[keycloak-user] How to only protect specific paths (SPA)

Mehdi Mehdi mehdi_cit at hotmail.com
Thu Oct 12 02:04:42 EDT 2017


Thanks for your reply Marek,
My problem is that after the user is logged in on path /#private and then after a while moves back to a public path /#public (meaning not requiring it to be logged in). If the user is logged out (from the admin panel or simply due to timeout) that user would be required to go back and log in even though she's on /#public.
Since it's an SPA, Keycloak would always try to make sure the user is logged in and I did not find a way to stop Keycloak from requiring that login if I detect the user does not need login.
It seems that once I invoke Keycloak.init().... I can no longer stop keycloak from enforcing the authentication!
Thanks again, I hope I can find a solution. Been looking into the keycloak.js code to see if I can stop it but there's no clear way on how to do it. I could go and try to "hijack" the 'isTokenExpired' function to make sure it always returns false if the user is on a public path, but I'm not sure it covers all scenarios since I do not know how Keycloak works. The whole point of using Keycloak is not to spend time on this front in the first place... and poking around with the keycloak.js code would be a hack anyway.
Cheers~


________________________________
From: Marek Posolda <mposolda at redhat.com>
Sent: Tuesday, 10 October 2017 12:13:00
To: Mehdi Mehdi; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to only protect specific paths (SPA)

Can't you "compute" the value of the onLoad attribute based on the current
path? Maybe I don't understand your use case properly, so this may not be the
best solution, just guessing...

Marek

On 09/10/17 15:54, Mehdi Mehdi wrote:
> Hello everyone and thank you for sharing keycloak with the community.
>
> I'm trying to use keycloak on my SPA (single page application with javascript in both front & back ends).
>
> I only want to password protect specific paths and not all paths. The problem is that once I do require login
>
> keycloak.init( {onLoad: 'login-required'})...
> on some "sensitive path" all the other paths become protected. I suspected that would happen because I did not find a function to suspend "requiring a login".
>
> Indeed, I did test this by going to the keycloak admin page and logging out the user (who was by then on a public/not-protected path). On my SPA the user got kicked out, asking her for a password through keycloak even though she was on a 'public path'.
>
> In short, is there a way to instruct keycloak not to require a login?
>
> BTW, I'm only using keycloak on the front end right now.. Need to make it work before also using it on my API (back end).
>
> Thank you in advance for your feedback.
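
One way to compute `onLoad` from the current path, as suggested in the reply above. This is an added example, not code from the thread or from the Keycloak project: `PROTECTED_ROUTES`, `isProtected`, `initOptionsFor` and `guardRoute` are hypothetical names, and the route list is an assumption built from the `#private` / `#public` paths mentioned in the thread.

```javascript
// Added example. Helper names and the route list are assumptions, not Keycloak APIs.
// '#private' is the protected route named in the thread; every other hash is public.
const PROTECTED_ROUTES = ['#private'];

// True when the hash is a protected route or a sub-path of one
// ('#private/settings' matches, '#privateer' does not).
function isProtected(hash, routes = PROTECTED_ROUTES) {
  const h = (hash || '').split('?')[0];
  return routes.some((r) => h === r || h.startsWith(r + '/'));
}

// Options for keycloak.init(): force a login only on protected routes.
// On public routes 'check-sso' picks up an existing session but does not
// send an anonymous visitor to the login form.
function initOptionsFor(hash) {
  return { onLoad: isProtected(hash) ? 'login-required' : 'check-sso' };
}

// Run on every route change: start a login only when an unauthenticated
// user enters a protected route. Returns the decision so callers can act on it.
function guardRoute(keycloak, hash) {
  if (!isProtected(hash)) return 'public';
  if (keycloak.authenticated) return 'allowed';
  keycloak.login();
  return 'login';
}

// Browser wiring; skipped when keycloak.js is not loaded (for example under Node).
// Constructor configuration is omitted here and depends on your setup.
if (typeof window !== 'undefined' && typeof Keycloak !== 'undefined') {
  const keycloak = new Keycloak();
  keycloak.init(initOptionsFor(window.location.hash));
  window.addEventListener('hashchange', () => {
    guardRoute(keycloak, window.location.hash);
  });
}
```

These checks only decide when the SPA prompts for a login; the back-end API still has to verify the token on each request, since anything enforced in the browser can be bypassed by the user.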



