> Pedro started brokering.
>      >>>>>>>
>      >>>>>>> ----- Original Message -----
>      >>>>>>>> From: "Bill Burke" <bburke at redhat.com
>     <mailto:bburke at redhat.com>>
>      >>>>>>>> To: keycloak-dev at lists.jboss.org
>     <mailto:keycloak-dev at lists.jboss.org>
>      >>>>>>>> Sent: Thursday, 26 March, 2015 2:54:27 PM
>      >>>>>>>> Subject: [keycloak-dev] can't figure this out
>      >>>>>>>>
>      >>>>>>>> I'm going crazy...  I'm testing facebook login with the admin
>      >>> console
>      >>>>>> as
>      >>>>>>>> the test app.
>      >>>>>>>>
>      >>>>>>>> 1. Facebook auth succeeds
>      >>>>>>>> 2. Redirect back to admin console
>      >>>>>>>> 3. For some reason admin console doesn't like the redirect
>     URL and
>      >>>>>> does
>      >>>>>>>> a redirect back to keycloak login with a fragment of #_=_
>      >>>>>>>> 4. I'm already logged in, so redirect back
>      >>>>>>>> 5. Success, but the fragment is #_=_
>      >>>>>>>>
>      >>>>>>>> Login works for github though...I'm freakin stumped.  The
>     initial
>      >>>>>>>> redirect back to the admin console is the same exact
>     redirect uri
>      >>> for
>      >>>>>>>> both github and facebook.
>      >>>>>>>>
>      >>>>>>>> Has anybody seen this before?
>      >>>>>>>>
>      >>>>>>>> --
>      >>>>>>>> Bill Burke
>      >>>>>>>> JBoss, a division of Red Hat
>      >>>>>>>> http://bill.burkecentral.com
>      >>>>>>>> _________________________________________________
>      >>>>>>>> keycloak-dev mailing list
>      >>>>>>>> keycloak-dev at lists.jboss.org
>     <mailto:keycloak-dev at lists.jboss.org>
>      >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>      >>>>>>>>
>      >>>>>>>
>      >>>>>>
>      >>>>>
>      >>>>
>      >>>
>      >>
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
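The following is an added illustration of the bug discussed at the top of this thread, not code from keycloak.js or from any of the posters. It shows a callback-parameter parser that naively keeps everything after "?" (so an intermediary-appended "#_=_" is glued onto the last parameter value), beside one that discards the fragment first, plus the state check an adapter should perform on any callback. The callback URL, the function names and the state/code values are constructed for the example.

```javascript
// Added example, not keycloak.js code. Illustrates why an intermediary-appended
// fragment such as "#_=_" corrupts naively parsed OAuth callback parameters,
// and how stripping the fragment before parsing fixes it.

// Constructed sample callback URL: the identity-provider round trip appended
// "#_=_" even though the original redirect URI carried no fragment.
const SAMPLE_CALLBACK_URL =
  'https://app.example/auth/admin/master/console?state=abc123&code=xyz789#_=_';

// Split a query string into a key/value object (shared by both parsers).
function splitQuery(query) {
  const params = {};
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeURIComponent(pair.slice(eq + 1));
    params[key] = value;
  }
  return params;
}

// Buggy parser: keeps everything after '?', so the fragment is glued onto the
// value of the last parameter ("code" becomes "xyz789#_=_").
function parseCallbackParamsNaive(url) {
  const q = url.indexOf('?');
  return q === -1 ? {} : splitQuery(url.slice(q + 1));
}

// Fixed parser: drop the fragment first. The fragment is never part of the
// query, and with hash-based SPA routing ("/#/route?x=y") a '?' inside the
// fragment is not a query at all, so the fragment is cut before looking for '?'.
function parseCallbackParams(url) {
  const hash = url.indexOf('#');
  const noFragment = hash === -1 ? url : url.slice(0, hash);
  const q = noFragment.indexOf('?');
  return q === -1 ? {} : splitQuery(noFragment.slice(q + 1));
}

// Check the adapter should do regardless of the fragment issue: only accept
// the callback when "state" matches the value stored before the redirect and
// a "code" is present. Returns the code, or null when the callback is rejected.
function acceptCallback(url, expectedState) {
  const params = parseCallbackParams(url);
  if (!params.state || params.state !== expectedState) return null;
  if (!params.code) return null;
  return params.code;
}

// Client-side cleanup equivalent to the workaround posted in the thread: clear
// a leftover "#_=_" from the address bar after the adapter has consumed the
// callback. Written as a pure function over the hash string so it runs headless.
function cleanedHash(hash) {
  return hash === '#_=_' ? '' : hash;
}

console.log(parseCallbackParamsNaive(SAMPLE_CALLBACK_URL).code); // xyz789#_=_
console.log(parseCallbackParams(SAMPLE_CALLBACK_URL).code);      // xyz789
console.log(acceptCallback(SAMPLE_CALLBACK_URL, 'abc123'));      // xyz789
```

Run with `node` as-is. The state comparison is the part that matters for security: a stray fragment only breaks the login, but a missing state check lets an attacker-controlled callback URL be accepted, so the adapter should reject any callback whose state does not match what it stored before redirecting.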

