we have implemented a vaadin application using latest 14 LTS version of Vaadin and integrated with Keycloak 8. The configuration works and when we first start the application the user is forwarded to keycloak login page and then redirected to vaadin app.
When keycloak token expires, the application doesn't redirect to keycloak as it runs in background a heartbeat ajax request and tries to redirect to keycloak login page. We first getting a CORS error from keycloak which some how can be resolved from Keycloak I assume, but even though this work, the redirect doesn't redirect us to keycloak login, as it is ajax request
When we inspect the page we have this flow:
Heartbeat URL
URL: http://localhost:8090/?v-r=uidl&v-uiId=3
Application Login Page
URL: http://localhost:8090/sso/login
Keycloak Login URL
URL: https://keycloak_url/auth/realms/htp/protocol/openid-connect/auth?response_type=code&client_id=web&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Fsso%2Flogin&state=6ed652f2-dd7e-4398-bc60-798f6d055f69&login=true&scope=openid due to access
and the result is a not a json response in a window in application having the keycloak login form instead of redirecting
Any idea how to solve this issue?
Related
Have Integrated a Java struts based server side application with a keycloak OIDC and Oauth provider.
Java servlet adapter mentioned in the https://access.redhat.com/documentation/en-us/red_hat_single_sign-on_continuous_delivery/3/html-single/securing_applications_and_services_guide/index#servlet_filter_adapter is used for the same implemetation.
The redirect_uri configured on the server is something like https://env.application.com/contextpath/
When the we application session timeouts and the user clicks on any link in the application the redirect_uri that goes as part of authorization code grant flow adds the URI of the link in addition to the redirect_uri configured in keycloak server. This will something like for example https://env.application.com/contextpath**/submenu?name=menu**
This will result in an invalid redirect_uri error from the keycloak server.
The keycloak server doesn't allow to configure a placeholder * to be configured for security reasons.
Could someone please let me know how to handle we application session timeouts with integrated with keycloak OIDC and OAUTH provider.
Is there any other best practise availble to handle session timeouts in webapplications integrated with keyclaok OIDC.
I have a keycloak Server running on my localhost with port 8081.
I'm trying to connect my Quarkus application with it to secure REST-Endpoints.
However I'm not able to Login to my Keycloak server.
I annotated an /test endpoint with #RolesAllowed("user"). Since then I can't access the endpoint but I get an Empty page with a 401 Unauthorized error in the Web console.
What I want is that I get redirected to the Keycloak default page so I can authorize myself. Any ideas why that is not happening?
Here is my application.properties Keycloak configuration:
quarkus.oidc.auth-server-url=http://localhost:8081/realms/TestRealm
quarkus.oidc.client-id=testclient
quarkus.oidc.credentials.secret=MYSECRET
quarkus.oidc.tls.verification=none
quarkus.keycloak.policy-enforcer.enable=false
logging.level.org.keycloak=DEBUG
resteasy.role.based.security=true
quarkus.http.cors=true
quarkus.http.port=8080
when I set policy enforcer to true I can't access any endpoint.
TestRealm has a Resource configured with a /test endpoint.
In the Quarkus documentation for keycloak they said that you don't need to setup your own Keycloak Server in Dev mode since Quarkus comes with one. Might that be the Problem? is my Quarkus Application not connecting to my Keycloak server? And if so, how can I force quarkus in dev mode to use my Keycloak server?
EDIT: I figured out that I have access to my endpoint if I send the request with the Bearer token, so I guess Quarkus is accessing my Keycloak instance.
Still, why don't I get forwarded to the default Keycloak login page when trying to access my Rest endpoint via my browser? Am I missing any configuration?
For anyone with the same issue I fixed it by adding:
quarkus.oidc.auth-mechanism=keycloak
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
To the config
Situation
For my web application, I have set up a keycloak (v18.0.0) realm with an external SAML IDP.
After successfully logging in, the application is using its own cookies (I can't change this since this is an external piece of software) and has a logout endpoint to destroy those cookies when visited through the browser.
In the corresponding client configuration, I set a front-channel logout URI to be called by the browser whenever a logout is triggered from the IDP.
Problem
When triggering the single sign-out from keycloak itself using this "https://baseurl/realms/my-realm/protocol/openid-connect/logout"`, keycloak successfully logs out from the IDP and destroys its own cookies but does not redirect to the front-channel logout URI, which leaves the app in a logged-in state. I tested this without an IDP enabled and it logged me out from my app.
Question
How can I force keycloak to trigger the front-channel logout URI on a single sign-out request?
How to implement logout of client side services after idle timeout?
Services are secured by Keycloak + Application gateway.
The Gateway is node.js app which protects services' urls using Keycloak node.js adapter, so that authentication will be required on browser access to the urls. (redirect to login url)
Services enforce authorization locally by inspecting roles present in the access token gateway receives and attaches to the request after successful authentication.
Keycloak is behind gateway too.
I thought about adding custom event listener in Keycloak code which would notify all the services interested in session timeout event via some message bus.
Thanks in advance.
Keycloak informs all clients participating in a session that gets terminated (by timeout or explicit logout request). The only prerequisite is that the "Admin URL" is set for the client (see Keycloak admin console - client settings).
Since you're using the Keycloak node.js adapter it should be able to handle the logout request from Keycloak.
See Keycloak Server Administration Guide (look for "Admin URL").
I am working with java ee application where we authenticate via keycloak and during redirect we see AUTH_SESSION_ID in the cookie but after the log out its not there which might be creating problems (multiple redirect issue). SO we want to retrieve that and expire the cookie in the log out page.
update:
keycloak version is 3.4.3
we are using it to secure a java ee application running on wildfly 10
we use keycloak-wildfly adapter.
The multiple-redirect happens after the user is taken to application page after authentication.