[keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client

Marek Posolda mposolda at redhat.com
Tue Jun 28 02:00:56 EDT 2016


Not sure why prompt=none doesn't work as expected...

Are you manually opening this URL? Maybe it will help if you URL-encode 
the value of the redirect_uri parameter (in your example it's not encoded).

Marek

On 27/06/16 15:38, LEONARDO NUNES wrote:
> Marek, I tried to manually call the Keycloak login URL with prompt=none, 
> but it didn't redirect back to my redirect_uri; instead it stayed at 
> the login page.
> Below is an example of the login URL I'm calling.
>
> http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&prompt=none
>
> I need a URL to call to know if the user is logged in or not without 
> being redirected to the login page.
> I need this because KeycloakSecurityContext is not available at 
> unrestricted URLs.
>
>
> -- 
> Leonardo Nunes
>
>
> From: Marek Posolda <mposolda at redhat.com <mailto:mposolda at redhat.com>>
> Date: Monday, 27 June 2016 09:07
> To: Tomás García <tomas at intrahouse.com <mailto:tomas at intrahouse.com>>, 
> "keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>" 
> <keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>>
> Subject: Re: [keycloak-user] Question about the javascript-adapter and 
> the check-sso option with a confidential client
>
> I think your possibilities are either:
> - Use a different client for keycloak.js (a public client) and a different 
> client for your confidential servlet application
> - Don't use keycloak.js at all, but instead implement an HTTP Filter to 
> deal with "autologin". You will manually try to redirect to Keycloak 
> with "prompt=none". If the user is not logged in, Keycloak will redirect 
> back to the callback redirect_uri, where you check whether there is a 
> "code" or "error" parameter, and based on that you know if the user is 
> logged in or not. If the user is logged in, you can redirect to the secured URL to 
> properly trigger the authentication process (maybe you can optimize this 
> step by reusing the "code" you already have and directly opening the 
> secured URI with it, but I am not 100% sure if it works, 
> considering that you also need the correct "state" etc.). Otherwise, you 
> can set some state or something to recognize that autologin has 
> already been tried unsuccessfully.
>
> Maybe you can create a JIRA to request support for "autologin" for other 
> types of clients than public keycloak.js clients.
>
> Marek
>
> On 25/06/16 11:44, Tomás García wrote:
>>
>> Hi,
>>
>> I wonder if it's possible to just check the SSO state with a 
>> confidential client. My use case is the following one:
>>
>> - I have a website which uses a confidential client to log in with 
>> Keycloak.
>>
>> - I want to add autologin to this website.
>>
>> - So I use the javascript adapter with the following option object 
>> for the init method: { onLoad: 'check-sso' }. The javascript adapter 
>> is built without the secret key in its constructor (obviously if I 
>> put the secret key in there, there's no point in using a confidential 
>> client at all).
>>
>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, 
>> error=invalid_client_credentials" error.
>>
>> So I don't know how feasible or secure it is to just check that the 
>> Keycloak session inside the cookie of the user's browser is still 
>> valid. In my case, the browser doesn't need to get the user info, 
>> access token, etc., because what I'll do is redirect the user to the 
>> Keycloak login page with the confidential client afterwards if the 
>> operation is successful. Since the Keycloak session is valid, 
>> Keycloak should redirect back with the authentication code without 
>> asking the user for credentials.
>>
>> Additional note: the CORS header isn't added to 400 responses in 
>> Keycloak, so it was a bit confusing looking at the JS console in the 
>> browser, because it complained about CORS but it was just Keycloak 
>> giving the 400 response without the allow-origin header.
>>
>> Thanks.
>>
>> -- 
>>
>> Tomás García Pérez
>>
>> Software Developer
>>
>> IntraHouse
>>
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> ------------------------------------------------------------------------
> This message may contain confidential and/or privileged information. 
> If you are not the addressee or authorized to receive this for the 
> addressee, you must not use, copy, disclose or take any action based 
> on this message or any information herein. If you have received this 
> message in error, please advise the sender immediately by reply e-mail 
> and delete this message. Thank you for your cooperation.
