[keycloak-user] Suppression of basic challenge on login of Web App?

Chris Smith chris.smith at cmfirstgroup.com
Mon Jan 14 12:19:05 EST 2019


I have a web app secured by KC.  It authenticates against our Active Directory and that appears to be working.

I'm developing using Tomcat as my web app server.

When on a Windows client of a machine that is a member of my Active Directory, and Windows Internet options are set, both Chrome and Internet Explorer do not put up the Browser challenge or forward to the KC login page.

I have a requirement that a browser on a client that is not in my Active Directory log in with the user's Active Directory user id and password.

After a successful login, everything is great.

My issue is that when running from a browser on a client that is not a member of the Active Directory domain, first the browser presents a Basic Challenge.  Then, regardless of what is entered or if the challenge is dismissed, the browser forwards as expected to the KC login page.

How can the Basic Challenge be suppressed?

My web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://xmlns.jcp.org/xml/ns/javaee"
	xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
	id="WebApp_ID" version="3.1">
	<display-name>SSO-Example</display-name>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
	<login-config>
		<auth-method>KEYCLOAK</auth-method>
		<realm-name> MYREALM </realm-name>
	</login-config>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SSO-Example</web-resource-name>
			<url-pattern>/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>user</role-name>
		</auth-constraint>
	</security-constraint>
	<security-role>
		<role-name>user</role-name>
	</security-role>
</web-app>

My keycloak.json

{
  "realm": "MYREALM",
  "auth-server-url": "https://my.keycloak:8443/auth",
  "ssl-required": "external",
  "resource": "MYCLIENT",
  "verify-token-audience": true,
  "credentials": {
    "secret": "my secret"
  },
   "disable-trust-manager": true,
   "allow-any-hostname" : true,
  "use-resource-role-mappings": true,
  "confidential-port": 0
}


