Hi Christian.

Thanks for the suggestion, i tried create a Keycloak Object and call to init function:

    <script>
        var keycloak = Keycloak({
                            url: 'http://localhost:8080/auth',
                            realm: 'demo',
                            clientId: 'xplanner-frontend'
                        });
        keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
            alert(authenticated ? 'authenticated' : 'not authenticated');
        }).error(function() {
            alert('failed to initialize');
        });                       
    </script> 

I navigate to http://localhost:8080/errai-security-demo and the result is the text "Bad Request" and the new url is: http://localhost:8080/errai-security-demo/WelcomePage?prompt=none&code=Zl2xp7Am4RYHFxtuCVS-_xpJKzVaH3xx5Xuac-IhsuY.8a7b6…

I read the documentation of Javascript Adapter and i see "It works in the same way as other application adapters except that your browser is driving the OAuth redirect protocol rather than the server.".

I see de Network console in chrome:

I am tempted to think that there is compatibility problem with javascript adapter and protected resources Errai security or a compatibility problem with Errai navigation.

Hi Christian.

in my desperation I made the following:

1. i try to add a method getToken in AuthenticationService interface and KeycloakAuthenticationService class, the code in the class is:

    public String getToken() {
        return keycloakSecurityContext.getTokenString();
    }

*I saw the need to change other classes With dummies getToken's methods.

2. for test purposes i add EventHandler in Welcome.java (in "Errai Security Demo")

  @EventHandler("obtieneRutina")
  public void onObtieneRutina(ClickEvent e) {
      String idRutina = this.idRutina.getText();
      
      authCaller.call(new RemoteCallback<String>() {


      @Override
      public void callback(final String token) {
       Storage stockStore = null;
       stockStore = Storage.getLocalStorageIfSupported();
       Window.alert(token);
       if (stockStore != null) {
            stockStore.setItem("token", token);
          }
      }
    }, new BusErrorCallback() {


      @Override
      public boolean error(Message message, Throwable throwable) {
        userLabel.setText(ANONYMOUS);
        return true;
      }
    }).getToken();
      
      routinesServiceCaller.call(new RemoteCallback<Rutina>() {


          @Override
          public void callback(Rutina response) {
              Window.alert(response.toString());
              rutina.setNombre(response.getNombre());
          }
      }).routinesIdRoutineGet(idRutina);
    
  }

3. Change the interceptor:

  @Override
  public void aroundInvoke(final RestCallContext context) {
      
      String token = "nani";
      Storage stockStore = null;
      stockStore = Storage.getLocalStorageIfSupported();
      if (stockStore != null) {
          token = stockStore.getItem("token");
      }


      RequestBuilder builder = context.getRequestBuilder();
      builder.setHeader("Authorization", "Bearer " + token);
      context.proceed();


  }

Then the call is successful.

however I am not happy with such a dirty solution, starting with I had to modify their sources and do not know the consequences, besides I could not inject the AuthenticationService in the interceptor, and I had to resort to local storage to store the token.

any suggestions?

Regards.

Victor Soria.

Hi Christian! Happy New Year!

I could write before by celebrations, which by the way have been very good.

Now i finish reading the documentation on github with respect to the pull request (I'm new to github for anything other than make "git clone" ) and send it.

I try setIncludeCredentials option, however it did not work and got this output :

XMLHttpRequest cannot load http://localhost:1111/routines/448ca53f-8145-433b-bcc0-f5f74f630886.

  The request was redirected to 'http://localhost:8080/auth/realms/demo/protocol/openid-connect/login?client…cc0-f5f74f630886&state=0%2F43dcc86e-f774-49ba-aca9-434b1842ab31&login=true',

  which is disallowed for cross-origin requests that require preflight.

for this comment option "setBearerOnly (true)" in my jetty adapter(because "Errai Security Demo" not send the header "Authetication: Bearer " + token ).

I tried to do the equivalent of cors project example: keycloak/examples/cors at master · keycloak/keycloak · GitHub apparently this one contemplates the use of bearertoken to use cors, although I will continue investigating if I find any alternative because it never hurts, maybe it's a matter of using "setIncludeCredentials (true)" option in "ErraiSecurityDemo" and try some other settings in the adapter del backend (Keycloak JettyAdapter in dropwizard), but do not know enough the inner workings of Errai-security-keycloak (and not the internal behavior of keycloak), I not venture to say that could be done. For now the bearertoken aproximation for "CORS example" of keycloak team works well if we get the token.

Regards.

Victor.

Hi Christian,

I have not sent the pull request; i  detect another problem, if I, inject User object, the token is not updated on each call to the interceptor, when the token_ expires, I get an error message; that does not happen if I run the method getToken(Modification of the AuthenticationService) unfortunately include getToken method involves affect other jars such as class implement all AuthenticationService.

Another problem that was thinking is that if I, inject the user object and included the token_ in properties, this is a fairly large String and adds many bytes that not everyone may need; On the other hand, injecting user_properties for each call rest, is much more information than I need.

So for now I'll stay with the modification that adds the method getToken (i annotated @Dependet the interceptor and inject the service); however I do not think send an pull request as the method getToken affect other files that have to do with keycloak and in this case the token is the stuff of keycloak.

On the other hand my need is too specific and may need to stop that units are those that take into consideration whether it is worthwhile to include this in the code and what would be the best alternative to do, so generare one feature request.

sorry for my English, I need urgently a course, reading is easy for me but writing is complicated me too. I hope you have understood the idea

Hello Christian

Sorry for the delay in answering, I've been with a lot of workload and this is a personal project, but hey now return to the load.

I tested again to see if the token is refreshed; and indeed, if it does; not really that way because KeycloakAuthenticationService analyzing the code and can not find the code where the refresh ago.

It seems that you were running an instance of RefreshableKeycloakSecurityContext but do not see where. At the moment I can not analyze it more deeply; I further progress in the visual part of the project. But as you can volvere to immerse myself in those sources.

I like Errai and Errai Security, with respect to each other as could be Angular + JS adapter.

Besides the JS Keycloak Adapter have this disadvantage :

The Keycloak Server comes with a Javascript library you can use to secure pure HTML/Javascript applications. It works in the same way as other application adapters except that your browser is driving the OAuth redirect protocol rather than the server.

The disadvantage of using this approach is that you end up having a non-confidential, public client. This can be mitigated by registering valid redirect URLs. You are still vulnerable if somebody hijacks the IP/DNS name of your pure HTML/Javascript application though.

Regards,

Victor Soria.