From: Thomas Andraschko
To: users@deltaspike.apache.org
Date: Sun, 24 Jan 2016 01:20:26 +0100
Subject: Re: Re: [keycloak-dev] Problem with Keycloak 1.8.0.CR1 and Deltaspike
References: <56A0B6F2.6060209@gmail.com>

Hi,
what mode are you using? Lazy or ClientWindow?
In case of Lazy, we just remove the dswid on the clientside/js if the window.name doesn't match the dswid parameter.

2016-01-21 12:19 GMT+01:00 Gerhard Petracek :

> hi christian,
>
> the initial redirect is needed to add the window-id to the url.
> otherwise a browser-refresh on the first page would lead to a new
> window-id.
>
> regards,
> gerhard
>
>
> 2016-01-21 11:46 GMT+01:00 Christian Beikov :
>
> > Hello,
> >
> > I am cross posting this to make you aware of the problem too.
> >
> > Currently I am looking at JsfModuleConfig to see if configuring
> > isInitialRedirectEnabled to false changes anything. Can you maybe tell me
> > what the implications of configuring it like that are? Unfortunately I
> > couldn't find any documentation on why you are doing the redirect on the
> > initial request to append the window id.
> >
> >
> > -------- Forwarded Message --------
> > Subject: Re: [keycloak-dev] Problem with Keycloak 1.8.0.CR1 and Deltaspike
> > Date: Wed, 20 Jan 2016 19:58:29 +0100
> > From: Stian Thorgersen
> > Reply-To: stian@redhat.com
> > To: Christian Beikov
> > CC: keycloak-dev
> >
> >
> > The reason it's failing after upgrading from 1.1 is the check of the
> > redirect uri was added later. This is not a recent regression so we're not
> > going to fix it for 1.8. We can look into it for 1.9 though if you create a
> > JIRA.
> >
> > My suspicion is that we may not be able to fix it. The problem could be
> > that DeltaSpike is invoked prior to Keycloak adapter, which results in the
> > following behavior:
> >
> > 1. DeltaSpike adds "dswid"
> > 2. Keycloak adapter redirects to login page with redirect uri that
> >    includes dswid
> > 3. Keycloak server authenticates users and redirects back to the
> >    application (including dswid)
> > 4. DeltaSpike removes "dswid"
> > 5. Keycloak adapter tries to obtain token using redirect_uri param without
> >    dswid, which is rejected
> >
> > Step 5 is a step that we can't remove as it's required by the OpenID
> > Connect specification. It's there to prevent potential attacks.
> >
> > On 20 January 2016 at 18:17, Christian Beikov <christian.beikov@gmail.com> wrote:
> >
> > Hello,
> >
> > we have a problem since Keycloak 1.8.0.CR1 that we didn't have in
> > 1.1.0.Final.
> > The problem appears when accessing a secured JSF page that uses
> > DeltaSpike. DeltaSpike redirects the initial request to append a query
> > param to the path called "dswid". When accessing a secured page, the
> > Keycloak adapter also does some redirects and adds the redirect uri,
> > this time the one already including the dswid, into the client session,
> > but redirects the browser to a URL that includes a redirect uri that
> > does not contain the dswid. The authentication process fails here:
> >
> > https://github.com/keycloak/keycloak/blob/1.8.0.CR1/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L231
> >
> > Since it worked earlier, I guess this is a bug. The actual problem is
> > the mismatch between the redirect uri stored in the session and the
> > redirect uri returned to the browser. Hope you can fix this for
> > 1.8.0.Final
> >
> > Regards,
> > Christian
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev@lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
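A constructed Python model of the five-step sequence in Stian's forwarded message, added here as an example and not code from the thread, Keycloak or DeltaSpike: it shows why stripping the dswid parameter before the code exchange fails the exact-match redirect_uri check that RFC 6749 section 4.1.3 requires, and adds a small helper that reports which query parameter differs. The page URL, the code value and the window id are assumptions.

```python
from urllib.parse import urlsplit, parse_qs


class TokenEndpointModel:
    """Constructed model (not Keycloak code) of the token endpoint's
    redirect_uri check: the redirect_uri sent with the authorization code
    must be identical to the one used in the authorization request, so a
    missing query parameter is enough to reject the exchange."""

    def __init__(self):
        self._issued = {}  # code -> redirect_uri recorded when the code was issued

    def authorize(self, code, redirect_uri):
        self._issued[code] = redirect_uri

    def exchange(self, code, redirect_uri):
        expected = self._issued.get(code)
        if expected is None:
            return "invalid_grant"
        if redirect_uri != expected:  # exact string comparison, no normalisation
            return "invalid_grant: redirect_uri mismatch"
        return "access_token"


def query_param_diff(uri_a, uri_b):
    """Query parameter names present in only one of the two URIs; useful when
    diagnosing which parameter broke the exact-match check."""
    a = set(parse_qs(urlsplit(uri_a).query))
    b = set(parse_qs(urlsplit(uri_b).query))
    return a ^ b


def simulate_flow(strip_window_id, page="https://app.example/secure.xhtml"):
    """Replay the five-step sequence from the thread. The page URL, code and
    window id are assumptions; strip_window_id=True models step 4."""
    endpoint = TokenEndpointModel()
    with_dswid = page + "?dswid=1234"          # step 1: DeltaSpike appends dswid
    endpoint.authorize("code-1", with_dswid)   # step 2: redirect uri with dswid is registered
    # step 3: the server sends the browser back to with_dswid together with the code
    seen_by_adapter = page if strip_window_id else with_dswid  # step 4
    result = endpoint.exchange("code-1", seen_by_adapter)      # step 5
    return result, query_param_diff(with_dswid, seen_by_adapter)


if __name__ == "__main__":
    print(simulate_flow(strip_window_id=True))
    print(simulate_flow(strip_window_id=False))
```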