[keycloak-user] How to disable request restore in OIDCFilterSessionStore (how to make eclipse RAP work with keycloak)?

Clemens Eisserer linuxhippy at gmail.com
Sat Feb 2 03:07:45 EST 2019 

Hi,

I am trying make a server-side framework (eclipse RAP) integrate
nicely with keycloak.
The issue I am facing is, the client-side part of the framework is
using XMLHttpRequests and therefore can not cope with the HTTP-302
redirects sent by the keycloak servlet in case the HttpSession times
out.
Instead it expects some hand-craftet JSON to perform the redirect
itself - I've implemented it using a HttpServletResponse facade so I
can later manually re-do the redirect genereated by Keycloak (please
see code at end of mail) and this seems to work fine.

However, after the redirect, Keycloak seems to restore the old request
in OIDCFilterSessionStore which initially caused the redirect.
The server-side framework-code receives the outdated POST and goes
nuts (instead of the expected GET to re-start the whole session), only
if I remove __REDIRECT_URI manually (leads to needRequestRestore =
false) everything works as expected.

Is there any way to disable this request-restoring process with public
API, instead of messing with the HttpSession in an undocumented way?

Thank you in advance, Clemens

PS: risking beeing a support-vampire, what is the idea behind this
request-restoring process?

The browser network log looks like:
1. POST (application URL, session timed out) -> response: {"head":
{"redirect": "https://..../protocol/openid-connect/auth?response_type=code&client_id=someid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%someapplication%2F?cid%3Dd28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&login=true&scope=openid"}}
2. Browser loads keycloak login page itself using GET:
https://....../protocol/openid-connect/auth?response_type=code&client_id=someid&redirect_uri=http://localhost:8080/someapplication/?cid=d28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&login=true&scope=openid
3. keycloak login page immediatly redirects (302) to the application
again: http://localhost:8080/someapplication/?cid=d28559d9&state=7dcab171-d3bc-423d-94ea-14ccc9369ca3&code=6V8e2h-yNHLpDbwqkQaegLAi3Ih2YqHA47DR_Sbeq50.3c6a0415-c45c-4bf1-bba8-c03280784b8f
4. the keycloak filter in the application redirects again to the
application URL, cuts off the parameters:
http://localhost:8080/someapplication/?cid=d28559d9
However for this request keycloak restores some previous request, so
the initial GET request sent by the browser becomes POST, confuses the
JS application framework.


Code:

// Use a fascade here which ignores sendError() issued by the keycloak filter,
// this way we are able to reload the login-page instead
HttpServletResponseFascade responseFascade = new
HttpServletResponseFascade(response);

// request.getSession(true).removeAttribute("__REDIRECT_URI"); //does
not work without

super.doFilter(req, responseFascade, chain);

if(responseFascade.getStatus() == 302) {
    String location = responseFascade.getLocation();

    if(request.getMethod().equalsIgnoreCase("POST")) {
        response.setStatus(200);
        PrintWriter pw = response.getWriter();
        pw.println("{\"head\": {\"redirect\": \"" + location + "\"}}");
        pw.flush();
    } else {
        response.setHeader("Location", location);
        response.setStatus(responseFascade.getStatus());
    }

More information about the keycloak-user mailing list