[keycloak-user] Authentication from embedded webpage

Subhrajyoti Moitra subhrajyotim at gmail.com
Thu Apr 7 06:08:10 EDT 2016


It worked .. It Worked...!!!! awesome..

Thanks a lot Marek and Stian for your patience and time.
Really appreciate your help in fixing this issue.

Thanks and regards,
Subhro.

On Thu, Apr 7, 2016 at 3:23 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Ah, it's maybe the login iframe which is causing issues for you. Given the
> nature of your app and the fact that you're not using SSO anyway in
> embedded IE, I suggest disabling the login iframe by adding this option to
> your "kcInitObj" too:
>
> checkLoginIframe: false
>
>
> Besides that, it seems that we have a minor bug in keycloak.js that
> callbacks are not called when you provide "tokens", but not "onLoad" and
> IFrame is not working. Created JIRA:
> https://issues.jboss.org/browse/KEYCLOAK-2765
>
> Marek
>
> On 07/04/16 11:22, Subhrajyoti Moitra wrote:
>
> Hello Marek,
>
> I actually hadn't shown the starting script tag in the code snippet above.
> :)
>
> I checked using a debugger that the kcInitObj values are going into the
> init method correctly.
> Do I have to call some other function after the init call?
> Somehow, when I skip the onLoad option, the success/error methods are never
> called.
> I notice that a call to this URL is being made and nothing after that:
>
>
> http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080
>
> Does the version of KC matter? I am using 1.5.1.Final.
>
> I am attaching the index.jsp for reference, since this is the file I am
> experimenting with.
> This is just an example to check if things are working or not.
>
> Thanks a lot for taking time to look into this. Really appreciate it.
>
> Thanks,
> Subhro.
>
>
>
>
>
>
> On Thu, Apr 7, 2016 at 1:36 PM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> I think that you don't need to use "onLoad" option at all because you
>> passed tokens. So you can just use something like:
>>
>> var kcInitObj={
>>     token:'<%=token%>',
>>     refreshToken:'<%=refreshToken%>',
>>     idToken:'<%=idToken%>'};
>>
>>
>> Besides that, I can see that you added the tag "<script>" after the kcInitObj
>> is initialized. Unless I am missing something (previous snippet of your
>> page etc), you will need to first add the tag "<script>" and then initialize
>> kcInitObj inside that, as it's a javascript object.
>>
>> If you have some javascript debugger (for example Firebug on FF) you can
>> add breakpoint before keycloak.init call and check that "kcInitOptions"
>> look as expected and really contain the 3 tokens you passed above.
>>
>> Marek
>>
>>
>> On 07/04/16 08:19, Subhrajyoti Moitra wrote:
>>
>> Hello Stian and Marek,
>>
>> Thanks for the clarification.
>> I am not sure what you mean by "invoke that yourself and initialize
>> keycloak.js with the tokens afterwards". You mean in the new KeyCloak(...)
>> constructor I pass the tokens and other values?
>>
>> " authenticate with both LDAP and Keycloak in the first place...."
>>
>> - The desktop windows application is an old legacy application (custom
>> dialer) used to connect to an Aspect Telephony server. This Aspect server
>> requires the AD login so that agents using this dialer are connected to
>> Aspect. So I don't know how I can avoid this.
>> - There is no way to pass the username/pass from the embedded KC page to
>> the "parent" windows application. Not sure if some workaround is possible
>> in the local application or not.
>>
>> Please help.
>>
>> Thanks,
>> Subhro.
>>
>>
>>
>>
>>
>> On Thu, Apr 7, 2016 at 11:18 AM, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>>> keycloak.js doesn't support direct grant and we won't add it. You'd have
>>> to invoke that yourself and initialize keycloak.js with the tokens
>>> afterwards.
>>>
>>> Why do you need to authenticate with both LDAP and Keycloak in the first
>>> place? In either case I'd say a better way would be to use what Marek
>>> suggests as option 2. User can enter username/password in embedded Keycloak
>>> login page instead of popup box. Using the embedded login page has a number
>>> of benefits over direct grant. For example required actions, recover
>>> password support, etc, etc..
>>>
>>> On 7 April 2016 at 07:07, Subhrajyoti Moitra <subhrajyotim at gmail.com> wrote:
>>>
>>>> Hello Marek,
>>>>
>>>> What is the value of onLoad during keycloak init() function?
>>>> I tried both check-sso and login-required, but it still is showing the
>>>> kc login page.
>>>>
>>>> Here's what I did.
>>>> Using Java code I get direct access grant tokens. I get a response from
>>>> this code like the one below.
>>>>
>>>> {
>>>>   "access_token": "eyJhbGciOiJSUzI1NiJ9blahblah",
>>>>   "expires_in": 1800,
>>>>   "refresh_expires_in": 1800,
>>>>   "refresh_token": "eyJhbGciOiblahblah",
>>>>   "token_type": "bearer",
>>>>   "id_token": "eyJhbGciblahblah",
>>>>   "not-before-policy": 1437991554,
>>>>   "session-state": "7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"
>>>> }
>>>>
>>>> Then I am hitting the jsp page:
>>>> http://localhost:8080/myapp/index.jsp?tokenJson=<theabovejsonstring-cut-and-pasted>
>>>>
>>>> In index.jsp I extract the tokenJson param and parse the json to
>>>> further extract the accessToken, idToken and refreshToken.
>>>>
>>>> A code snippet in index.jsp, like the below generates the keycloak init
>>>> obj.
>>>>
>>>> <%
>>>> String iaJsonStr = request.getParameter("tokenJson"); // get the token json from url
>>>> String token = "", idToken = "", refreshToken = "";  // init the values
>>>> if (!StringUtils.isEmpty(iaJsonStr)) {
>>>>     JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
>>>>     token = iaJsonObj.getString("access_token");         // extract access
>>>>     refreshToken = iaJsonObj.getString("refresh_token"); // extract refresh
>>>>     idToken = iaJsonObj.getString("id_token");           // extract id
>>>> }
>>>> if (!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)) {
>>>> %>
>>>> var kcInitObj={
>>>>     onLoad:'check-sso',
>>>>     token:'<%=token%>',
>>>>     refreshToken:'<%=refreshToken%>',
>>>>     idToken:'<%=idToken%>'};
>>>> <% } else { %>
>>>> var kcInitObj={
>>>>     onLoad:'check-sso'};
>>>> <% } %>
>>>>
>>>> .......
>>>> .....
>>>>
>>>> <script>
>>>>     var keycloak = Keycloak('/myapp/keycloak-dev.json');
>>>>     keycloak.init(kcInitObj).success(function(authenticated) {
>>>>         if(!authenticated){
>>>>             keycloak.login();
>>>>         }else{
>>>>             //call loadProfile and get the user details.
>>>>         }
>>>>     }).error(....);
>>>> </script>
>>>>
>>>>
>>>> This is still redirecting me to the login page. Do I have to do
>>>> something in the client setup?
>>>>
>>>> So close, yet so far... Please help..
>>>>
>>>> Thanks a lot for your attention.
>>>> Subhro.
>>>>
>>>>
>>>> On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra <subhrajyotim at gmail.com> wrote:
>>>>
>>>>> Thanks a million Marek for setting us in the right direction.
>>>>>
>>>>> "...application is able to access the javascript state from embedded
>>>>> IE"- this is not possible currently, hence the 1st solution won't work.
>>>>>
>>>>> We will follow the 2nd way to do this.
>>>>>
>>>>> So using "direct access grant
>>>>> <http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-access-grants.html>"
>>>>> I get the required JSON token data as mentioned.
>>>>> Then I pass this data to the jsp page (embedded in IE), using URL
>>>>> params.
>>>>> The JSP page pulls out the required data from the URL params, and then
>>>>> inits keycloak.js.
>>>>> In the keycloak init function I pass the token, idToken and refreshToken
>>>>> values.
>>>>>
>>>>> Hopefully this works, trying it now!
>>>>>
>>>>> Thanks a lot again for the pointers.
>>>>>
>>>>> Subhro.
>>>>>
>>>>> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda <mposolda at redhat.com> wrote:
>>>>>
>>>>>> Do you have "control" over the application? Is it possible to
>>>>>> propagate security contexts from the application to embedded IE or vice versa?
>>>>>>
>>>>>> In theory what can work is either:
>>>>>> - You will skip step1 and don't pop up the username/password box. Instead
>>>>>> you will just authenticate in step2 inside IE and then propagate the
>>>>>> context ( token ) to step1. This is possible only if the application is able to
>>>>>> access the javascript state from embedded IE.
>>>>>>
>>>>>> - If you can propagate just from desktop to IE, then in step1 you
>>>>>> will configure your application to send the request for username/password
>>>>>> authentication to Keycloak via direct access grant (instead of sending
>>>>>> username+password directly to AD/LDAP). Once you receive the token from direct
>>>>>> access grant, you can use it inside IE in step2 ( keycloak.js has the
>>>>>> possibility to be initialized with a token. You just need to pass the token
>>>>>> and refreshToken as arguments to keycloak.init . Then keycloak.js won't
>>>>>> redirect you to the login screen )
>>>>>>
>>>>>> Marek
>>>>>>
>>>>>>
>>>>>> On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>>>>>
>>>>>> Hello Team,
>>>>>>
>>>>>> I have a standalone windows desktop application that authenticates
>>>>>> against an AD/LDAP server. The application pops up a username/password box,
>>>>>> and submits it to the LDAP for authentication.
>>>>>> The same AD/LDAP server is also synced with a Keycloak installation.
>>>>>>
>>>>>> The windows application embeds the IE browser control and shows a jsp
>>>>>> page.
>>>>>> This jsp page is protected using keycloak js adapter. Obviously the
>>>>>> user is re-directed to the keycloak login page. So the user has to login
>>>>>> twice, once using the application popup and other in the embedded jsp,
>>>>>> after getting redirected to the keycloak login page.
>>>>>>
>>>>>> I don't want to re-prompt the user for relogin, since he has already
>>>>>> authenticated against the AD server.
>>>>>> Is there a way to not re-prompt the user, when the embedded IE
>>>>>> requests the secure JSP?
>>>>>>
>>>>>> Please help, as we are not able to come up with a solution for the
>>>>>> same.
>>>>>> Any pointers on how we can avoid the 2nd authentication.
>>>>>>
>>>>>> Thanks,
>>>>>> Subhro.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
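The init object that Marek's final advice in the thread leads to (the three direct-grant tokens, no onLoad, and checkLoginIframe set to false), as an added example that is not part of the original thread or of keycloak.js; the function names, the local exp check and the constructed sample tokens are this example's own assumptions.

```javascript
// Added example, not from the thread: build the kcInitObj that keycloak.js
// init() expects from the direct-access-grant JSON (three tokens, no onLoad,
// checkLoginIframe:false) and refuse an access token whose exp has passed.

function b64urlToString(s) {
  var b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8')   // Node
    : atob(b64);                                    // browser
}

// Read the payload of a JWT. The signature is NOT verified here (Keycloak
// does that server-side); we only need the exp claim for a local check.
function jwtPayload(jwt) {
  var parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlToString(parts[1]));
}

// tokenJson: body returned by the direct access grant call (access_token,
// refresh_token, id_token, ...). nowSeconds: current epoch time in seconds.
function buildKcInitObj(tokenJson, nowSeconds) {
  var t = JSON.parse(tokenJson);
  var fallback = { onLoad: 'check-sso', checkLoginIframe: false };
  if (!t.access_token || !t.refresh_token || !t.id_token) return fallback;
  var exp = jwtPayload(t.access_token).exp;
  if (typeof exp !== 'number' || exp <= nowSeconds) return fallback; // expired
  return {
    token: t.access_token,
    refreshToken: t.refresh_token,
    idToken: t.id_token,
    // no SSO in the embedded browser, and this sidesteps the callback bug
    // Marek filed as KEYCLOAK-2765 (tokens given, no onLoad, iframe failing)
    checkLoginIframe: false
  };
}

// Constructed sample input: JWT-shaped tokens with a fake signature carrying
// the given exp, laid out like the direct grant response in the thread.
function sampleTokenJson(exp) {
  var enc = function (o) {
    var j = JSON.stringify(o);
    var b = typeof Buffer !== 'undefined' ? Buffer.from(j).toString('base64') : btoa(j);
    return b.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  var jwt = enc({ alg: 'RS256' }) + '.' + enc({ exp: exp, sub: 'constructed' }) + '.sig';
  return JSON.stringify({ access_token: jwt, expires_in: 1800, refresh_token: jwt, id_token: jwt });
}
```

In the page this object is what `keycloak.init(kcInitObj)` receives. As in the thread, the token JSON travels as a URL query parameter; query strings land in server access logs and browser history, so a POST body or a one-time server-side handoff is the less leaky transport.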