01-14-2020 02:40 AM
Hi,
I'm attempting to explore running the ADF Example Content App with implicitFlow=false configured into the ADF app.config.json.
I've seen this mentioned in slide 48 of a slide pack by Eugenio Romano:
https://www.slideshare.net/EugenioRomano/lets-play-with-adf-30
The following slide (#49) suggests that under this login configuration, even though KeyCloak is used for authentication, the user will stay in the ADF app and not be redirected to the KeyCloak login page, and that a successful login will take the user directly into the default page (e.g. personal folders).
I'm running ECM community v6.2, ADF example app 1.9, and KeyCloak 8.0.1.
I'm finding that when I attempt to log on, the following happens:
1. The message "You've entered an unknown username or password" is presented on the login component UI.
2. The message "login OAUTH error" is presented in the javascript console.
3. Under debug I can see attributes on the error object include:
- crossDomain: true
- url (this is a non-https local url on my system)
- message: 'Request has been terminated? Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc.'
4. A NullPointerException appears on the KeyCloak server console (the last line in the stack trace is 'at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.checkSsl(TokenEndpoint.java:220)').
5. On the KeyCloak Realm settings I have Require SSL set to 'none', and under the KeyCloak Client I have Standard Flow enabled, and Implicit Flow disabled (as I'm not using this). I've got identity-service.ssl-required set to 'none' in alfresco-global.properties.
6. In terms of config for alfresco-global.properties and app.config.json, settings are all otherwise as per the Alfresco documentation for setting up KeyCloak (in particular the article titled "Getting Started with Alfresco Identity Service EA (Keycloak)"), and this config works in terms of successful login via redirect to the KeyCloak page when implicitFlow is enabled.
7. Under debug (of the ADF app) I've picked up all the relevant values for url, content type & form attributes, and have used these in direct curl calls to login to KeyCloak successfully.
8. The ADF app and content services are hosted on the same server.
9. I've enabled CORS on the content services server
Given point 8, and given that the server is known to be available on the url being used, it seems unexpected that the origin may not be allowed?
It seems also from the exception on the KeyCloak server that SSL might be relevant somehow?
I'm wondering, given all of the above, if anyone knows of anything obvious that I could try looking at in terms of SSL or cross-origin problems? Or perhaps I'm using a release of KeyCloak that isn't recommended?
Any ideas would be greatly appreciated thanks!
01-21-2020 03:59 AM
For anyone interested in this issue, I've progressed by building a version of Keycloak for test purposes that avoids making the call internally to checkSsl(). The result is that the authentication now works without any other problems (at least that I've experienced).
I thought that I had disabled SSL everywhere, so it's still a mystery why Keycloak was doing that.
I'm guessing that when I do progress to implementing with SSL enabled, I should be able to switch back to the unmodified version of Keycloak OK.