
Conversation

@jonkoops
Contributor

@jonkoops jonkoops commented Oct 2, 2024

Closes #33330

Adds a shim for the Web Crypto API to the admin and account console so they continue to work, even when being served from a non-secure context. This moves the polyfilling responsibility to Keycloak rather than Keycloak JS.
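The browser decides whether a page is a secure context from the origin it was served from, which is what makes `crypto.subtle` disappear on a plain-HTTP deployment. The following is an added example (not Keycloak's own SecureContextResolver or shim) that applies the "potentially trustworthy origin" rules from the W3C Secure Contexts specification to a URL and reports which Web Crypto members a shim would have to supply; the `cryptoLike` argument is an assumed test double for the browser's `crypto` object.

```javascript
// Added example: mirrors the browser's secure-context decision for a given URL.
// Rules follow the W3C Secure Contexts spec (HTTPS/WSS/file, loopback addresses,
// "localhost" names). Illustrative only, not Keycloak's SecureContextResolver.

const LOOPBACK_V4 = /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

function isLoopbackHost(hostname) {
  // URL.hostname keeps IPv6 literals in brackets, e.g. "[::1]".
  const host = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  return LOOPBACK_V4.test(host) || host === "::1";
}

function isLocalhostName(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return host === "localhost" || host.endsWith(".localhost");
}

// True when a page served from this URL gets window.isSecureContext === true,
// and with it the full Web Crypto API, without any shim.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable input is never trusted
  }
  switch (url.protocol) {
    case "https:":
    case "wss:":
    case "file:":
      return true;
    case "http:":
    case "ws:":
      return isLoopbackHost(url.hostname) || isLocalhostName(url.hostname);
    default:
      return false;
  }
}

// In a non-secure context browsers still expose crypto.getRandomValues(), but
// crypto.subtle and crypto.randomUUID() are [SecureContext]-only. Given a
// crypto-like object (assumed test double), list what a shim would need to add.
function missingWebCryptoMembers(cryptoLike) {
  const required = ["getRandomValues", "subtle", "randomUUID"];
  return required.filter((name) => cryptoLike == null || cryptoLike[name] === undefined);
}
```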

@jonkoops jonkoops requested review from a team as code owners October 2, 2024 14:43
edewit
edewit previously approved these changes Oct 2, 2024
@shawkins shawkins self-requested a review October 2, 2024 15:03
shawkins
shawkins previously approved these changes Oct 2, 2024
Contributor

@shawkins shawkins left a comment


LGTM - we have similar logic to SecureContextResolver in SslRequired. SslRequired potentially does a DNS lookup to resolve the InetAddress. It might be good as a follow-up to consolidate this logic - granted we'll probably be deprecating the SslRequired setting soon. cc @ahus1

@jonkoops
Contributor Author

jonkoops commented Oct 2, 2024

It might be good as a follow-up to consolidate this logic - granted we'll probably be deprecating the SslRequired setting soon.

Sounds logical to me. I am not familiar with this code, so I don't know how much overlap there is. Let's log an issue to follow up on it 👍

@jonkoops jonkoops requested a review from ahus1 October 2, 2024 15:12
Contributor

@douglaspalmer douglaspalmer left a comment


LGTM

@shawkins
Contributor

shawkins commented Oct 2, 2024

It might be good as a follow-up to consolidate this logic - granted we'll probably be deprecating the SslRequired setting soon.

Sounds logical to me. I am not familiar with this code, so I don't know how much overlap there is. Let's log an issue to follow up on it 👍

Ok, added #33484

@jonkoops
Contributor Author

jonkoops commented Oct 2, 2024

Looks like the tests are failing because HtmlUnit is once again too dumb to interpret even the most basic JavaScript syntax. Sigh. I'll do some work to turn it into a caveman version.

@jonkoops
Contributor Author

jonkoops commented Oct 2, 2024

Ok, should be fixed now. @edewit @shawkins @douglaspalmer can I ask you for another review?

Contributor

@douglaspalmer douglaspalmer left a comment


LGTM

shawkins
shawkins previously approved these changes Oct 2, 2024
Contributor

@shawkins shawkins left a comment


LGTM

ahus1
ahus1 previously approved these changes Oct 2, 2024
Contributor

@ahus1 ahus1 left a comment


I'm approving it as it solves the problem at hand. The warning message "Keycloak JS should only be used in a secure context" could be more specific. It doesn't contain any why, the "secure context" is a bit vague as it requires the crypto API, and "should" is also off as it requires the crypto API (unless someone uses a shim, which is not mentioned here).

As the log message is normally not shown (only if you enable logging for the JS library), I would be ok to continue as is for the sake of KC26.

One small wording in the upgrading guide. Might be worth adding it to the release notes as well.


@jonkoops jonkoops dismissed stale reviews from ahus1 and shawkins via f42ca0c October 2, 2024 17:03
Contributor

@ahus1 ahus1 left a comment


Thank you for updating the release notes.

Approving with the same comment as before: "I'm approving it as it solves the problem at hand. The warning message "Keycloak JS should only be used in a secure context" could be more specific. It doesn't contain any why, the "secure context" is a bit vague as it requires the crypto API, and "should" is also off as it requires the crypto API (unless someone uses a shim, which is not mentioned here).
As the log message is normally not shown (only if you enable logging for the JS library), I would be ok to continue as is for the sake of KC26."

@jonkoops
Contributor Author

jonkoops commented Oct 2, 2024

Sorry I missed your comment @ahus1, let me reply here.

The warning message "Keycloak JS should only be used in a secure context" could be more specific. It doesn't contain any why, the "secure context" is a bit vague as it requires the crypto API, and "should" is also off as it requires the crypto API (unless someone uses a shim, which is not mentioned here).

Agreed. The URL in the message explains that some APIs are not available in the browser if not in a secure context. We could do a better job, but I think that will suffice for now.

This is not specifically about the Web Crypto API, but about a whole subset of APIs that are only available in a secure context that we might want to make use of in the future. For example, the new cookie store APIs and possibly the FedCM API. Hence I don't want to advise the user to polyfill/shim this behaviour, as that could break in unexpected manners in the future.

The Web Crypto API is only used in PKCE flows (which are the default but can be opted out of); if it is not enabled, the Web Crypto API is not used. Hence it is not a hard requirement in all scenarios.

@jonkoops
Contributor Author

jonkoops commented Oct 3, 2024

The Web Crypto API is only used in PKCE flows (which are the default but can be opted out of); if it is not enabled, the Web Crypto API is not used. Hence it is not a hard requirement in all scenarios.

Upon closer inspection, we're also using the same API to generate UUIDs. We are however not using the appropriate crypto.randomUUID() method, but rather the crypto.getRandomValues() method as a seed to some custom logic. I'll make a follow-up PR to improve this.

@jonkoops jonkoops enabled auto-merge (squash) October 3, 2024 10:17
@jonkoops jonkoops merged commit aacdf80 into keycloak:main Oct 3, 2024


Labels

flaky-test status/hold PR should not be merged. On hold for later. team/ui


Development

Successfully merging this pull request may close these issues.

"somethingWentWrong" when opening Keycloak URL in unsecure context

5 participants