[keycloak-user] Redirect to keycloak only for certain content-types

Stian Thorgersen sthorger at redhat.com
Wed Oct 7 23:53:46 EDT 2015


It's been there for a long time; take a look at the multi-tenancy example.

On 7 October 2015 at 15:30, Tair Sabirgaliev <tair.sabirgaliev at bee.kz>
wrote:

> Is KeycloakConfigResolver coming in 1.6?
>
> --
> Tair Sabirgaliev
> Bee Software, LLP
>
> On October 6, 2015 at 11:32:44, Stian Thorgersen (sthorger at redhat.com)
> wrote:
>
> I'm afraid it's not possible at the moment. The only option now is to have
> two different clients and either split your application into two, or you
> can use the KeycloakConfigResolver to select the client based on the
> content type yourself. See the multi tenancy example for an idea on how to
> use it.
>
> On 2 October 2015 at 18:24, Tair Sabirgaliev <tair.sabirgaliev at bee.kz>
> wrote:
>
>>
>> Hi,
>>
>> Yes, it can be done with nginx, but I still hope this could be
>> accomplished natively :)
>>
>> The general idea is this:
>>
>> a) if browser asks for "text/html" => act as confidential/public client,
>> that is start keycloak login protocol
>>
>> b) if browser asks for "application/json" => act as bearer only client,
>> and in case of authorization error, respond with proper 40x status
>>
>> This would let me build an ‘isomorphic’ JavaScript application (
>> http://isomorphic.net)
>>
>> With keycloak-1.5.0 I see that there is no difference whether I accept
>> text/html or application/json:
>>
>> tair$ curl -v -H 'Accept: text/html' http://localhost:9080/hello-world/rest/something
>> *   Trying ::1...
>> * connect to ::1 port 9080 failed: Connection refused
>> *   Trying 127.0.0.1...
>> * Connected to localhost (127.0.0.1) port 9080 (#0)
>> > GET /hello-world/rest/something HTTP/1.1
>> > Host: localhost:9080
>> > User-Agent: curl/7.43.0
>> > Accept: text/html
>> >
>> < HTTP/1.1 302 Found
>> < Expires: 0
>> < Cache-Control: no-cache, no-store, must-revalidate
>> < X-Powered-By: Undertow/1
>> < Set-Cookie: OAuth_Token_Request_State=72/c51bad76-7236-486e-aae6-9ec58c725666
>> < Server: WildFly/9
>> < Pragma: no-cache
>> < Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=72%2Fc51bad76-7236-486e-aae6-9ec58c725666&login=true
>> < Date: Fri, 02 Oct 2015 15:53:32 GMT
>> < Connection: keep-alive
>> < Content-Length: 0
>> <
>> * Connection #0 to host localhost left intact
>>
>> tair$ curl -v -H 'Accept: application/json' http://localhost:9080/hello-world/rest/something
>> *   Trying 127.0.0.1...
>> * Connected to localhost (127.0.0.1) port 9080 (#0)
>> > GET /hello-world/rest/something HTTP/1.1
>> > Host: localhost:9080
>> > User-Agent: curl/7.43.0
>> > Accept: application/json
>> >
>> < HTTP/1.1 302 Found
>> < Expires: 0
>> < Cache-Control: no-cache, no-store, must-revalidate
>> < X-Powered-By: Undertow/1
>> < Set-Cookie: OAuth_Token_Request_State=73/a8f13860-a35c-455a-9963-434c17e00a65
>> < Server: WildFly/9
>> < Pragma: no-cache
>> < Location: http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=hello-world-backend&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fhello-world%2Frest%2Fsomething&state=73%2Fa8f13860-a35c-455a-9963-434c17e00a65&login=true
>> < Date: Fri, 02 Oct 2015 15:53:41 GMT
>> < Connection: keep-alive
>> < Content-Length: 0
>> <
>> * Connection #0 to host localhost left intact
>>
>> Any workarounds there?
>>
>> --
>> Tair Sabirgaliev
>> Bee Software, LLP
>>
>>
>>
>> On October 2, 2015 at 20:54:01, Giriraj Sharma (giriraj.sharma27 at gmail.com) wrote:
>>
>> > Hi,
>> >
>> > One possible way is to put nginx as a reverse proxy in between browser
>> > and Keycloak server instance. You can dig around using $content_type
>> > embedded variable of nginx ngx_http_core_module or maybe nginx_rewrite
>> > module and a simple tweak (maybe an if statement in nginx server/location
>> > block config) will help you in achieving the required. Based on the value
>> > of content-type header, you can proxy-pass the requests to a different
>> > upstream server via nginx.
>> >
>> > Cheers,
>> >
>> >
>> > On Fri, Oct 2, 2015 at 2:19 PM, Tair Sabirgaliev wrote:
>> > >
>> > > Hi,
>> > >
>> > > Is it possible to set up login redirection only for certain content types?
>> > > I want to redirect only when the browser asks for text/html. For other types
>> > > either 40x or Authorization challenge.
>> > >
>> > > --
>> > > Tair Sabirgaliev
>> > > Bee Software, LLP
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> > --
>> >
>> > Giriraj Sharma
>> > about.me/girirajsharma
>> >
>> > Giriraj Sharma,
>> > Department of Computer Science
>> > National Institute of Technology Hamirpur
>> > Himachal Pradesh, India 177005
>>
>>
>
>
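
An added example, not part of the original thread or of Keycloak's own code: a sketch of the KeycloakConfigResolver approach suggested above, choosing between two adapter configurations by the request's Accept header. The class name, the `wantsHtml` helper and the two resource names are hypothetical; the bearer-only configuration is the default, so a missing or non-HTML Accept header gets a 401 instead of a login redirect.

```java
import java.io.InputStream;
import java.util.Locale;

// Assumption: 1.x adapter package layout; later releases moved HttpFacade
// to org.keycloak.adapters.spi.HttpFacade.
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

public class AcceptHeaderConfigResolver implements KeycloakConfigResolver {

    // Hypothetical classpath resources, one adapter config per Keycloak client.
    private static final String BROWSER_CONFIG = "/browser-keycloak.json"; // confidential/public client
    private static final String API_CONFIG = "/api-keycloak.json";         // client with "bearer-only": true

    // Built once and reused: resolve() is called on every request.
    private final KeycloakDeployment browserDeployment = load(BROWSER_CONFIG);
    private final KeycloakDeployment apiDeployment = load(API_CONFIG);

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // The Accept header is client-supplied. It only selects how an
        // unauthenticated request is answered (login redirect or 401);
        // both deployments still require a valid login or token.
        return wantsHtml(request.getHeader("Accept")) ? browserDeployment : apiDeployment;
    }

    // True only when the client explicitly lists an HTML media type.
    // "*/*" (curl's default) and a missing header fall through to bearer-only.
    static boolean wantsHtml(String accept) {
        if (accept == null) {
            return false;
        }
        for (String range : accept.split(",")) {
            // Drop parameters such as ";q=0.9" before comparing.
            String type = range.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
            if (type.equals("text/html") || type.equals("application/xhtml+xml")) {
                return true;
            }
        }
        return false;
    }

    private static KeycloakDeployment load(String resource) {
        InputStream is = AcceptHeaderConfigResolver.class.getResourceAsStream(resource);
        if (is == null) {
            throw new IllegalStateException("Missing adapter config " + resource);
        }
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

As in the multi tenancy example, the resolver class is registered through the `keycloak.config.resolver` context parameter in `web.xml`.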