[keycloak-user] check-sso not working as expected with iframe

Michal Hajas mhajas at redhat.com
Tue Aug 27 04:09:34 EDT 2019


Sorry, I am not sure I fully understand the question. If my answer is not
what you expected, please describe your issue properly with some steps to
reproduce and describe what behavior you expect, or if you think this is a
bug, feel free to file an issue in our Jira.

If your webpage is configured as check-sso, it means you do not require
authentication (the page is also visible to users who are not
authenticated). If an authenticated user is logged out in a separate tab, he
is redirected to Keycloak only in case login is required. But since the
webpage is configured as check-sso, Keycloak knows it doesn't require
authentication and hence doesn't redirect the user to a login page. The
iframe is used anyway because the Keycloak adapter is aware of the fact that
the user is not logged in (he lost the session); however, it just clears the
tokens and sets the adapter to the authenticated = false state (in case of
the check-sso option). If I understand correctly, you want to reauthenticate
the user in case he loses his session. You can do that in two ways. Set the
onLoad option to loginRequired or use the onAuthLogout callback as I suggested
in the last response. It could look something like this (I haven't tested
it):

keycloak.onAuthLogout = function() { keycloak.login(); }


On Mon, Aug 26, 2019 at 9:07 PM Mohsin Ilyas <Mohsin_981 at hotmail.com> wrote:

> But don’t you think if the sso session is valid then the user would
> continue to use the website so the iframe shouldn’t be connected again if
> the connection was broken? As I’ve seen that the check-sso would use iframe
> in a hidden request but if it is not working as expected then what is the
> use of that.
>
>
> ------------------------------
> *From:* Michal Hajas <mhajas at redhat.com>
> *Sent:* Monday, August 26, 2019 1:21:09 PM
> *To:* keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
> *Cc:* Mohsin Ilyas <mohsin_981 at hotmail.com>
> *Subject:* Re: [keycloak-user] check-sso not working as expected with
> iframe
>
> Hello Mohsin,
>
> this is actually the way check-sso should work. From docs:
> check-sso will only authenticate the client if the user is already
> logged-in, if the user is not logged-in the browser will be redirected back
> to the application and remain unauthenticated.
>
> When you logout in the second tab, the tab with check-sso actually detects
> you are logged out, however, it does nothing because it is not supposed to.
> You can check it by catching onAuthLogout event. See
> https://www.keycloak.org/docs/latest/securing_apps/index.html#callback-events
> .
>
> Best regards,
> Michal
>
> On Wed, Aug 21, 2019 at 8:34 PM Mohsin Ilyas <mohsin_981 at hotmail.com>
> wrote:
>
>> Missed the code in original email
>>
>>
>> const keycloak = Keycloak('/keycloak.json');
>> keycloak.init({onLoad: 'check-sso'})
>>     .success(authenticated => {
>>       if (authenticated) {
>>         //do something
>>       }
>>     })
>>     .error(error => {
>>       console.log(error)
>>     });
>>
>> ________________________________
>> From: Mohsin Ilyas
>> Sent: Wednesday, August 21, 2019 11:29 PM
>> To: keycloak-user at lists.jboss.org <keycloak-user at lists.jboss.org>
>> Subject: check-sso not working as expected with iframe
>>
>>
>> Hi,
>>
>> Below is my simple logic in my application to re-establish connection
>> with keycloak when a page is reloaded. However, the iframe doesn’t seem to
>> work well with ‘check-sso’. Because, I have opened the application in one
>> tab and in other tab I have opened keycloak but when I logout of keycloak
>> my application doesn’t get logged out, however, if I use ‘login-required’ the
>> application logs out simultaneously with keycloak. Can someone take a look,
>> or help me with this? (P.s: I have tried to set checkIframLogin: true in
>> the init options but it doesn’t work for me)
>>
>> Thanks.
>
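
The check-sso behaviour described in the reply at the top of this message, as an added example that is not code from the thread or from keycloak-js: on session loss the adapter clears its tokens and fires onAuthLogout without redirecting, so the page itself must drop per-user state and decide whether to call login(). `FakeAdapter`, `attachSessionPolicy` and `demo` are hypothetical names, and the fake models only what the reply states.

```javascript
// Constructed stand-in for the adapter object; with the real adapter, pass the
// object returned by Keycloak('/keycloak.json') to attachSessionPolicy instead.
class FakeAdapter {
  constructor() { this.authenticated = false; this.token = null; this.loginCalls = 0; }
  init(options) {
    this.onLoad = options.onLoad;
    this.authenticated = true;            // constructed: an SSO session already exists
    this.token = 'constructed-token';
    return Promise.resolve(this.authenticated);
  }
  login() { this.loginCalls += 1; }       // real adapter: redirects to the login page
  // Constructed trigger for what the reply says happens under check-sso once the
  // session is gone: tokens cleared, authenticated = false, no redirect.
  simulateSessionLost() {
    this.token = null;
    this.authenticated = false;
    if (this.onAuthLogout) this.onAuthLogout();
  }
}

// Hypothetical helper: choose what a check-sso page does when the session is lost.
function attachSessionPolicy(keycloak, { reauthenticate, onSignedOut }) {
  keycloak.onAuthLogout = () => {
    onSignedOut();                        // drop cached per-user data first
    if (reauthenticate) keycloak.login(); // the callback suggested in the reply
  };
  return keycloak.init({ onLoad: 'check-sso' });
}

// Runs one scenario against the fake and reports the resulting state.
function demo(reauthenticate) {
  const kc = new FakeAdapter();
  const app = { profile: { name: 'constructed-user' } };
  attachSessionPolicy(kc, { reauthenticate, onSignedOut: () => { app.profile = null; } });
  kc.simulateSessionLost();
  return { authenticated: kc.authenticated, token: kc.token,
           profile: app.profile, loginCalls: kc.loginCalls };
}

console.log(demo(false), demo(true));
```

With `reauthenticate: false` the tab stays on the page as an anonymous user with its cached profile cleared; with `true` it also calls `login()`.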

