I am in the process of upgrading an SPI that was built against version 10 to version 25. There is a class that extends the RealmResourceProvider class that calls createLoginCookie. It is basically the same as the AuthenticationManager.createLoginCookie method, but the getRealmCookiePath was changed to /foo/bar/ + realm.getId() + /. I know the realm.getId() would need to be changed to realm.getName(). But what I am not sure about is how to set the path in version 25. Keycloak 25 now uses CookieType of either SESSION or IDENTITY, which I don’t see an easy way to set a custom path for. Can someone please suggest the correct way to set the path?
For the cookies I just copied the code from AuthenticationManager.createLoginCookie to my createLoginCookie method and instead of calling keycloakSession.getProvider(CookieProvider.class).set(CookieType… I just create my own Keycloak identity and Keycloak session cookies with the correct path and add them to the keycloaksession. I can see the cookies with the correct paths, so I think that will work.
My new problem is a redirect that ends with a site can’t be reached error. First there is a GET to https://foo.com/bar/keys/SamlTest_basic/sso and that returns with a 301 just like it did in the older version. Next there is a GET to https://foo.com/bar/keys/SamlTest_basic/protocol/saml/clients/sso, but instead of returning a 200 I get a 302 with it going to https://mykeycloak.com/realms/SamlTest_basic/login-actions/required-action?execution=VERIFY_PROFILE&client_id=sso&tab_id=asdfsdfasdf&client_data=asdfasdfsadf. That URL is the one that gets site can’t be reached.
Normally if that returned a 200 it would then do a GET to the actual SSO like https://auth.pingone.com which would return a 302 and take me to the site.
I can reach mykeycloak.com:8443, but not mykeycloak.com. But that is the same as our old version. So, I am trying to figure out if something with the Keycloak upgrade has changed this or maybe something in our networking or server setup with the new Keycloak, and figure out why the new version is getting a 302 with it going to https://mykeycloak.com/realms/SamlTest_basic/login-actions/required-action.
Does anyone know what would cause it to redirect to the login-actions/required-action page? What cookies are needed for it to be logged in, if that is even the problem?
I figured it out. I had to disable Verify Profile even though it was set to default action off. Is that a bug?
Anyway, I have SSOs working through Keycloak. I do still have an issue getting a token, but that is another issue. So, close to getting Keycloak 25 working.