[keycloak-user] JavaScript client, iframe and IE

Thomas Darimont thomas.darimont at googlemail.com
Sun Mar 19 05:09:09 EDT 2017


Hello,

Sorry for digging this old thread out, but I just stumbled over this again.
I found some Keycloak deployments in the wild which explicitly set the
P3P Header to:
P3P:CP="CAO PSA OUR"

This seems to work fine with IE and is a valid P3P header.

See also:
http://stackoverflow.com/questions/5257983/what-does-headerp3p-cp-cao-psa-our-do

I wonder whether this would make a better default setting for the
p3pPolicy setting in
themes/src/main/resources/theme/base/login/messages/messages_*.properties
than the current value of:
p3pPolicy=CP="This is not a P3P policy!"

Cheers,
Thomas

2016-04-15 15:24 GMT+02:00 Stian Thorgersen <sthorger at redhat.com>:

> No, but feel free to add one to the new testsuite :)
>
> On 15 April 2016 at 14:46, Thomas Raehalme <thomas.raehalme at aitiofinland.com> wrote:
>
>>
>> On Thu, Apr 14, 2016 at 5:11 PM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> I think we need to make it configurable. Could use messages from login
>>> theme as a simple solution?
>>>
>>> sessionIframeP3P=CP="This is not a P3P policy!"
>>>
>>
>> Using theme properties was a good idea.
>>
>> Is there an existing test I could extend to verify the presence of the
>> header?
>>
>>
>>
>>
>>
>>> On 14 April 2016 at 16:06, Thomas Raehalme <
>>> thomas.raehalme at aitiofinland.com> wrote:
>>>
>>>> Well I didn't mean exactly the same message with a link and everything,
>>>> but just something like "This is not a policy definition."
>>>>
>>>> Best regards,
>>>> Thomas
>>>> On Apr 14, 2016 17:03, "Stian Thorgersen" <sthorger at redhat.com> wrote:
>>>>
>>>>> I don't think the Google way is good for us as we'd need to have a
>>>>> similar page. Further, it wouldn't be correct to have a Keycloak page that
>>>>> describes the policy for other companies. So we need to figure out what the
>>>>> correct value should be I think.
>>>>>
>>>>> On 14 April 2016 at 16:00, Thomas Raehalme <
>>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>>
>>>>>> W3C has the spec but since nobody is really using this I don't think
>>>>>> the value matters. But instead of making up some policy definition I think
>>>>>> that the Google way would be the best. What do you think?
>>>>>>
>>>>>> Best regards,
>>>>>> Thomas
>>>>>> On Apr 14, 2016 16:54, "Stian Thorgersen" <sthorger at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I've got no clue what the value should be, tried to search on
>>>>>>> Google, but doesn't make much sense to me.
>>>>>>>
>>>>>>> On 14 April 2016 at 15:30, Jukka Sirviö <Jukka.Sirvio at mipro.fi>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> there is discussion on this issue, also on stack overflow
>>>>>>>> http://stackoverflow.com/questions/32120129/keycloak-is-causing-ie-to-have-an-infinite-loop
>>>>>>>>
>>>>>>>> “Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"”
>>>>>>>>
>>>>>>>>
>>>>>>>> From: keycloak-user-bounces at lists.jboss.org on behalf of Thomas Raehalme
>>>>>>>> Sent: 14 April 2016 16:22
>>>>>>>> To: Stian Thorgersen
>>>>>>>> Cc: keycloak-user
>>>>>>>> Subject: Re: [keycloak-user] JavaScript client, iframe and IE
>>>>>>>>
>>>>>>>> I created KEYCLOAK-2828 for this issue and will do a PR as well.
>>>>>>>>
>>>>>>>> What do you think the value should be? As I wrote earlier it does
>>>>>>>> not seem to make a difference to IE.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thu, Apr 14, 2016 at 4:16 PM, Stian Thorgersen <
>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>> Can you create a JIRA for it please? If you fancy doing a PR you
>>>>>>>> can add the header to LoginStatusIframeEndpoint.
>>>>>>>>
>>>>>>>> On 14 April 2016 at 15:09, Thomas Raehalme <
>>>>>>>> thomas.raehalme at aitiofinland.com> wrote:
>>>>>>>> On Thu, Apr 14, 2016 at 4:01 PM, Stian Thorgersen <
>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>> What do you mean about "if the URL is something like"?
>>>>>>>>
>>>>>>>> The only iframe Keycloak uses is in the JavaScript adapter and it's
>>>>>>>> only the session iframe. That would be the only place it would be relevant
>>>>>>>> for Keycloak to set the P3P header, but I don't think it's needed; AFAIK it works
>>>>>>>> just fine on IE.
>>>>>>>>
>>>>>>>> Sorry for being a little too vague.
>>>>>>>>
>>>>>>>> Among other UIs our application has a web front-end based on
>>>>>>>> AngularJS and it's utilizing the JavaScript adapter for authentication.
>>>>>>>> When I login to the application I can inspect the HTML and see an <iframe
>>>>>>>> /> element with the following URL:
>>>>>>>>
>>>>>>>> https://keycloak-server/auth/realms/xxxx/protocol/openid-connect/login-status-iframe.html?client_id=xxxx&origin=xxxx
>>>>>>>>
>>>>>>>> Without the P3P header there is an eternal loop between our web
>>>>>>>> front-end and Keycloak where the browser is being redirected from one to
>>>>>>>> the other. After adding the P3P header the problem was solved.
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Thomas
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
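A worked example, added by the editor and not code from Keycloak or from anyone in this thread: a small Node.js script that validates a P3P compact policy value against the token vocabulary of the W3C P3P 1.0 specification and reports whether a login-status-iframe response carries one. The header values it is exercised with are the ones quoted in the thread; the headers object in the usage section is constructed, not captured from a real Keycloak server, and the function names (`parseP3PHeader`, `checkIframeResponse`, `classifyToken`) are the example's own. The a/i/o suffix rule (allowed on purposes other than CUR and on recipients other than OUR) follows the spec's compact-policy grammar.

```javascript
'use strict';
// Editor's example, not Keycloak's code: validate a P3P compact policy and
// check a login-status-iframe response for one.

// Compact policy tokens from the W3C P3P 1.0 specification, by group.
const P3P_TOKENS = {
  access:     ['NOI', 'ALL', 'CAO', 'IDC', 'OTI', 'NON'],
  disputes:   ['DSP'],
  remedies:   ['COR', 'MON', 'LAW'],
  nonident:   ['NID'],
  purposes:   ['CUR', 'ADM', 'DEV', 'TAI', 'PSA', 'PSD', 'IVA', 'IVD',
               'CON', 'HIS', 'TEL', 'OTP'],
  recipients: ['OUR', 'DEL', 'SAM', 'UNR', 'PUB', 'OTR'],
  retention:  ['NOR', 'STP', 'LEG', 'BUS', 'IND'],
  categories: ['PHY', 'ONL', 'UNI', 'PUR', 'FIN', 'COM', 'NAV', 'INT', 'DEM',
               'CNT', 'STA', 'POL', 'HEA', 'PRE', 'LOC', 'GOV', 'OTC'],
  test:       ['TST'],
};

// Purposes (except CUR) and recipients (except OUR) may carry an a/i/o
// suffix: always / opt-in / opt-out. "CONi" in the thread is CON + opt-in.
const SUFFIXABLE = new Set([
  ...P3P_TOKENS.purposes.filter(t => t !== 'CUR'),
  ...P3P_TOKENS.recipients.filter(t => t !== 'OUR'),
]);

function classifyToken(token) {
  for (const [group, list] of Object.entries(P3P_TOKENS)) {
    if (list.includes(token)) return { group, base: token, suffix: '' };
  }
  const m = /^([A-Z]{3})([aio])$/.exec(token);
  if (m && SUFFIXABLE.has(m[1])) {
    const group = P3P_TOKENS.purposes.includes(m[1]) ? 'purposes' : 'recipients';
    return { group, base: m[1], suffix: m[2] };
  }
  return null; // not a P3P 1.0 compact policy token
}

// Parse a P3P header value such as  CP="CAO PSA OUR"  or
// policyref="/w3c/p3p.xml", CP="..."  and classify every token.
function parseP3PHeader(value) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(String(value));
  if (!m) {
    return { valid: false, tokens: [], unknown: [], reason: 'no CP="..." compact policy' };
  }
  const tokens = [];
  const unknown = [];
  for (const raw of m[1].trim().split(/\s+/).filter(Boolean)) {
    const c = classifyToken(raw);
    if (c) tokens.push(c); else unknown.push(raw);
  }
  let reason = 'ok';
  if (tokens.length === 0) reason = 'empty compact policy';
  else if (unknown.length) reason = `unknown tokens: ${unknown.join(' ')}`;
  return { valid: reason === 'ok', tokens, unknown, reason };
}

// Check the response headers of the iframe endpoint. Takes a plain object
// keyed by header name (Node lower-cases them; any case is tolerated).
function checkIframeResponse(headers) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'p3p');
  if (key === undefined) {
    return { present: false, valid: false, reason: 'no P3P header on the iframe response', tokens: [] };
  }
  const parsed = parseP3PHeader(headers[key]);
  return { present: true, valid: parsed.valid, reason: parsed.reason, tokens: parsed.tokens };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample headers, not captured from a real server.
  const samples = {
    'default messages value': { 'content-type': 'text/html', p3p: 'CP="This is not a P3P policy!"' },
    'thread proposal':        { 'content-type': 'text/html', p3p: 'CP="CAO PSA OUR"' },
    'no header':              { 'content-type': 'text/html' },
  };
  for (const [name, h] of Object.entries(samples)) {
    const r = checkIframeResponse(h);
    console.log(`${name.padEnd(22)} present=${r.present} valid=${r.valid} (${r.reason})`);
  }
}
```

Two caveats for anyone picking this up. First, a compact policy that parses is still a privacy claim about the deployment (CAO, PSA and OUR describe data access, a pseudonymous-analysis purpose and the operator as sole recipient); whoever ships it as a default owns that claim, which is the concern Stian raises in the thread, so a project default is at best a placeholder the operator must review. Second, only Internet Explorer ever enforced P3P, and it gates the cookies of cross-site frames, so the header has to be set on the login-status-iframe response itself; setting it on the application's own pages does nothing for the loop described above.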

