[keycloak-user] Redirect to keycloak only for certain content-types

Tair Sabirgaliev tair.sabirgaliev at bee.kz
Fri Oct 2 12:24:38 EDT 2015


 
Hi,

Yes, it can be done with nginx, but I still hope this could be accomplished natively :)

The general idea is this: 

a) if browser asks for "text/html" => act as confidential/public client, that is 
start keycloak login protocol

b) if browser asks for "application/json" => act as bearer only client, and in
case of authorization error, respond with proper 40x status

This would let me build an ‘isomorphic’ JavaScript application (http://isomorphic.net)

With keycloak-1.5.0 I see that there is no difference whether I accept text/html or application/json:

tair$ curl -v -H 'Accept: text/html' http://localhost:9080/hello-world/rest/something
*   Trying ::1...
* connect to ::1 port 9080 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9080 (#0)
> GET /hello-world/rest/something HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.43.0
> Accept: text/html
>
< HTTP/1.1 302 Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
< Server: WildFly/9
< Pragma: no-cache
< Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
< Date: Fri, 02 Oct 2015 15:53:32 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact

tair$ curl -v -H 'Accept: application/json' http://localhost:9080/hello-world/rest/something
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9080 (#0)
> GET /hello-world/rest/something HTTP/1.1
> Host: localhost:9080
> User-Agent: curl/7.43.0
> Accept: application/json
>
< HTTP/1.1 302 Found
< Expires: 0
< Cache-Control: no-cache, no-store, must-revalidate
< X-Powered-By: Undertow/1
< Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
< Server: WildFly/9
< Pragma: no-cache
< Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
< Date: Fri, 02 Oct 2015 15:53:41 GMT
< Connection: keep-alive
< Content-Length: 0
<
* Connection #0 to host localhost left intact

Any workarounds there?

--  
Tair Sabirgaliev  
Bee Software, LLP



On October 2, 2015 at 20:54:01, Giriraj Sharma (giriraj.sharma27 at gmail.com) wrote:

> Hi,  
>  
> One possible way is to put nginx as a reverse proxy in between the browser and the Keycloak server instance. You can dig around using the $content_type embedded variable of the nginx ngx_http_core_module, or maybe the nginx_rewrite module, and a simple tweak (maybe an if statement in the nginx server/location block config) will help you achieve what is required. Based on the value of the content-type header, you can proxy-pass the requests to a different upstream server via nginx.  
>  
> Cheers,  
>  
>  
> On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:
> >  
> > Hi,
> >  
> > Is it possible to set up login redirection only for certain content types?  
> > I want to redirect only when the browser asks for text/html. For other types
> > either 40x or Authorization challenge.
> >  
> > --
> > Tair Sabirgaliev
> > Bee Software, LLP
> >  
>  
>  
> --
>  
> Giriraj Sharma
> about.me/girirajsharma
>  
> Giriraj Sharma,  
> Department of Computer Science  
> National Institute of Technology Hamirpur  
> Himachal Pradesh, India 177005
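
A sketch of the reverse-proxy workaround discussed in this thread, added here as an example and not taken from either poster or from the Keycloak project. It selects the backend from the Accept request header, which is what the two curl requests above vary, and assumes the same application is deployed twice, once as a confidential client and once as bearer-only; the upstream names and port 9081 are hypothetical.

```nginx
# Fragment for the http {} context of nginx.conf (added example).
# Assumption: the application runs twice, with the Keycloak adapter configured
#   - as a confidential client on 9080 (the port used in the curl runs), and
#   - as a bearer-only client on 9081 (hypothetical second deployment).

# Choose the backend from the Accept header. Only requests that explicitly
# mention text/html go to the deployment that starts the login redirect;
# everything else (application/json, */*, no Accept header at all) goes to the
# bearer-only deployment and gets a status code instead of a 302.
# Note: this is a substring match and does not evaluate q-values.
map $http_accept $app_backend {
    default        app_bearer_only;
    ~*text/html    app_login;
}

upstream app_login       { server 127.0.0.1:9080; }
upstream app_bearer_only { server 127.0.0.1:9081; }

server {
    listen 80;

    location /hello-world/ {
        # A variable that names an upstream group needs no resolver; the
        # original request URI is passed through unchanged.
        proxy_pass http://$app_backend;

        # Preserve the Host the client used so the redirect_uri the adapter
        # builds points back at the proxy rather than at the backend port.
        proxy_set_header Host $host;

        # The response now depends on Accept, so caches must key on it.
        add_header Vary Accept always;
    }
}
```

Defaulting to the bearer-only side means a client that sends an unexpected or missing Accept header gets an authorization error rather than being sent into the browser login flow.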
