Return-Path: X-Original-To: apmail-deltaspike-users-archive@www.apache.org Delivered-To: apmail-deltaspike-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id E67F618D1F for ; Mon, 25 Jan 2016 13:09:11 +0000 (UTC) Received: (qmail 21907 invoked by uid 500); 25 Jan 2016 13:09:06 -0000 Delivered-To: apmail-deltaspike-users-archive@deltaspike.apache.org Received: (qmail 21862 invoked by uid 500); 25 Jan 2016 13:09:06 -0000 Mailing-List: contact users-help@deltaspike.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@deltaspike.apache.org Delivered-To: mailing list users@deltaspike.apache.org Received: (qmail 21850 invoked by uid 99); 25 Jan 2016 13:09:06 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Jan 2016 13:09:06 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id B1168C0D8D for ; Mon, 25 Jan 2016 13:09:05 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.1 X-Spam-Level: X-Spam-Status: No, score=-0.1 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-us-west.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id eiVN3qkAprzt for ; Mon, 25 Jan 2016 13:08:52 +0000 (UTC) Received: from mail-wm0-f42.google.com (mail-wm0-f42.google.com [74.125.82.42]) by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with ESMTPS id 5995F20F18 for ; Mon, 25 Jan 2016 13:08:50 +0000 (UTC) Received: by mail-wm0-f42.google.com with SMTP id 123so64860542wmz.0 for ; Mon, 25 Jan 2016 05:08:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=FAfqxvpLIeB2TY3uPSvVIfpvXcu+4+icBlydQRIpbEU=; b=p6v7HYmxFseDnb8mj2yKWOyInqQcBKzGzU9u0pQj04GGijECwpgmIjsKvGl92pVoG8 ZDfLkKa1zn18eYxW7Z+J4/EyM9USbxbXbSqJEYhbR2h5Q5qEb8R6C7mWlH+f/srtyOaD t3NwU4iw/5gBHSNsCEfWTQoQ6RQshdqgU22Cc/7evD5nAuZeotINeJ0anW903juiAce4 kRFBKpNfM7UvevSkVJ4XcTInuDCAa3zstN7EY1HXslENnrlrszrUlLTxfl/STDOH4gD3 7eUOk5tD90N54/yXKVnyIXZULFSpdYm2j7kn2pPcMoQgGokwndZaO4GE4Rf5oIHZcffj JRaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=FAfqxvpLIeB2TY3uPSvVIfpvXcu+4+icBlydQRIpbEU=; b=c2kuhMkt2Ikf8XIuAw/aCOsjKjEjQOe+/MfdntMG/K9gGYTjOiuZH+k5RZ0J8Gm2Yt x3ntVZTPIwxXFK+TrZma0R3ajpwq8hcNlaCyBTzxJXp2OWm6mq0S/W/9KVmHB00iw05e 9HuZVQKYZ3zGz8o8U9xvQQ8QUF3tMopn7Xtm3i2KUL5dltohVuOmOgBYVAvPouKMUaie uHfQm9JlxWxdM63ab56R/aMixbY3oQschI7ubmGNTprOFvCct1VQlj9TALjkAJdJ6Wwd wvdRGs3cWtJtiG7BVPMNrtiXlhQ5PnwMmHRfQV+y3bjOAMZoL7a4UUEMSW+ZPCcym5wR 5WKA== X-Gm-Message-State: AG10YOSwqJexh5HxXevC0GiLpQHGRlAjsd7vZxIISm441+mpbqgRR2RAR+q44qLf5PWCOA== X-Received: by 10.194.184.210 with SMTP id ew18mr17206387wjc.79.1453727328909; Mon, 25 Jan 2016 05:08:48 -0800 (PST) Received: from [10.0.0.8] (91-114-136-244.adsl.highway.telekom.at. [91.114.136.244]) by smtp.googlemail.com with ESMTPSA id qs1sm19109824wjc.2.2016.01.25.05.08.48 for (version=TLSv1/SSLv3 cipher=OTHER); Mon, 25 Jan 2016 05:08:48 -0800 (PST) Subject: Re: [keycloak-dev] Problem with Keycloak 1.8.0.CR1 and Deltaspike To: users@deltaspike.apache.org References: <56A0B6F2.6060209@gmail.com> From: Christian Beikov Message-ID: <56A61E5D.9000404@gmail.com> Date: Mon, 25 Jan 2016 14:08:45 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Hello, I am using the Lazy mode, but it turned out to be a problem with the load balancing configuration. Apparently the Keycloak server adapters require sticky sessions to work properly, so there is nothing wrong with deltaspike. Thanks anyway for the quick answers! Regards, Christian Am 24.01.2016 um 01:20 schrieb Thomas Andraschko: > Hi, > > what mode are you using? Lazy or ClientWindow? > > In case of Lazy, we just remove the dswid on the clientside/js if the > window.name doesn't match the dswid parameter. > > > 2016-01-21 12:19 GMT+01:00 Gerhard Petracek : > >> hi christian, >> >> the initial redirect is needed to add the window-id to the url. >> otherwise a browser-refresh on the first page would lead to a new >> window-id. >> >> regards, >> gerhard >> >> >> >> 2016-01-21 11:46 GMT+01:00 Christian Beikov : >> >>> Hello, >>> >>> I am cross posting this to make you aware of the problem too. >>> >>> Currently I am looking at JsfModuleConfig to see if configuring >>> isInitialRedirectEnabled to false changes anything. Can you maybe tell me >>> what the implications of configuring it like that are? Unfortunately I >>> couldn't find any documentation on why you are doing the redirect on the >>> initial request to append the window id. >>> >>> >>> -------- Weitergeleitete Nachricht -------- >>> Betreff: Re: [keycloak-dev] Problem with Keycloak 1.8.0.CR1 and >>> Deltaspike >>> Datum: Wed, 20 Jan 2016 19:58:29 +0100 >>> Von: Stian Thorgersen >>> Antwort an: stian@redhat.com >>> An: Christian Beikov >>> Kopie (CC): keycloak-dev >>> >>> >>> >>> The reason it's failing after upgrading from 1.1 is the check of the >>> redirect uri was added later. This is not a recent regression so we're >> not >>> going to fix it for 1.8. We can look into it for 1.9 though if you >> create a >>> JIRA. >>> >>> My suspicion is that we may not be able to fix it. The problem could be >>> that DeltaSpike is invoked prior to Keycloak adapter, which results in >> the >>> following behavior: >>> >>> 1. DeltaSpike adds "dswid" >>> 2. Keycloak adapter redirects to login page with redirect uri that >>> includes dswid >>> 3. Keycloak server authenticates users and redirects back to the >>> application (including dswid) >>> 4. DeltaSpike removes "dswid" >>> 5. Keycloak adapter tries to obtain token using redirect_uri param >> without >>> dswid, which is rejected >>> >>> Step 5 is a step that we can't remove as it's required by the OpenID >>> Connect specification. It's there to prevent potential attacks. >>> >>> On 20 January 2016 at 18:17, Christian Beikov < >> christian.beikov@gmail.com >>> > wrote: >>> >>> Hello, >>> >>> we have a problem since Keycloak 1.8.0.CR1 that we didn't have in >>> 1.1.0.Final. >>> The problem appears when accessing a secured JSF page that uses >>> DeltaSpike. DeltaSpike redirects the initial request to append a query >>> param to the path called "dswid". When accesing a secured page, the >>> Keycloak adapter also does some redirects and adds the redirect uri, >>> this time the one already including the dswid, into the client >> session, >>> but redirects the browser to a URL that includes a redirect uri that >>> does not contain the dswid. The authentication process fails here: >>> >>> >> https://github.com/keycloak/keycloak/blob/1.8.0.CR1/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L231 >>> Since it worked earlier, I guess this is a bug. The actual problem is >>> the mismatch between the redirect uri stored in the session and the >>> redirect uri returned to the browser. Hope you can fix this for >>> 1.8.0.Final >>> >>> Regards, >>> Christian >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev@lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> >>> >>> >>>