This repository was archived by the owner on Mar 25, 2021. It is now read-only.
See if this version works in 2021 #57
Open: waynehamberg wants to merge 33 commits into dylanplecki:dev from mattmorg55:dev
refresh claims only when not in bearer mode
… DisableIssuerSigningKeyValidation
…ne time zone into (utc -1:00), this issue appears because there is a bug in KeycloakOwinAuthentication project and the bug has been reported to project developer. You can solve the problem by editing the method "GetClaimsAsync" in "KeycloakIdentity.cs" file to compare current datetime in (UTC-1) zone. Code posted by https://stackoverflow.com/users/2311455/mohammad-alghanem
…nt any longer... I have seen references to introspection if we want to add this back in at some point.
… package for both assemblies.
# Conflicts:
#   src/Keycloak.IdentityModel/Utilities/OidcDataManager.cs
#   src/KeycloakIdentityModel/Constants.cs
#   src/KeycloakIdentityModel/KeycloakIdentity.cs
#   src/KeycloakIdentityModel/Utilities/KeycloakTokenHandler.cs
#   src/KeycloakIdentityModel/packages.config
In the SignInAsAuthentication() method in KeycloakAuthenticationHandler class, the method returned immediately if signInAuthType was equal to Options.AuthenticationType. I think this is a bug?
Changing:
    if (signInAuthType == Options.AuthenticationType) return;
To:
    if (!string.IsNullOrWhiteSpace(signInAuthType) && !signInAuthType.Equals(Options.AuthenticationType, StringComparison.OrdinalIgnoreCase)) return;
Client secret is not used by authorization endpoint, and the client secret should not be visible to user in the browser.
* Fix: Token expired at login
  Fixes unnecessary refresh token call directly after login
* Fix tabs
…#9)
* FIX: New option to disable validation of signature in Refresh token
  Keycloak server 4.5 changed encryption algorithm for Refresh tokens that the library fails to decrypt. Setting new option DisableRefreshTokenSignatureValidation to true will disable the signature validation only of Refresh tokens. Content in refresh token should not be used by the client application.
  Ref: https://issues.jboss.org/browse/KEYCLOAK-4622
* Fix tabs
#12) Adds an optional configuration option AuthResponseErrorRedirectUrl that defines a URL to redirect to if Keycloak auth fails during login. If Keycloak server fails during login, it'll redirect back to calling application (that uses this library) with information in query parameter "error" (and optionally "errordescription" and "erroruri") instead of "code". Previous implementation threw an ArgumentException in this case. If the new configuration option is not used (default), an Exception will still be thrown (with additional "error" information from Keycloak)
Introducing new option DisableAllRefreshTokenValidation (default false) to disable ALL validation on Refresh tokens. In Keycloak server somewhere between v4.6-4.8, it was decided that the contents of the "aud" claim in Refresh tokens would contain the Keycloak Realm URL instead of the Keycloak ClientId. This led to an issue with this library that validates the "aud" claim in Refresh tokens to contain the ClientId. Setting this option to true will disable ALL validation of Refresh tokens (but keep validation for ID/Access token). As the application should not use the contents of the Refresh tokens, and only send it back to the Keycloak server (which will validate it), it should be safe to disable it. This option overrides and can be used instead of DisableRefreshTokenSignatureValidation.
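The split described in the last commit message above (claims checks kept for ID/access tokens, refresh tokens handed back to the server unread), as an added C# example that is not code from this pull request or from KeycloakOwinAuthentication. `TokenKind`, `TokenPolicy`, the client id and the realm URL are hypothetical, and the signature of ID/access tokens is assumed to have been verified before this check runs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration, not code from KeycloakOwinAuthentication.
// TokenKind, TokenPolicy and all sample values are hypothetical/constructed.
// Assumes the signature of ID/access tokens was verified before this check.
public enum TokenKind { Id, Access, Refresh }

public static class TokenPolicy
{
    // Returns null if the claims are acceptable, otherwise the rejection reason.
    public static string Check(TokenKind kind, IDictionary<string, object> claims,
                               string clientId, DateTimeOffset now)
    {
        // Refresh tokens are opaque to the client: their claims are never read,
        // the raw token is only sent back to the server, which validates it.
        if (kind == TokenKind.Refresh) return null;

        // "aud" is either a single string or an array of strings.
        object aud;
        claims.TryGetValue("aud", out aud);
        var audiences = aud is string ? new[] { (string)aud }
                      : (aud as IEnumerable<string> ?? Enumerable.Empty<string>());
        if (!audiences.Contains(clientId, StringComparer.Ordinal))
            return "aud does not contain the client id";

        // "exp" is seconds since the Unix epoch; compare against UTC, not local time.
        object exp;
        if (!claims.TryGetValue("exp", out exp) ||
            DateTimeOffset.FromUnixTimeSeconds(Convert.ToInt64(exp)) <= now)
            return "token expired or exp missing";
        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        long exp = now.AddMinutes(5).ToUnixTimeSeconds();
        var good = new Dictionary<string, object> { { "aud", new[] { "my-client", "account" } }, { "exp", exp } };
        var realmAud = new Dictionary<string, object> { { "aud", "https://sso.example.test/auth/realms/demo" }, { "exp", exp } };
        Console.WriteLine(TokenPolicy.Check(TokenKind.Access, good, "my-client", now) ?? "ok");
        Console.WriteLine(TokenPolicy.Check(TokenKind.Access, realmAud, "my-client", now) ?? "ok");
        Console.WriteLine(TokenPolicy.Check(TokenKind.Refresh, realmAud, "my-client", now) ?? "ok");
    }
}
```

The second call is rejected for its audience, while the same realm-URL audience on a refresh token passes because the client never inspects it.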