[keycloak-user] Question about the javascript-adapter and the check-sso option with a confidential client

Marek Posolda mposolda at redhat.com
Wed Jun 29 03:01:09 EDT 2016


On 28/06/16 15:35, LEONARDO NUNES wrote:
> Marek, after I encoded the redirect_uri parameter it worked.
>
> When I try to access a restricted page and I'm not logged in I saw 
> that an AuthChallenge with a redirect uri is returned.
> Is there a way to configure prompt=none to be added to this redirect uri?
I don't think it's possible ATM.

What we can possibly do is add a "prompt" parameter to the list of 
parameters which adapters are able to attach to the 
authorizationEndpoint sent to Keycloak (this is done in 
OAuthRequestAuthenticator.getRedirectUri). Then a request to Keycloak 
with "prompt=none" will be sent and, if you are not logged in, Keycloak will 
redirect back with status 400 and some "error" parameter. You will be 
able to configure the error page in your web.xml, where you will be able 
to deal with the error and do what you want (for example, redirect to 
your anonymous page).

Could you please create a JIRA for adding "prompt" to the parameters?

Marek
>
> In my case I wouldn't like to be automatically redirected to the 
> login page when I'm not logged in.
> Instead I would like to be redirected back to my page when the user is 
> not logged in.
>
>
> -- 
> Leonardo Nunes
>
>
> From: Marek Posolda <mposolda at redhat.com>
> Date: Tuesday, 28 June 2016 03:00
> To: Leonardo Nunes <leo.nunes at gjccorp.com.br>, Tomás García <tomas at intrahouse.com>, 
> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Question about the javascript-adapter and 
> the check-sso option with a confidential client
>
> Not sure why prompt=none doesn't work as expected...
>
> Are you manually opening this URL? Maybe it will help if you 
> url-encode the value of redirect_uri parameter (in your example it's 
> not encoded).
>
> Marek
>
> On 27/06/16 15:38, LEONARDO NUNES wrote:
>> Marek, I tried to manually call keycloak login url with prompt=none 
>> but it didn't redirect back to my redirect_uri, instead it stayed at 
>> the login page.
>> Below is an example of the login URL I'm calling.
>>
>> http://keycloak-domain.com.br/auth/realms/accounts/protocol/openid-connect/auth?redirect_uri=http://my-application.com.br/app-web/&response_mode=fragment&response_type=code&client_id=app-web&prompt=none
>>
>> I need a URL to call to know if the user is logged in or not without 
>> being redirected to the login page.
>> I need this because KeycloakSecurityContext is not available at not 
>> restricted URLs.
>>
>>
>> -- 
>> Leonardo Nunes
>>
>>
>> From: Marek Posolda <mposolda at redhat.com>
>> Date: Monday, 27 June 2016 09:07
>> To: Tomás García <tomas at intrahouse.com>, 
>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] Question about the javascript-adapter 
>> and the check-sso option with a confidential client
>>
>> I think your possibilities are either:
>> - Use a different client for keycloak.js (public client) and a different 
>> client for your confidential servlet application
>> - Don't use keycloak.js at all, but instead do some HTTP Filter to 
>> deal with "autologin". You will manually try to redirect to keycloak 
>> with "prompt=none". If the user is not logged in, keycloak will redirect 
>> back to the callback redirect_uri, where you recognize if there is a 
>> "code" or "error" parameter and based on that, you know if the user is 
>> logged in or not. If the user is logged in, you can redirect to the secured URL to 
>> properly trigger the authentication process (maybe you can optimize this 
>> step by reusing the "code", which you already have, and directly open 
>> the secured URI with it, but I am not 100% sure if it works 
>> considering that you also need the correct "state" etc.) Otherwise, you 
>> can set some state or something, to recognize that autologin has 
>> already been unsuccessfully tried.
>>
>> Maybe you can create a JIRA to request support for "autologin" for other 
>> types of clients than public keycloak.js clients.
>>
>> Marek
>>
>> On 25/06/16 11:44, Tomás García wrote:
>>>
>>> Hi,
>>>
>>> I wonder if it's possible to just check the SSO state with a 
>>> confidential client. My use case is the following one:
>>>
>>> - I have a website which uses a confidential client to login with 
>>> Keycloak.
>>>
>>> - I want to add autologin to this website.
>>>
>>> - So I use the javascript adapter with the following option object 
>>> for the init method: { onLoad: 'check-sso' }. The javascript adapter 
>>> is built without the secret key in its constructor (obviously if I 
>>> put the secret key in there, there's no point to use a confidential 
>>> client at all).
>>>
>>> But Keycloak fails with a "type=CODE_TO_TOKEN_ERROR, 
>>> error=invalid_client_credentials" error.
>>>
>>> So I don't know how feasible or secure it is to just check that the 
>>> Keycloak session inside the cookie of the user's browser is still 
>>> valid. In my case, the browser doesn't need to get the user info, 
>>> access token, etc., because what I'll do is redirect the user to the 
>>> Keycloak login page with the confidential client afterwards if the 
>>> operation is successful. Since the Keycloak session is valid, 
>>> Keycloak should redirect back with the authentication code without 
>>> asking the user for credentials.
>>>
>>> Additional note: the CORS header isn't added to 400 responses in 
>>> Keycloak, so it was a bit confusing looking at the JS console in the 
>>> browser, because it complained about CORS but it was just Keycloak 
>>> giving the 400 response without the allow-origin header.
>>>
>>> Thanks.
>>>
>>> -- 
>>> Tomás García Pérez
>>> Software Developer
>>> IntraHouse
>
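
Added example, not code from the Keycloak project or from anyone in this thread: a servlet filter that implements the "autologin" approach Marek describes above. An unauthenticated browser is redirected to Keycloak with prompt=none and a fresh state value, and the callback is inspected for a "code" or "error" parameter; a session attribute records that autologin was already tried so the filter never loops. The Keycloak host, realm name, client id, application paths and session attribute names are assumptions. It uses only the javax.servlet API and does not touch Keycloak's adapter classes.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter illustrating the prompt=none "autologin" check; not Keycloak code.
public class AutoLoginFilter implements Filter {
    // All of these values are assumptions for the example.
    private static final String AUTH_ENDPOINT =
        "https://keycloak.example.com/auth/realms/accounts/protocol/openid-connect/auth";
    private static final String CLIENT_ID = "app-web";
    private static final String APP_BASE = "https://app.example.com/app-web";
    private static final String CALLBACK_PATH = "/app-web/sso-check";
    private static final String ATTR_TRIED = "autologin.tried";
    private static final String ATTR_STATE = "autologin.state";
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if (CALLBACK_PATH.equals(request.getRequestURI())) {
            handleCallback(request, response, session);
            return;
        }
        // Already authenticated, or the silent check was already made in this session: pass through.
        if (request.getUserPrincipal() != null || session.getAttribute(ATTR_TRIED) != null) {
            chain.doFilter(req, res);
            return;
        }
        // First visit: mark the attempt before redirecting so a failed check cannot loop.
        session.setAttribute(ATTR_TRIED, Boolean.TRUE);
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR_STATE, state);

        // prompt=none asks Keycloak to answer without ever rendering a login page.
        // redirect_uri is URL-encoded, which the thread above found necessary.
        String url = AUTH_ENDPOINT
            + "?client_id=" + enc(CLIENT_ID)
            + "&response_type=code"
            + "&redirect_uri=" + enc(APP_BASE + "/sso-check")
            + "&state=" + enc(state)
            + "&prompt=none";
        response.sendRedirect(url);
    }

    private void handleCallback(HttpServletRequest request, HttpServletResponse response,
                                HttpSession session) throws IOException {
        String expected = (String) session.getAttribute(ATTR_STATE);
        session.removeAttribute(ATTR_STATE);
        String state = request.getParameter("state");
        // Reject callbacks that this session did not initiate (wrong or missing state).
        if (expected == null || state == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8))) {
            response.sendRedirect(APP_BASE + "/");
            return;
        }
        if (request.getParameter("error") != null) {
            // e.g. login_required: no Keycloak SSO session, so stay on the anonymous page.
            response.sendRedirect(APP_BASE + "/");
            return;
        }
        if (request.getParameter("code") != null) {
            // An SSO session exists. The code is deliberately not reused here; sending the browser to
            // a secured URL lets the confidential adapter run its own authorization request and
            // exchange the code with the client secret on the server side.
            response.sendRedirect(APP_BASE + "/secured/");
            return;
        }
        response.sendRedirect(APP_BASE + "/");
    }

    private static String enc(String s) throws IOException {
        return URLEncoder.encode(s, StandardCharsets.UTF_8.name());
    }
}
```

Map the filter in web.xml onto the anonymous pages and the callback path, and register the callback URI as a valid redirect URI for the client. The callback reads query parameters, which is the default response_mode for response_type=code; the response_mode=fragment shown in Leonardo's URL would put the parameters after "#", which never reaches the server. The state check ties each callback to the session that started it, and because the code is exchanged only by the server-side adapter, the client secret never has to be exposed to the browser, which is the concern Tomás raised.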
