[keycloak-user] 401 http status instead of 203 in case of unauthorized access to specific route

Sebastien Blanc sblanc at redhat.com
Fri May 3 05:31:56 EDT 2019


Yes

On Fri, May 3, 2019 at 11:29 AM Radovan Kuka <kuka.radovan at gmail.com> wrote:

> SPA communicates with BE only through XHR requests. So if I understand it
> correctly, I should exchange the code for tokens with the keycloak server
> myself and I can use keycloak-connect only for validating that token? Am I right?
>
> On 3 May 2019, at 11:10, Sebastien Blanc <sblanc at redhat.com> wrote:
>
> Is your SPA served by the Node app? In this case the OAuth flow/redirect
> can just happen. I think that's what this example shows:
> https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
>
> But if your SPA needs to call your backend APIs through XHR, you will need
> an access token on the client side ...
>
>
> On Fri, May 3, 2019 at 10:14 AM Radovan Kuka <kuka.radovan at gmail.com>
> wrote:
>
>> Hi Sebi,
>> thank you for your prompt answer. I would like to avoid using
>> keycloak.js, if it is possible. I am working on an app that uses sensitive
>> bank data and I don't consider it secure to store access and also refresh
>> tokens in JavaScript's memory. Is there any chance I can use the authorization
>> code grant flow with keycloak-connect?
>>
>> R.
>>
>> On 3 May 2019, at 09:51, Sebastien Blanc <sblanc at redhat.com> wrote:
>>
>> Hi,
>>
>> If you are using your node app just to expose APIs that your SPA will
>> consume, you should flag your node app as "bearer-only" (in the keycloak
>> config); this will return a 401 if your user is not authenticated (and not
>> attempt the 302 redirect).
>> This also means that your SPA must obtain the token by using the Keycloak
>> JavaScript library.
>>
>> Sebi
>>
>>
>> On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan at gmail.com>
>> wrote:
>>
>>> Hello all,
>>> I am new to keycloak and I tried to use keycloak-connect to protect
>>> routes on my server. From my SPA, I make a fetch call to the server route
>>> that uses the protect middleware. In case of an unauthenticated user,
>>> keycloak-connect returns a redirect to the login page (302 with Location header).
>>> The problem is that the original request was a fetch, and the 302 causes the
>>> browser to make a GET request for the keycloak login page. This will not cause a
>>> full browser redirect to that login page. Wouldn't it be better to send 401
>>> Unauthorized and let the browser handle the redirect itself? Or am I doing
>>> something wrong?
>>>
>>> This is related part in my code.
>>>
>>> const express = require('express');
>>> const Keycloak = require('keycloak-connect');
>>>
>>> const app = express();
>>>
>>> // Realm/client settings. `public: true` marks this a public client (no client
>>> // secret), so keycloak-connect uses the redirect-based login flow for it.
>>> const keycloakConfig = {
>>>   authServerUrl: application.SERVER_URL,
>>>   clientId: application.CLIENT_ID,
>>>   realm: application.REALM,
>>>   public: true
>>> };
>>>
>>> // `cookies: true` keeps the grant in a cookie instead of an express-session store.
>>> const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
>>>
>>> app.use(
>>>   keycloak.middleware({
>>>     logout: '/logout'
>>>   })
>>> );
>>>
>>> // Use routes. protect() sends an unauthenticated request a 302 to the login page.
>>> app.use('/api/v1/', keycloak.protect(), api);
>>>
>>>
>>> Thank you for any help.
>>> Radovan
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

