Automatic Login to Javascript Client Adapter with inital Access and Refresh Token

Securing applications
1

We have secured a webapp with the Javascript client adapter (8.0.2). Regular login with redirect to Keycloak’s login page (Authorization Code flow) works fine.

Now we’d also like to be able to login automatically by passing an access and refresh token. I’ve tried passing both to init():

keycloak = new Keycloak();
keycloak.init({
        promiseType: 'native',
	token: token,
	refreshToken: refresh
}).then(function(authenticated) {
	alert(authenticated ? 'authenticated' : 'not authenticated');
}).catch(function() {
    alert('Failed to initialize');
});

but I get “not authenticated”. Of course I made sure the tokens are valid :slight_smile:

When debugging, at some point event.data is “changed” and in line 1233, the token is cleared:

            if (event.data != 'unchanged') {
                kc.clearToken();
            }

I suppose it means that login failed somehow, however without anything like that in the server log.

What could be going wrong here? Is it actually possible at all to login with token + refresh token?
My hope was that the adapter would just validate the access token and use the refresh token to refresh when needed.

1 Like
2

It seems that for this to work, it is necessary to pass the option

checkLoginIframe: false

to Keycloak.init(). Like that, the outcome is “authenticated”.

(With the current 9.0.0 this however only works with promiseType: legacy because of KEYCLOAK-13100)

Yet however, I was expecting a subsequent call to login() to just “return” like after a “real” login, but it redirects to Keycloak’s login page. So this means initializing the adapter with a token authenticates, but does not perform an actual SSO?

3

I’m running into this problem as well. When you use init on the adapter with valid a (refresh)token you do get authenticated as a result.

However the adapter logout doesn’t invalidate the tokens, also you cookies that get set during a normal login procedure also are not set. Because the cookies are not there you are no longer authenticated if you do a page refresh (unless you would use a token but since the token isn’t stored anywhere it should be requested again).

Would there be a way that cookies are set like the normal login procedure if you init the adapter with a token and refreshToken?

4

One solution could be https://stackoverflow.com/a/63154387/709426

Any feedback on if this is a good solution is welcome :slight_smile: (or if there is another way…)

5

So why are you calling login() after you are already authenticated? I think you only need to call login when the opposite is true.

6

I just called login() to test SSO after initializing the client adapter with a valid token, and to see if it maybe sets the cookies when the client adapter was initialized with a valid token.

7

I’ve also ran into same issue. Also; in my case the frontend has the actual username and password so I can potentially submit them to login-actions/authenticate end-point. Any update on this thread or any suggestion how to generate a login-actions/authenticate url.

Thank you for any suggestion…

http://keycloak.discourse.group/t/having-authentication-token-and-login-credentials-how-we-can-automatically-login-user/4825