Hello,
I am using the Lazy mode, but it turned out to be a problem with the
load balancing configuration.
Apparently the Keycloak server adapters require sticky sessions to work
properly, so there is nothing wrong with deltaspike.
Thanks anyway for the quick answers!
Regards,
Christian
Am 24.01.2016 um 01:20 schrieb Thomas Andraschko:
Hi,
what mode are you using? Lazy or ClientWindow?
In case of Lazy, we just remove the dswid on the clientside/js if the
window.name doesn't match the dswid parameter.
2016-01-21 12:19 GMT+01:00 Gerhard Petracek <[email protected]>:
hi christian,
the initial redirect is needed to add the window-id to the url.
otherwise a browser-refresh on the first page would lead to a new
window-id.
regards,
gerhard
2016-01-21 11:46 GMT+01:00 Christian Beikov <[email protected]>:
Hello,
I am cross posting this to make you aware of the problem too.
Currently I am looking at JsfModuleConfig to see if configuring
isInitialRedirectEnabled to false changes anything. Can you maybe tell me
what the implications of configuring it like that are? Unfortunately I
couldn't find any documentation on why you are doing the redirect on the
initial request to append the window id.
-------- Weitergeleitete Nachricht --------
Betreff: Re: [keycloak-dev] Problem with Keycloak 1.8.0.CR1 and
Deltaspike
Datum: Wed, 20 Jan 2016 19:58:29 +0100
Von: Stian Thorgersen <[email protected]>
Antwort an: [email protected]
An: Christian Beikov <[email protected]>
Kopie (CC): keycloak-dev <[email protected]>
The reason it's failing after upgrading from 1.1 is the check of the
redirect uri was added later. This is not a recent regression so we're
not
going to fix it for 1.8. We can look into it for 1.9 though if you
create a
JIRA.
My suspicion is that we may not be able to fix it. The problem could be
that DeltaSpike is invoked prior to Keycloak adapter, which results in
the
following behavior:
1. DeltaSpike adds "dswid"
2. Keycloak adapter redirects to login page with redirect uri that
includes dswid
3. Keycloak server authenticates users and redirects back to the
application (including dswid)
4. DeltaSpike removes "dswid"
5. Keycloak adapter tries to obtain token using redirect_uri param
without
dswid, which is rejected
Step 5 is a step that we can't remove as it's required by the OpenID
Connect specification. It's there to prevent potential attacks.
On 20 January 2016 at 18:17, Christian Beikov <
[email protected]
<mailto:[email protected]>> wrote:
Hello,
we have a problem since Keycloak 1.8.0.CR1 that we didn't have in
1.1.0.Final.
The problem appears when accessing a secured JSF page that uses
DeltaSpike. DeltaSpike redirects the initial request to append a query
param to the path called "dswid". When accesing a secured page, the
Keycloak adapter also does some redirects and adds the redirect uri,
this time the one already including the dswid, into the client
session,
but redirects the browser to a URL that includes a redirect uri that
does not contain the dswid. The authentication process fails here:
https://github.com/keycloak/keycloak/blob/1.8.0.CR1/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L231
Since it worked earlier, I guess this is a bug. The actual problem is
the mismatch between the redirect uri stored in the session and the
redirect uri returned to the browser. Hope you can fix this for
1.8.0.Final
Regards,
Christian
_______________________________________________
keycloak-dev mailing list
[email protected] <mailto:[email protected]>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
