[keycloak-user] oidc wildfly adapter and wildfly single-sign-on

Amat, Juan (Nokia - US) juan.amat at nokia.com
Wed Mar 8 10:28:23 EST 2017


I will start by saying that this is my first post to this list so
forgive me if this topic has already been addressed.
I will also thank all the people who work on Keycloak (regulars and
contributors).

Now back to my topic.
In our next release we are planning to use Keycloak (version 2.5.1) in the context
of a new Angular2 based client and stateless REST services. At the same time
we also want to use Keycloak with our legacy applications.
Our legacy applications (a bunch of webapps and REST services) run on Wildfly 10.
The 'Getting Started' chapter of the Keycloak documentation looks too
good, as simply adding some configuration in the standalone.xml and with no code
changes it works.
I did try that and it worked fine with our legacy applications except
for the logout.
I opened (twice) this ticket: https://issues.jboss.org/browse/KEYCLOAK-4397
The problem is that we used to configure the undertow sub-system with
<single-sign-on>, which allows us to log in to one webapp and navigate to another
without the need to reauthenticate.
I removed this <single-sign-on> and now we have other problems.
Our webapps sometimes do XMLHttpRequest requests to another webapp/REST service,
and Keycloak will then return 302, which does not work too well.
I did see this ticket https://issues.jboss.org/browse/KEYCLOAK-2962 but it
will not help us much I think (It is my understanding that with this fix and
using autodetect we will get 401 back and this is not what we want).

We did configure Keycloak with the 'session' token store so we thought that
maybe using the 'cookie' token store will be better. But it did not
help because the path of the cookie is the webapp context. IOW it is not
propagated when we call another webapp.
There is this opened ticket https://issues.jboss.org/browse/KEYCLOAK-4342
about the same issue.

In the end I am wondering if Keycloak should support this configuration, that
is having undertow <single-sign-on> enabled. Or, and it would also be OK
for us, if we could configure the Keycloak cookie path.

Did any of you have the same issue? And if so, how did you resolve it?
Or is what I am doing not possible without some code changes?

TIA.
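For readers following the thread, the two pieces of configuration the post talks about, as an added illustration that is not the poster's own standalone.xml: a Keycloak subsystem `secure-deployment` using the `cookie` token store instead of the default `session` store, and the undertow `<single-sign-on>` element under the virtual host. The deployment name, realm, resource, auth-server URL and client secret are placeholders; the subsystem namespace versions are those of a WildFly 10 / Keycloak 2.x adapter and may need adjusting to the installed versions.

```xml
<!-- Added example, not from the original post. Fragments of a WildFly 10
     standalone.xml showing the two settings discussed in the thread. -->

<!-- 1. Keycloak OIDC adapter subsystem: one secure-deployment per webapp.
        token-store "cookie" keeps the tokens in a cookie instead of the HTTP
        session; as the post notes, that cookie is scoped to the webapp's own
        context path, so it is not sent to a second webapp. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="legacy-webapp-a.war">              <!-- placeholder -->
        <realm>example-realm</realm>                            <!-- placeholder -->
        <auth-server-url>https://sso.example.invalid/auth</auth-server-url> <!-- placeholder -->
        <ssl-required>external</ssl-required>
        <resource>legacy-webapp-a</resource>                    <!-- placeholder client id -->
        <credential name="secret">REPLACE-WITH-CLIENT-SECRET</credential>
        <!-- "session" is the default; "cookie" is the alternative tried in the post -->
        <token-store>cookie</token-store>
    </secure-deployment>
</subsystem>

<!-- 2. Undertow container single sign-on: one auth cookie shared across the
        webapps deployed on the same host, which is what the post says was
        removed when the Keycloak adapter was introduced. path="/" makes the
        SSO cookie visible to every context on the host. -->
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <host name="default-host" alias="localhost">
            <single-sign-on path="/" http-only="true" secure="true"/>
        </host>
    </server>
</subsystem>
```

The undertow element and the Keycloak token store are independent mechanisms: the first is container-managed session propagation between deployments, the second decides where the adapter keeps the OIDC tokens for a single deployment. Enabling both at once is exactly the combination the post asks whether Keycloak supports, so treat the fragment as a description of the setup under discussion rather than as a recommended configuration.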


