From aaa33ad883e707b6e90792fb6c29a4712463ce21 Mon Sep 17 00:00:00 2001 From: stianst Date: Fri, 5 Oct 2018 14:47:13 +0200 Subject: [PATCH] KEYCLOAK-8509 Improvements to session iframe --- .../oidc/js/src/main/resources/keycloak.js | 56 ++++++++++++------- .../main/resources/login-status-iframe.html | 36 +++++++----- .../endpoints/LoginStatusIframeEndpoint.java | 2 +- 3 files changed, 57 insertions(+), 37 deletions(-) diff --git a/adapters/oidc/js/src/main/resources/keycloak.js b/adapters/oidc/js/src/main/resources/keycloak.js index 08f8040c1f..9a11b8c13c 100755 --- a/adapters/oidc/js/src/main/resources/keycloak.js +++ b/adapters/oidc/js/src/main/resources/keycloak.js @@ -154,10 +154,14 @@ case 'check-sso': if (loginIframe.enable) { setupCheckLoginIframe().success(function() { - checkLoginIframe().success(function () { - doLogin(false); + checkLoginIframe().success(function (unchanged) { + if (!unchanged) { + doLogin(false); + } else { + initPromise.setSuccess(); + } }).error(function () { - initPromise.setSuccess(); + initPromise.setError(); }); }); } else { @@ -191,12 +195,16 @@ if (loginIframe.enable) { setupCheckLoginIframe().success(function() { - checkLoginIframe().success(function () { - kc.onAuthSuccess && kc.onAuthSuccess(); - initPromise.setSuccess(); + checkLoginIframe().success(function (unchanged) { + if (unchanged) { + kc.onAuthSuccess && kc.onAuthSuccess(); + initPromise.setSuccess(); + scheduleCheckIframe(); + } else { + initPromise.setSuccess(); + } }).error(function () { - setToken(null, null, null); - initPromise.setSuccess(); + initPromise.setError(); }); }); } else { @@ -593,6 +601,7 @@ var tokenResponse = JSON.parse(req.responseText); authSuccess(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], kc.flow === 'standard'); + scheduleCheckIframe(); } else { kc.onAuthError && kc.onAuthError(); promise && promise.setError(); 
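Review bot: In the check-sso hunk the new `.error` handler turns an iframe `error` result into `initPromise.setError()`, where the removed line resolved the promise, so an application whose origin is not among the client's Web Origins (or whose client is disabled, per the server-side change in this commit) now sees `init()` reject instead of completing unauthenticated. That is probably the intended tightening, but it is a visible behaviour change for callers that nothing in the commit message or the code explains. A one-line comment at the handler would carry the reason: `// 'error' means the status iframe could not be initialised for this client/origin; surface it rather than report a clean check`. The enclosing init/onLoad function starts and ends outside the hunk.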
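Review bot: In the login-required hunk the `else` branch (session `changed`) resolves `initPromise` with the token that was handed to `init()` still set, without calling `onAuthSuccess`, without scheduling the periodic check and without clearing anything, whereas the removed error branch did `setToken(null, null, null)`. Unless the message handler above the visible hunks already clears the token on a `changed` message, `kc.token` and `kc.authenticated` will describe an SSO session the iframe has just reported as gone. Either restore `setToken(null, null, null);` before `initPromise.setSuccess();` in that branch, or add a comment there saying where the clearing happens so the next reader does not re-add it. The enclosing function starts and ends outside the hunk.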
@@ -1076,8 +1085,6 @@ loginIframe.iframeOrigin = authUrl.substring(0, authUrl.indexOf('/', 8)); } promise.setSuccess(); - - setTimeout(check, loginIframe.interval * 1000); } var src = kc.endpoints.checkSessionIframe(); @@ -1104,31 +1111,38 @@ for (var i = callbacks.length - 1; i >= 0; --i) { var promise = callbacks[i]; - if (event.data == 'unchanged') { - promise.setSuccess(); - } else { + if (event.data == 'error') { promise.setError(); + } else { + promise.setSuccess(event.data == 'unchanged'); } } }; window.addEventListener('message', messageCallback, false); - var check = function() { - checkLoginIframe(); - if (kc.token) { - setTimeout(check, loginIframe.interval * 1000); - } - }; - return promise.promise; } + function scheduleCheckIframe() { + if (loginIframe.enable) { + if (kc.token) { + setTimeout(function() { + checkLoginIframe().success(function(unchanged) { + if (unchanged) { + scheduleCheckIframe(); + } + }); + }, loginIframe.interval * 1000); + } + } + } + function checkLoginIframe() { var promise = createPromise(true); if (loginIframe.iframe && loginIframe.iframeOrigin ) { - var msg = kc.clientId + ' ' + kc.sessionId; + var msg = kc.clientId + ' ' + (kc.sessionId ? kc.sessionId : ''); loginIframe.callbackList.push(promise); var origin = loginIframe.iframeOrigin; if (loginIframe.callbackList.length == 1) { diff --git a/adapters/oidc/js/src/main/resources/login-status-iframe.html b/adapters/oidc/js/src/main/resources/login-status-iframe.html index e848dd60e9..30e30d882b 100755 --- a/adapters/oidc/js/src/main/resources/login-status-iframe.html +++ b/adapters/oidc/js/src/main/resources/login-status-iframe.html 
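Review bot: `scheduleCheckIframe` starts a fresh `setTimeout` chain on every call and never cancels an earlier one, and this commit calls it from the init path, from the token-exchange path and recursively on each `unchanged` result, so a second entry (for example another callback processed while a chain is already running) yields two independent polling loops against the iframe with no way to stop the first. Keeping the handle makes the function idempotent: `loginIframe.checkTimer && clearTimeout(loginIframe.checkTimer);` before the call and `loginIframe.checkTimer = setTimeout(function() { ... }, loginIframe.interval * 1000);` in place of the bare `setTimeout`. Separately, the `checkLoginIframe()` promise in this function has no `.error` handler, so once the iframe answers `error` (the case `messageCallback` now maps to `promise.setError()`) polling stops silently; a comment such as `// polling ends on 'changed' or 'error'; a new login re-enters via authSuccess` would at least make that deliberate.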
@@ -23,9 +23,20 @@ function checkState(clientId, origin, sessionState, callback) { var cookie = getCookie(); - if (!cookie) { - callback('changed'); - } else if (!init) { + var checkCookie = function() { + if (clientId === init.clientId && origin === init.origin) { + var c = cookie.split('/'); + if (sessionState === c[2]) { + callback('unchanged'); + } else { + callback('changed'); + } + } else { + callback('error'); + } + } + + if (!init) { var req = new XMLHttpRequest(); var url = location.href.split("?")[0] + "/init"; @@ -41,9 +52,7 @@ clientId: clientId, origin: origin } - callback('unchanged'); - } else if (req.status === 404) { - callback('changed'); + checkCookie(); } else { callback('error'); } @@ -51,17 +60,14 @@ }; req.send(); - } else { - if (clientId === init.clientId && origin === init.origin) { - var c = cookie.split('/'); - if (sessionState === c[2]) { - callback('unchanged'); - } else { - callback('changed'); - } + } else if (!cookie) { + if (sessionState != '') { + callback('changed'); } else { - callback('error'); + callback('unchanged'); } + } else { + checkCookie(); } } diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java index a478169701..ce3e36a51b 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java 
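Review bot: The new `!cookie` branch (empty `sessionState` with no cookie means `unchanged`) is only reached when `init` is already set, but on the first message after the iframe loads `init` is unset, the `/init` request is made, and its 204 handler calls `checkCookie()` directly, which does `cookie.split('/')` without ever consulting the `!cookie` rule. What `getCookie()` returns with no cookie is outside the hunk; if it is null or undefined this throws and no callback is ever invoked, leaving the adapter's promise pending, and if it is `''` then `c[2]` is undefined and a check-sso client with no session is told `changed` on its very first check, which is the case the new branch was meant to handle. Moving the no-cookie logic into `checkCookie` makes both paths agree and lets the outer `else if (!cookie)` branch be dropped.

```javascript
var checkCookie = function() {
    if (clientId !== init.clientId || origin !== init.origin) {
        callback('error');
    } else if (!cookie) {
        // no session cookie: only a "changed" if the client believes it has a session
        callback(sessionState != '' ? 'changed' : 'unchanged');
    } else {
        callback(sessionState === cookie.split('/')[2] ? 'unchanged' : 'changed');
    }
}
// … unchanged: init XHR, then `checkCookie()` in both the 204 handler and the final else …
```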
@@ -76,7 +76,7 @@ public class LoginStatusIframeEndpoint {
 UriInfo uriInfo = session.getContext().getUri();
 RealmModel realm = session.getContext().getRealm();
 ClientModel client = session.realms().getClientByClientId(clientId, realm);
- if (client != null) {
+ if (client != null && client.isEnabled()) {
 Set validWebOrigins = WebOriginsUtils.resolveValidWebOrigins(uriInfo, client);
 validWebOrigins.add(UriUtils.getOrigin(uriInfo.getRequestUri()));
 if (validWebOrigins.contains("*") || validWebOrigins.contains(origin)) {
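Review bot: The added `client.isEnabled()` condition is the right check but nothing records why a disabled client is refused here, and because it shares the `if` with the null check, a disabled client and an unknown client take the same fall-through path (the response for that path is below the hunk and not visible). A short comment on the new line would keep a future maintainer from "optimising" it into a separate branch with a more specific error: `// a disabled client must not be able to probe session state through the iframe; treat it exactly like an unknown client`. The JS side of this commit maps the resulting non-204 response to an `error` message that now fails the adapter's init, so the two halves are consistent. The enclosing method starts and ends outside the hunk.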