Keycloak-angular: Keycloak-Angular try to open /account after login / requesting a token

Created on 18 Jun 2018  路  13Comments  路  Source: mauriciovigolo/keycloak-angular

Bug Report or Feature Request (mark with an x)

- [x] bug report -> please search for issues before submitting
- [ ] feature request

Versions.

Repro steps.

Just set up a new angular project (version 6) and follow the stepps mentioned to get keycloak-angular running. Followed the tutorial at https://www.npmjs.com/package/keycloak-angular

The log given by the failure.

My public client ist able to request a token, but also make a request to the keycloak path /account where i have no access to.

Cause of this my app does not start.

This behaviour is tested in Angular 5/6 with both versions of the keycloak angular-module.

Enhancement

Most helpful comment

Did this make its way back into 5.1.0? I am using 5.1.0, and noticing the call to /account. I would prefer that be removed, because than any public client would need to be registered with the the account client.

All 13 comments

@SimonLau2017, to support you I need more details about your project, ideally a project example would be better. Did you try the examples provided by the library? A good kickstart is keycloak-heroes.

Unfortunately, I am not allowed to upload my project (due to company policy).

But the problem also came up after the following steps:

  • create new angular project (latest version) with CLI.
  • install keycloak-angular as described in the tutorial.
    After that happens:
  • When loading from http: // localhost: 4200 the display of the identity provider takes place.
  • Login is successful
  • Token is transferred
  • App tries to open the path / accounts
  • This fails because there is no authorization for / account
  • App is not loading

@SimonLau2017, what flow are you using? I need some details about your config, init parameters.
Also, did you setup the view_account role to the app's clientId at your keycloak server?

Just saw this one in the tutorial:

When requesting the method to get the User's Profile, the client app should have the scope and access to the account view-profile role. To do it, access Clients 鉃★笍 My-app 鉃★笍 Scope. Select the account app in Client Roles and assign the view-profile role.

As mentioned, i have no access to the accounts. Is it possible to disable this function, cause it seem to be executed while init().

i want to use the Authorization Code Flow.

So i have created a new angular project. The .zip contains the changed files which are: app.module.ts, app-init.ts and authGuard.ts

Angular version 5.2.11
Keyvloak-angular version 1.3.x
Keycloak server version 3.2.1

As mentioned above, my client or user has no access to /account

I removed the actual kc server address from app-init.ts

files.zip

When i open the app, login is possible, after that the following console output appear:

https://xx.net/auth/realms/MyRealm/account 403 (Forbidden)

@SimonLau2017, thanks for sharing a project with your situation. At this time you have to setup the view_account role from the accounts app to get the user info. The library is expecting that this data is something that is needed by most of webapps, so after the keycloak instance initialization, the user profile is loaded.
Some time ago, there was a request from another user to remove this load at the beginning. I'm thinking to change this behavior, since there are more users with the same scenario. So I will plan this change, maybe in the coming release.

Thanks a lot for your quick help.

Unfortunately I am not in the position to change the settings of the server.

Do you know maybe another module which I can use, that does not require this setting?

As far as I know, the roles are transferred in the access token. Since I do not need the roles at all, I do not know exactly.

As far as I could see from the Keycloak documentation, one should get the roles via /userinfo.

Have a nice day. Best regards.

The bearer is a JWT and it includes the user roles. I understand that your requirement is only authentication using the oauth2 flow, so removing any calls from the getUserProfile should be enough and won't require roles from the accounts client.
The next release is coming this week, on friday. I could bundle this feature, but I need to test it and check the impacts. Another option could be using the keycloak-js library directly. There are another libraries for angular&keycloak available to help, but I still believe that is better to use something official from the keycloak project - thinking about security and better support for new versions from both server and js adapter. These are the reasons this library is a wrapper to keycloak-js.

Hello Mauricio,

I'm curious. Will the new version actually be released today?

Thank you very much for your efforts.

@SimonLau2017, I still have some issues to work on. I will try, otherwise it will probably be released on this weekend or on Monday.

@SimonLau2017. Versions 1.4.1, 2.0.2, 3.0.2 and 4.0.0 of keycloak-angular, includes this enhancement. I added a flag so you can set it to false if your app should not initialize and load the user profile. Thanks!

works pretty nice on the first look :)

Thank you very much!

Did this make its way back into 5.1.0? I am using 5.1.0, and noticing the call to /account. I would prefer that be removed, because than any public client would need to be registered with the the account client.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

its-vincesanity picture its-vincesanity  路  4Comments

pahlers picture pahlers  路  3Comments

unib1t picture unib1t  路  4Comments

Wassim24 picture Wassim24  路  4Comments

arratejasvi picture arratejasvi  路  4Comments