Keycloak is causing IE to have an infinite loop


Problem description

We are using the keycloak 1.3.1 authentication library, and I've noticed that once I initialize keycloak with { onLoad: 'login-required' }, IE (11) gets into an infinite loop...

Other browsers work fine.

I basically do this:

keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
    console.info(authenticated ? 'authenticated' : 'not authenticated');

    // some other stuff...

}).error(function() {
    console.warn('failed to initialize');
});

Any idea what's causing it, and how to solve this? Trying to install the newest version 1.4.0 now in hopes the weird bug gets solved.

Thanks.

Recommended answer

I had the same problem with keycloak v1.5.0.Final / Internet Explorer 11, and finally figured out what is going on.

When using modes 'login-required' or 'check-sso' in Keycloak's init method, the Keycloak JavaScript adapter sets an iframe that checks at timed intervals that the user is authenticated.

This iframe is retrieved from keycloak's server (let's say http(s)://yourkeycloakhost:port):

http(s)://yourkeycloakhost:port/auth/realms/yourrealm/protocol/openid-connect/login-status-iframe.html?client_id=yourclientid&origin=http(s)://yourorigin

and its content is a javascript script which should be able to access KEYCLOAK_SESSION cookie previously set by keycloak on authentication (on the same domain ie http(s)://yourkeycloakhost:port).

Yes! Here is the problem with Internet Explorer, which has a strict policy with iframes and cookies. Actually, the keycloak iframe does NOT have access to the yourkeycloakhost domain cookies due to its P3P policy (Microsoft Internet Explorer is the only major browser to support P3P).

This problem is well described in this stackoverflow question.

The solution is to make Internet Explorer trust our keycloak's domain (yourkeycloakhost) for using cookies, so that the iframe is able to read the KEYCLOAK_SESSION cookie value, and register it in its data.

To do that, your keycloak server must append an HTTP response header with P3P information. You can do that with an apache or nginx proxy that will always set proper headers. I did that with apache and its mod_headers module:

Header always set P3P "CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG"

You can learn more on P3P with W3C and/or validate your P3P Policy with this P3P validator.

You can have a look at keycloak's iframe code:

var cookie = getCookie('KEYCLOAK_SESSION');
if (cookie) {
    data.loggedIn = true;
    data.session = cookie;
}

Now the cookie on domain yourkeycloakhost is retrieved correctly by Internet Explorer, and the problem is fixed!
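
The loop described in the answer above, as a simplified JavaScript model (an added example, not part of the original answer and not Keycloak's adapter code). The function names, the `enforcesP3P` flag and the `maxRedirects` guard are assumptions made for the illustration, and the session value is constructed.

```javascript
// Simplified model of the flow described in the answer. Hypothetical names,
// not Keycloak's adapter code; the session value is constructed sample data.

// Per the answer: IE applies P3P to cookies read inside the Keycloak iframe,
// while other browsers do not support P3P at all.
function iframeCanReadCookies(browser, keycloakHeaders) {
  return !browser.enforcesP3P || Boolean(keycloakHeaders.P3P);
}

// Mirrors the login-status iframe snippet quoted in the answer.
function iframeStatus(browser, keycloakHeaders, cookieJar) {
  const data = { loggedIn: false };
  const cookie = iframeCanReadCookies(browser, keycloakHeaders)
    ? cookieJar.KEYCLOAK_SESSION
    : undefined;
  if (cookie) {
    data.loggedIn = true;
    data.session = cookie;
  }
  return data;
}

// Assumption: the login page is a top-level navigation, so it always sees
// (or sets) the first-party session cookie and redirects back to the app.
function loginRedirect(cookieJar) {
  cookieJar.KEYCLOAK_SESSION = cookieJar.KEYCLOAK_SESSION || 'constructed-session-id';
}

// Assumption: with 'login-required', a "logged out" answer from the iframe
// sends the page to login again. maxRedirects is a guard added for this demo.
function simulateInit(browser, keycloakHeaders, maxRedirects) {
  const cookieJar = {};
  let redirects = 0;
  while (redirects < maxRedirects) {
    loginRedirect(cookieJar);
    redirects += 1;
    if (iframeStatus(browser, keycloakHeaders, cookieJar).loggedIn) {
      return { authenticated: true, redirects: redirects, loop: false };
    }
  }
  return { authenticated: false, redirects: redirects, loop: true };
}

const ie11 = { enforcesP3P: true };
const otherBrowser = { enforcesP3P: false };
const p3pHeader = { P3P: 'CP=ALL DSP COR CUR ADM PSA CONi OUR SAM OTR UNR LEG' };
console.log(simulateInit(ie11, {}, 10));         // stopped only by the guard
console.log(simulateInit(otherBrowser, {}, 10)); // settles after one login
console.log(simulateInit(ie11, p3pHeader, 10));  // settles once P3P is sent
```
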
