[keycloak-user] Cross client authentication

Luis Rodríguez Fernández uo67113 at gmail.com
Fri Jan 11 05:06:50 EST 2019


Hello Tom,

Once you visit the SAML app, a user session is created in the app and a
JSESSIONID cookie is stored in your browser; that's why it works.

You have different ways of working around this:

1. You can embed the GUI component that makes the request to the SAML app
into an <iframe>. The iframe element can deal with the SAML requests and responses.

2. In the past I did develop a "horrible hack" based on a
javax.servlet.Filter and an HTML page. The idea would be that at the first
request of the OIDC app the filter would generate on the fly an HTML page
with a link to the SAML app. This triggered the SAML authentication,
creating the user session in the app and storing the JSESSIONID cookie in
the user's browser.

3. I recently solved the same issue using
org.keycloak.adapters.saml.servlet.SamlFilter. The idea would be to create
your own custom cookie and use it to make the cross-context requests. You
can have a look at the code in this gist [1].

Keep in mind that all of the above are workarounds. The cleanest way would
be not to use SAML for protecting the resources/API of your second
application. Probably OAuth2/OIDC would work better, but I imagine that you
are dealing with some legacy code and you do not have too many options :)

Hope it helps,

Luis

[1] https://gist.github.com/lurodrig/83319a623692f573c4d2f91e16176fca

On Fri, 11 Jan 2019 at 9:47, Tom Barber (<tom at spicule.co.uk>) wrote:

> Hi folks
>
> Trying to solve a question for one of my web developers.
>
> We have 2 apps: one which authenticates against Keycloak using SAML, and then
> a GUI that uses OIDC. When a user logs into the GUI it then performs a REST
> call to the SAML-based client app.
>
> This causes a 401 currently, but as soon as I visit the SAML app and
> Keycloak logs in, then the REST calls work. What aren't we passing, or what
> config am I missing?
>
> Thanks
>
> Tom
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
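As an added illustration of workaround 2 from Luis's reply (this is example code written here, not the code from his gist and not part of the Keycloak project): a javax.servlet.Filter registered in front of the OIDC app. On the first request from a browser it serves a small HTML page linking to the SAML app, so the browser completes the SAML login there and receives that app's JSESSIONID before the GUI makes any REST call. The class name, the marker cookie name `saml-bootstrap-done` and the URL `https://saml-app.example.com/` are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter illustrating the "first request generates a page linking
// to the SAML app" workaround. Not the code from the gist referenced above.
public class SamlBootstrapFilter implements Filter {

    // Marker cookie recording that the bootstrap page has already been served
    // to this browser (name is an assumption).
    static final String MARKER_COOKIE = "saml-bootstrap-done";

    // Absolute URL of the SAML-protected app (placeholder; read from config in practice).
    static final String SAML_APP_URL = "https://saml-app.example.com/";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise for this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (hasMarkerCookie(request)) {
            // Bootstrap page already served once: let the OIDC app handle the request.
            chain.doFilter(req, res);
            return;
        }

        // Set the marker so the bootstrap page is served only once per browser.
        // HttpOnly and Secure keep the cookie away from scripts and plaintext HTTP.
        Cookie marker = new Cookie(MARKER_COOKIE, "1");
        String contextPath = request.getContextPath();
        marker.setPath(contextPath.isEmpty() ? "/" : contextPath);
        marker.setHttpOnly(true);
        marker.setSecure(true);
        response.addCookie(marker);

        // Serve the page whose link triggers the SAML login in the other app.
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        try (PrintWriter out = response.getWriter()) {
            out.println("<!DOCTYPE html><html><body>");
            out.println("<p>Please <a href=\"" + SAML_APP_URL
                    + "\">sign in to the SAML application</a> first,");
            out.println("then return to this page.</p>");
            out.println("</body></html>");
        }
    }

    // True when the request carries the marker cookie set by an earlier visit.
    static boolean hasMarkerCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie c : cookies) {
            if (MARKER_COOKIE.equals(c.getName())) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter still has to be mapped to the OIDC app's URL pattern in web.xml or via a WebFilter annotation. Two limits worth knowing before relying on it: the marker cookie only records that the page was served, not that the SAML login actually succeeded, so a 401 from the SAML app still has to be handled by the GUI; and the subsequent REST calls depend on the browser sending the SAML app's JSESSIONID cookie cross-context, which current browsers' default SameSite handling blocks when the two apps live on different sites.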

