[keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client
Marek Posolda
mposolda at redhat.com
Tue Jun 28 02:00:56 EDT 2016
Not sure why prompt=none doesn't work as expected...
Are you manually opening this URL? Maybe it will help if you URL-encode
the value of the redirect_uri parameter (in your example it's not encoded).
Marek
On 27/06/16 15:38, LEONARDO NUNES wrote:
> Marek, I tried to manually call the Keycloak login URL with prompt=none,
> but it didn't redirect back to my redirect_uri; instead it stayed at
> the login page.
> Below is an example of the login URL I'm calling.
>
> http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&prompt=none
>
> I need a URL to call to find out whether the user is logged in or not
> without being redirected to the login page.
> I need this because KeycloakSecurityContext is not available at
> unrestricted URLs.
>
>
> --
> Leonardo Nunes
>
>
> From: Marek Posolda <mposolda at redhat.com>
> Date: Monday, 27 June 2016 09:07
> To: Tomás García <tomas at intrahouse.com>,
> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Question about the javascript-adapter and
> the check-sso option with a confidential client
>
> I think your possibilities are either:
> - Use a different client for keycloak.js (a public client) and a
> different client for your confidential servlet application
> - Don't use keycloak.js at all, but instead write some HTTP filter to
> deal with "autologin". You manually redirect to Keycloak with
> "prompt=none". If the user is not logged in, Keycloak will redirect
> back to the callback redirect_uri, where you check whether there is a
> "code" or "error" parameter, and based on that you know whether the user
> is logged in or not. If the user is logged in, you can redirect to a
> secured URL to properly trigger the authentication process (maybe you
> can optimize this step by reusing the "code" you already have and
> directly opening the secured URI with it, but I am not 100% sure it
> works, considering that you also need the correct "state", etc.).
> Otherwise, you can set some state or something to recognize that
> autologin has already been tried unsuccessfully.
>
> Maybe you can create a JIRA to request "autologin" support for other
> types of clients than public keycloak.js clients.
>
> Marek
>
> On 25/06/16 11:44, Tomás García wrote:
>>
>> Hi,
>>
>> I wonder if it's possible to just check the SSO state with a
>> confidential client. My use case is the following one:
>>
>> - I have a website which uses a confidential client to login with
>> Keycloak.
>>
>> - I want to add autologin to this website.
>>
>> - So I use the javascript adapter with the following option object
>> for the init method: { onLoad: 'check-sso' }. The javascript adapter
>> is built without the secret key in its constructor (obviously, if I
>> put the secret key in there, there's no point in using a confidential
>> client at all).
>>
>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR,
>> error=invalid_client_credentials" error.
>>
>> So I don't know how feasible or secure it is to just check that the
>> Keycloak session inside the cookie of the user's browser is still
>> valid. In my case, the browser doesn't need to get the user info,
>> access token, etc., because what I'll do is redirect the user to the
>> Keycloak login page with the confidential client afterwards if the
>> operation is successful. Since the Keycloak session is valid,
>> Keycloak should redirect back with the authentication code without
>> asking the user for credentials.
>>
>> Additional note: the CORS header isn't added to 400 responses in
>> Keycloak, so it was a bit confusing looking at the JS console in the
>> browser, because it complained about CORS but it was just Keycloak
>> giving the 400 response without the allow-origin header.
>>
>> Thanks.
>>
>> --
>>
>> Tomás García Pérez
>>
>> Software Developer
>>
>> IntraHouse
>>