Keycloak is causing IE to have an infinite loop

We are using the Keycloak 1.3.1 authentication library, and I've noticed that once I initialize Keycloak with { onLoad: 'login-required' }, IE (11) gets into an infinite loop...

Other browsers work fine.

I'm basically doing this:

keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
    console.info(authenticated ? 'authenticated' : 'not authenticated');

    // some other stuff...

}).error(function() {
    console.warn('failed to initialize');
});

Any idea what's causing it, and how to solve this? I'm trying to install the newest version, 1.4.0, now in hopes that the weird bug gets solved.

Thanks in advance.

Nemanja Milosavljevic asked Aug 20 '15 13:08


2 Answers

I had the same problem with keycloak v1.5.0.Final / Internet Explorer 11, and finally figured out what is going on.

1. Behind the scene

When using the 'login-required' or 'check-sso' mode in Keycloak's init method, the Keycloak JavaScript Adapter sets up an iframe that checks at timed intervals that the user is authenticated.

This iframe is retrieved from the Keycloak server (let's say http(s)://yourkeycloakhost:port):

http(s)://yourkeycloakhost:port/auth/realms/yourrealm/protocol/openid-connect/login-status-iframe.html?client_id=yourclientid&origin=http(s)://yourorigin

and its content is a JavaScript script which should be able to access the KEYCLOAK_SESSION cookie previously set by Keycloak on authentication (on the same domain, i.e. http(s)://yourkeycloakhost:port).

2. The problem with IE

Yes! Here is the problem with Internet Explorer, which has a strict policy on iframes and cookies. Actually, the Keycloak iframe does NOT have access to the yourkeycloakhost domain's cookies due to its P3P policy (Microsoft Internet Explorer is the only major browser to support P3P).

This problem is well described in this Stack Overflow question.

3. Resolution

The solution is to make Internet Explorer trust our Keycloak domain (yourkeycloakhost) for using cookies, so that the iframe is able to read the KEYCLOAK_SESSION cookie value and register it in its data.

To do that, your Keycloak server must append an HTTP response header with P3P information. You can do that with an Apache or nginx proxy that will always set the proper headers. I did that with Apache and its mod_headers module:

Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"

You can learn more about P3P at the W3C and/or validate your P3P policy with this P3P validator.

4. Consequence

You can have a look at Keycloak's iframe code:

var cookie = getCookie('KEYCLOAK_SESSION');
if (cookie) {
    data.loggedIn = true;
    data.session = cookie;
}

Now the cookie on domain yourkeycloakhost is retrieved correctly by Internet Explorer, and the problem is fixed!

François Maturel answered Sep 23 '22 20:09


A workaround that worked for me, learnt from the Keycloak documentation: add the parameter checkLoginIframe when executing the init method: .init({onLoad: 'login-required', checkLoginIframe: false})

yodamad answered Sep 23 '22 20:09
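The following is an added example, written for this page; it is not code from either answer and not Keycloak's own adapter. It models, in plain Node.js, the mechanism the first answer describes (the login-status iframe reading the KEYCLOAK_SESSION cookie, and IE refusing to expose that cookie to a cross-site iframe unless the response carried a P3P header) and the workaround from the second answer (checkLoginIframe: false). The loginStatus function mirrors the iframe snippet quoted above; everything else (BrowserModel, simulateInit, scenarios, the constructed host and session values, and the assumption that the adapter reacts to a "logged out" report by redirecting to login again under login-required) is an assumption made for the illustration. The P3P header value is the one from the Apache directive in the first answer.

```javascript
// Added example: a model of the login-status iframe check, not Keycloak's code.

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Equivalent of the getCookie() used by the iframe snippet quoted in the answer.
function getCookie(cookieString, name) {
  return parseCookies(cookieString)[name] || '';
}

// What the iframe page concludes from the cookies it is allowed to see.
function loginStatus(visibleCookieString) {
  const data = { loggedIn: false, session: null };
  const cookie = getCookie(visibleCookieString, 'KEYCLOAK_SESSION');
  if (cookie) {
    data.loggedIn = true;
    data.session = cookie;
  }
  return data;
}

// Constructed browser model (assumption): cookies are stored per host, and a
// browser that blocks third-party cookies hides them from a cross-site iframe
// unless the iframe's response carried a P3P header.
class BrowserModel {
  constructor(name, blocksThirdPartyCookies) {
    this.name = name;
    this.blocksThirdPartyCookies = blocksThirdPartyCookies;
    this.jar = {}; // host -> { cookieName: value }
  }
  setCookie(host, name, value) {
    (this.jar[host] = this.jar[host] || {})[name] = value;
  }
  // document.cookie as seen by an iframe served from `host` inside the app.
  cookieStringForIframe(host, iframeResponseHeaders) {
    const hasP3P = Object.keys(iframeResponseHeaders).some((h) => h.toLowerCase() === 'p3p');
    if (this.blocksThirdPartyCookies && !hasP3P) return '';
    return Object.entries(this.jar[host] || {}).map(([k, v]) => `${k}=${v}`).join('; ');
  }
}

const KEYCLOAK_HOST = 'yourkeycloakhost:8080'; // constructed placeholder
// Header value taken from the Apache directive in the first answer.
const P3P_HEADER = { P3P: 'CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG' };

// Model of init({ onLoad: 'login-required', ... }) followed by the iframe check.
// Assumption: if the iframe reports "logged out", the adapter redirects to
// login again; the loop is cut off after maxRounds so the simulation terminates.
function simulateInit(browser, iframeResponseHeaders, initOptions, maxRounds = 5) {
  const trace = [];
  for (let round = 1; round <= maxRounds; round++) {
    // Login on the Keycloak host sets KEYCLOAK_SESSION there and returns to the app.
    browser.setCookie(KEYCLOAK_HOST, 'KEYCLOAK_SESSION', 'demo/constructed-session-id');
    trace.push(`round ${round}: login redirect completed, adapter holds a token`);
    if (initOptions.checkLoginIframe === false) {
      return { authenticated: true, rounds: round, loopDetected: false, trace };
    }
    const status = loginStatus(browser.cookieStringForIframe(KEYCLOAK_HOST, iframeResponseHeaders));
    if (status.loggedIn) {
      return { authenticated: true, rounds: round, loopDetected: false, trace };
    }
    trace.push(`round ${round}: iframe cannot read KEYCLOAK_SESSION, reports logged out`);
  }
  return { authenticated: false, rounds: maxRounds, loopDetected: true, trace };
}

// The four situations discussed on the page, side by side.
function scenarios() {
  const loginRequired = { onLoad: 'login-required' };
  return {
    otherBrowser: simulateInit(new BrowserModel('other', false), {}, loginRequired),
    ieNoP3P: simulateInit(new BrowserModel('IE11', true), {}, loginRequired),
    ieWithP3P: simulateInit(new BrowserModel('IE11', true), P3P_HEADER, loginRequired),
    ieNoIframeCheck: simulateInit(new BrowserModel('IE11', true), {}, { ...loginRequired, checkLoginIframe: false }),
  };
}

const RESULTS = scenarios();
for (const [name, r] of Object.entries(RESULTS)) {
  console.log(name + ': ' + (r.loopDetected ? `loop, gave up after ${r.rounds} rounds` : `authenticated in round ${r.rounds}`));
}
```

Run it with node; the ieNoP3P scenario is the only one that never settles, while the P3P header (first answer) and checkLoginIframe: false (second answer) both make IE authenticate in a single round. Note that the two fixes differ in what they trade away: the header keeps the periodic session check working, whereas disabling the iframe check means the adapter no longer notices a session ended elsewhere until a token refresh fails.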