[keycloak-user] Hide Keycloak codes exchange from the URL

Corentin Dupont corentin.dupont at gmail.com
Fri Oct 11 05:31:48 EDT 2019 

Any idea? :)

On Tue, Oct 8, 2019 at 4:01 PM Corentin Dupont <corentin.dupont at gmail.com>
wrote:

> Hi guys,
> is it possible to hide the complex URL Keycloak redirects to when login?
> For example Keycloak redirects to:
>
>
> https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/auth?client_id=alb&redirect_uri=https%3A%2F%2Fwww.website.org.uk%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=7103645f-0d0e-4015-ff62-206ff3eb44bf
>
> Which looks complicated (it was criticized by the users).
> I use Keycloak-JS wrapper.
> I came across the option 'silentCheckSsoRedirectUri':
> https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/javascript-adapter.adoc
> But I'm not sure it's working.
>
> Thanks,
> Corentin
> PS. I copy below a similar message posted on the mailing list for
> reference.
> [keycloak-user] OIDC login URLs, how to hide them from the user?? *Max
> Allan* max.allan+keycloak at surevine.com
> <keycloak-user%40lists.jboss.org?Subject=Re:%20%5Bkeycloak-user%5D%20OIDC%20login%20URLs%2C%20how%20to%20hide%20them%20from%20the%20user%3F%3F&In-Reply-To=%3CCADNp1BbVc6A-HsiTszRV_TJY%2BQHH4q%2BQyFeSfqhPWc-dVD1jLw%40mail.gmail.com%3E>
> *Tue Jan 22 10:36:05 EST 2019*
>
>    - Previous message: [keycloak-user] Gatekeeper docker configuration
>    question
>    <https://lists.jboss.org/pipermail/keycloak-user/2019-January/017009.html>
>    - Next message: [keycloak-user] Error controller is not invoked if
>    authentication failed
>    <https://lists.jboss.org/pipermail/keycloak-user/2019-January/017011.html>
>    - *Messages sorted by:* [ date ]
>    <https://lists.jboss.org/pipermail/keycloak-user/2019-January/date.html#17010> [
>    thread ]
>    <https://lists.jboss.org/pipermail/keycloak-user/2019-January/thread.html#17010> [
>    subject ]
>    <https://lists.jboss.org/pipermail/keycloak-user/2019-January/subject.html#17010> [
>    author ]
>    <https://lists.jboss.org/pipermail/keycloak-user/2019-January/author.html#17010>
>
> ------------------------------
>
> Hi,
>
> When a user hits a (Keycloak gatekeeper) protected site, they get
> redirected to the keycloak server login page, a URL like this :
> https://auth.website.org.uk/auth/realms/saturn/protocol/openid-connect/auth?client_id=alb&redirect_uri=https%3A%2F%2Fwww.website.org.uk%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=7103645f-0d0e-4015-ff62-206ff3eb44bf
>
> So, a typical new user journey looks like "type in https colon slash *which
> slash was it? oh that one* and another slash ww dot website dot com *oops
> no, www and dot org dot uk ENTER"
> *I don't want to type _that_ in again : Click Bookmark button QUICK*
>
> So they've now bookmarked a login page that includes a state of 7103....
>
> The session they have works and if they don't use their bookmark, it works.
>
> If they come back to it later, and use the bookmark, get asked to login and
> then get a "403 authorisation denied" error.
> The gatekeeper logs say :
> 1.5481603986412873e+09 error State parameter mismatch
> 1.5481603986665585e+09 error unable to exchange code for access token {"error":
> "invalid_grant: Incorrect redirect_uri"}
>
> So, how can I make this user journey easier with keycloak?
> Ideally I'd like to hide the auth urls completely, their browser doesn't
> need to know they're authenticating on different site.
> I tried a "sign-in-page" with a frame containing the login page from
> keycloak :
> <html>
> <frameset cols="100%">
> <frame src="{{ .redirect }}">
> </frameset>
> </html>
> (and change the security settings for frame-ancestors )
>
> And when you've logged in, you get an empty page with a 403 error.
> Gatekeeper says "unable to exchange code for access token {"error":
> "invalid_grant: Incorrect redirect_uri"}" again.
> Keycloak says :
> type=CODE_TO_TOKEN_ERROR, realmId=86979f4f-7314-4fb6-86bc-3516fcb0c3ae,
> clientId=alb, userId=01cf3b8f-498e-46b8-815e-6a9a5c2dda1c,
> ipAddress=180.430.597.666, error=invalid_code,
> grant_type=authorization_code,
> code_id=02221f30-faa5-48ad-aae6-a5adec6a705a,
> client_auth_method=client-secret
> (ip address etc. has been obfuscated)
>
> IF the user is clever, they can then remove
> the oauth/authorize?state=ba4fcb0d-6ecf-4afe-8b98-e0fbcbc4ca25 from the URL
> in the browser and the session carries on quite happily.
>
> Is there a setting I'm getting wrong in keycloak somewhere that is breaking
> this?
> In this first instance, we are returning to an old "state". I can imagine
> that not working.
>
> But the second setup, I'm just logging in to keycloak, in a frame, nothing
> else has changed from a "working" setup, just the login page is in a frame.
> (I also need to figure out how to escape the frame!!)
>
> Thanks,
> Max
>
>

More information about the keycloak-user mailing list