1

I'm using Keycloak's JavaScript Adapter to connect a web application with the SSO of my workplace. The code looks like this (server data is loaded via the keycloak.json file):

```javascript
const keycloak = Keycloak();
keycloak.init({onLoad: "login-required"}).success(authenticated => {
    // ...
}).error(() => {
    // ...
});
```

It works as intended on Firefox and Chrome, but on Internet Explorer (v. 11) the POST request for the token returns a 400 Bad Request. Is this a problem with my configuration of Internet Explorer or of Keycloak-js itself? Here is a screenshot from IE.

Specult76
  • Welcome to Stack Overflow. Do you get any message with the 400 code response? Also, do you get any server-side log (if you can see it)? – Aritz Aug 31 '18 at 06:55
  • Hi, although the content length is set to 446, there is no message delivered with the 400. I also do not have access to the Keycloak server directly, unfortunately. – Specult76 Aug 31 '18 at 07:01
  • Which params are being POSTed to the `/token` endpoint? 400 indicates a bad request, so you might be missing a parameter there. Check that the same parameters are being sent in IE and the other browsers. – Aritz Aug 31 '18 at 07:21
  • AUTH_SESSION_ID, KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. I just tested executing `document.execCommand("ClearAuthenticationCache");` prior to init'ing Keycloak and, believe it or not, it appears to work. What is weird is that IE now sends _fewer_ parameters, because it is only KEYCLOAK_SESSION. Unfortunately, this method forces me to log in upon every page refresh. – Specult76 Aug 31 '18 at 07:24
  • Edit: What I mentioned above were cookies, not parameters. When the auth cache is cleared, fewer cookies are sent and then it apparently works? The parameters in question are "code", "grant_type" and "redirect_uri", present in both the working and non-working requests. – Specult76 Aug 31 '18 at 07:35
  • I wouldn't try cleaning `ClearAuthenticationCache`. Instead, I would focus on that 400 and try to discover what's actually causing it. Maybe you'll need to contact the KC server admin in order to get some hint (if the cause is not getting displayed in the response message). Have you tried clearing the IE caches? Setting it in incognito mode? From another PC? – Aritz Aug 31 '18 at 07:36
  • I cleared IE's full browser data for each test, same result every time. Incognito mode has no effect, neither do different machines. I've talked to the server admins and they handed me the following log snippet: `2018-08-31 09:45:15,212 WARN [org.keycloak.events] (default task-13) type=CODE_TO_TOKEN_ERROR, realmId=[REDACTED], clientId=null, userId=null, ipAddress=[REDACTED], error=invalid_client_credentials, grant_type=authorization_code`. – Specult76 Aug 31 '18 at 08:10
  • I found the solution! The server admins created a new client that was set to public. This way the Keycloak Adapter added the "client_id" parameter to the request, which was accepted by the server. I still wonder why this was only a problem in IE, but I'm glad that there was a non-breaking way of fixing it. Thanks for your help! :) If you want, you can post this as a solution so I can mark the question as answered. – Specult76 Aug 31 '18 at 08:19
  • Better write the solution yourself, as you solved it! Glad to know ;-) – Aritz Aug 31 '18 at 08:20

1 Answer

1

The solution is fairly simple: The client that Keycloak-js wants to access has to be public so that the client ID can be read and sent to the server. The absence of the property or its data missing from the cookies (Firefox and Chrome apparently solve this themselves) leads to the 400 Bad Request sent from the Keycloak server.

Specult76
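The check the thread converges on, as an added example that is not part of the original posts or of keycloak-js: it compares a captured token request with the Keycloak event line quoted in the comments and reports whether the request identifies its client. The request bodies, the client ID and the function names are constructed for illustration.

```javascript
// Added example, not code from the thread. All sample values are constructed,
// except EVENT_LINE, which is the log line quoted in the comments above.
const EVENT_LINE = "2018-08-31 09:45:15,212 WARN [org.keycloak.events] (default task-13) " +
  "type=CODE_TO_TOKEN_ERROR, realmId=[REDACTED], clientId=null, userId=null, " +
  "ipAddress=[REDACTED], error=invalid_client_credentials, grant_type=authorization_code";
const BODY_WITHOUT_ID = "grant_type=authorization_code&code=SAMPLE_CODE" +
  "&redirect_uri=https%3A%2F%2Fapp.example%2F";
const BODY_WITH_ID = BODY_WITHOUT_ID + "&client_id=sample-public-client";

// Split the key=value pairs of a Keycloak event line into an object.
function parseEventLine(line) {
  const fields = {};
  const re = /(\w+)=(\[[^\]]*\]|[^,\s]+)/g;
  let m;
  while ((m = re.exec(line)) !== null) fields[m[1]] = m[2];
  return fields;
}

// Classify how a form-encoded token request identifies its client.
// Assumes header names have been lower-cased by whoever captured them.
function checkTokenRequest(body, headers = {}) {
  const params = new URLSearchParams(body);
  const missing = ["grant_type", "code", "redirect_uri"].filter(k => !params.get(k));
  const hasBasic = /^Basic\s+\S+/i.test(headers.authorization || "");
  const hasId = Boolean(params.get("client_id"));
  const hasSecret = Boolean(params.get("client_secret"));
  let identification = "none";
  if (hasBasic || (hasId && hasSecret)) identification = "confidential";
  else if (hasId) identification = "public";
  return { missing, identification };
}

// Combine the client-side capture and the server-side event into findings.
function diagnose(eventLine, body, headers) {
  const ev = parseEventLine(eventLine);
  const req = checkTokenRequest(body, headers);
  const findings = [];
  if (req.missing.length) findings.push("missing parameters: " + req.missing.join(", "));
  if (req.identification === "none")
    findings.push("request has neither client_id nor client authentication");
  if (ev.error === "invalid_client_credentials" && ev.clientId === "null")
    findings.push("server logged invalid_client_credentials with clientId=null");
  return findings;
}

console.log(diagnose(EVENT_LINE, BODY_WITHOUT_ID));
console.log(checkTokenRequest(BODY_WITH_ID).identification);
```

Running the same check against the request captured in a working browser and in the failing one shows whether `client_id` is the only difference between them.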