[keycloak-user] Fwd: Error when session expired and ajax request execute in Keycloak?

Adam Daduev daduev.ad at gmail.com
Thu Apr 13 12:43:39 EDT 2017


Hi Seb,

I do not speak for everyone, but I would want it. About specs, I do not know. I use
Keycloak in my application, and I cannot notify the user when the session has
expired. I do not know whether I said this, but when a redirect request occurs, not
an ajax request, I caught the error with the JSF exception handler (in my
example it is CommonExceptionHandler), and to report to users, I want the same
to occur with my ajax requests. It occurs not only in RichFaces but also in
PrimeFaces; I think it happens with all JSF ajax requests.
One more thing: I observed that the Keycloak session expires earlier than I set up in
the Keycloak admin console, and in the Keycloak log I have a warning, error
refresh token. Maybe these problems are related, I do not know.
I have one small question: can I disable the refresh token and use Implicit Flow?
When I disabled Authorization Code Flow, nothing works.

Thank you.

Wed, 12 Apr 2017 at 15:47, Sebastien Blanc <sblanc at redhat.com>:

> Hi Adam,
>
> I started today to look at your ticket. First of all, thank you for the
> provided example, it really makes it easier to reproduce.
>
> So Stian is right, it's expecting a token which isn't present and
> therefore returning a 401.
> Stian suggested that we should maybe support ajax request secured with the
> session (to support Richfaces ajax requests).
>
> I would like to have the opinion of everyone here: is that something we
> want? Don't we break any specs here (I have no idea, just asking)?
>
> Anyway I will start looking how this change could be implemented.
>
> Seb
>
>
> On Fri, Jan 13, 2017 at 9:53 AM, Adam Daduev <daduev.ad at gmail.com> wrote:
>
>> I created a JIRA bug and added a simple example.
>> https://issues.jboss.org/browse/KEYCLOAK-4214
>>
>>
>> Fri, 13 Jan 2017 at 9:34, Stian Thorgersen <sthorger at redhat.com>:
>>
>> > Might be that it's expecting a token in the ajax request rather than
>> > checking for a session, not 100% sure though. RichFaces won't work unless
>> > we can support securing the requests from the session.
>> >
>> > Can you create a JIRA bug for this please? If you can attach a simple
>> > example we can build and deploy to reproduce the issue that would be
>> > extremely helpful and we would be able to look at it sooner.
>> >
>> > On 12 January 2017 at 07:16, Adam Daduev <daduev.ad at gmail.com> wrote:
>> >
>> > After login, I get into my app, and for all my ajax requests from the page
>> > to the backing bean, I receive response 401 even if the session is still
>> > alive. If I remove the autodetect-bearer-only option, all works fine, but it
>> > goes back to the old error.
>> >
>> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
>> > realms/azovstal/protocol/openid-connect/auth?…ml&state=
>> > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
>> > 'Access-Control-Allow-Origin' header is present on the requested resource.
>> > Origin 'http://localhost:8080' is therefore not allowed access.
>> >
>> > ---------- Forwarded message ---------
>> > From: Adam Daduev <daduev.ad at gmail.com>
>> > Date: Tue, 10 Jan 2017 at 14:08
>> > Subject: Re: [keycloak-user] Error when session expired and ajax request
>> > execute in Keycloak?
>> > To: <stian at redhat.com>
>> >
>> >
>> > I tried, but it does not work.
>> > Firstly, I added the autodetect-bearer-only option via the adapter
>> > subsystem; WildFly did not start, it does not know the
>> > autodetect-bearer-only option. Then I added it via JSON; WildFly started
>> > and the app was deployed.
>> > Secondly, on my ajax request to the backing bean, I receive response 401
>> > and nothing happens.
>> > This is my keycloak.json:
>> > {
>> > "realm": "azovstal",
>> > "auth-server-url": "http://dc09-apps-06:8090/auth",
>> > "ssl-required": "none",
>> > "resource": "web-test",
>> > "public-client": true,
>> > "use-resource-role-mappings": true,
>> > "autodetect-bearer-only": true
>> > }
>> >
>> > Tue, 10 Jan 2017 at 10:19, <daduev.ad at gmail.com>:
>> >
>> > OK, I will try, thanks.
>> >
>> > On 10 Jan 2017, at 07:07, Stian Thorgersen <sthorger at redhat.com>
>> > wrote:
>> >
>> > In that case take a look at the new autodetect-bearer-only option. You'll
>> > need 2.5.0.Final for that.
>> >
>> > On 9 January 2017 at 19:18, <daduev.ad at gmail.com> wrote:
>> >
>> > No, I have a JSF 2 app with the RichFaces framework, which is deployed on
>> > WildFly 10.1.
>> >
>> > On 9 Jan 2017, at 14:51, Stian Thorgersen <sthorger at redhat.com>
>> > wrote:
>> >
>> > [Adding list back]
>> >
>> > A web app redirects the user to a login page if not authenticated, while a
>> > service should return a 401.
>> >
>> > It sounds like what you have is a JS application with a service backend. In
>> > Keycloak you should have two separate types of clients for that. The JS
>> > application should be a public client, while the services a bearer-only
>> > client.
>> >
>> > On 9 January 2017 at 13:39, Adam Daduev <daduev.ad at gmail.com> wrote:
>> >
>> > Thanks for the answer.
>> > Yes, I have a confidential client; I have a web application that asks the
>> > Keycloak server to authenticate a user for it. As I understand,
>> > bearer-only is for web service clients.
>> > I probably do not understand something?
>> >
>> > 2017-01-09 11:44 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:
>> >
>> > Looks like your services are configured as confidential clients rather than
>> > bearer-only and hence is sending a login request back rather than a 401.
>> > You should either swap your service war to be a bearer-only client or use
>> > the new autodetect-bearer-only option in adapters if you have both web
>> > pages and services in the same war.
>> >
>> > On 8 January 2017 at 23:29, Adam Daduev <daduev.ad at gmail.com> wrote:
>> >
>> > Hi, can you help me?
>> > When the session has expired and an ajax request executes in Keycloak, I
>> > have an error in the browser console:
>> >
>> > XMLHttpRequest cannot load http://dc09-apps-06:8090/auth/
>> > realms/azovstal/protocol/openid-connect/auth?…ml&state=
>> > 60%2F01fc2e79-6fc0-46b8-9f83-39b7421fedf9&login=true&scope=openid. No
>> > 'Access-Control-Allow-Origin' header is present on the requested resource.
>> > Origin 'http://localhost:8080' is therefore not allowed access.
>> >
>> > I added, in the Keycloak admin console, in the client settings, Web Origins =
>> > http://localhost:8080 (or *), and enabled CORS in the app, but I still have
>> > the error in the console. I used Keycloak 2.5.0.
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>>
>
>
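
The two failure modes reported in this thread (a 401 answer to the ajax request, and a login redirect that the browser blocks for lack of an Access-Control-Allow-Origin header) can be handled on the page by turning them into a full-page reload, which the adapter can redirect to the login page. This is an added example, not code from the thread or from Keycloak; it assumes the standard JSF 2 jsf.ajax.addOnError hook, and the function names, the sessionStorage key and the 10-second guard are hypothetical.

```javascript
// Added example; all function and key names here are hypothetical.
const MIN_RELOAD_INTERVAL_MS = 10000; // assumed loop-guard window

// Map the HTTP status reported for a failed ajax call to a cause.
function classifyAjaxFailure(responseCode) {
  // 401: the adapter answered the XHR directly instead of redirecting.
  if (responseCode === 401) return "unauthenticated";
  // 0: the browser withheld the response, e.g. the XHR followed a redirect
  // to the cross-origin login URL and CORS blocked it (or the network failed).
  if (responseCode === 0) return "blocked-redirect";
  if (responseCode === 403) return "forbidden";
  return "other";
}

// Returns "reload", "notify" or "ignore". lastReloadMs is null if never reloaded.
function decideAction(responseCode, lastReloadMs, nowMs) {
  const kind = classifyAjaxFailure(responseCode);
  if (kind === "other") return "ignore";
  if (kind === "forbidden") return "notify";
  // Do not reload again right after a reload: that loops if login keeps failing.
  const recent =
    lastReloadMs !== null && nowMs - lastReloadMs < MIN_RELOAD_INTERVAL_MS;
  return recent ? "notify" : "reload";
}

// Hook the standard JSF 2 ajax error callback when running in a browser page.
function installHandler() {
  if (typeof jsf === "undefined" || typeof window === "undefined") return false;
  jsf.ajax.addOnError(function (data) {
    const stored = window.sessionStorage.getItem("lastAuthReload");
    const now = Date.now();
    const last = stored === null ? null : Number(stored);
    const action = decideAction(Number(data.responseCode), last, now);
    if (action === "reload") {
      window.sessionStorage.setItem("lastAuthReload", String(now));
      // A top-level navigation lets the browser follow the redirect to login.
      window.location.reload();
    } else if (action === "notify") {
      window.alert("Your session has expired or access was denied.");
    }
  });
  return true;
}

installHandler();
```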

