0

I am working on an app in Angular 14 that requires authentication/authorization, reason for witch I use Keycloak Angular .

As per the instructions, I have first installed Keycloak Angular with:

npm install keycloak-angular keycloak-js

Then in fe\src\app\app.module.ts:

import { APP_INITIALIZER, NgModule } from '@angular/core';
import { KeycloakAngularModule, KeycloakService } from 'keycloak-angular';
import { BrowserModule } from '@angular/platform-browser';
import { AppRoutingModule } from './app-routing.module';
import { BrowserAnimationsModule } from '@angular/platform-browser/animations';
import { MaterialModule } from './shared/material.module';
import { FlexLayoutModule } from '@angular/flex-layout';

// Components
import { ErrorsComponent } from './shared/error.component';
import { AppComponent } from './app.component';

function initializeKeycloak(keycloak: KeycloakService) {
  return () =>
    keycloak.init({
      config: {
        url: 'http://localhost:8080/auth',
        realm: 'demo',
        clientId: 'my-app'
      },
      initOptions: {
        onLoad: 'check-sso',
        silentCheckSsoRedirectUri:
          window.location.origin + '/assets/silent-check-sso.html'
      }
    });
}
@NgModule({
  declarations: [
    ErrorsComponent,
    AppComponent
  ],
  imports: [
    BrowserModule,
    AppRoutingModule,
    BrowserAnimationsModule,
    MaterialModule,
    FlexLayoutModule,
    KeycloakAngularModule
  ],
  exports: [],
  providers: [
    {
      provide: APP_INITIALIZER,
      useFactory: initializeKeycloak,
      multi: true,
      deps: [KeycloakService]
    }
  ],
  bootstrap: [AppComponent]
})
export class AppModule { }

I have also added silent-check-sso.html to the src\assets\ directory.

The problem

At http://localhost:4200/, I only see a blank page and the browser throws the error:

Refused to display 'http://localhost:8080/' in a frame because it set 'X-Frame-Options' to 'deny'.

Questions

  1. What is causing this error?
  2. What is the easiest and most reliable way to fix it?
Improve this question

1 Answer 1

Reset to default
2

This is due that Keycloak will prevent a website from including any login page within an iframe. This is to prevent clickjacking attacks.

To enable this just fallow this guide from keyclock documentation: https://www.keycloak.org/docs/15.0/server_admin/, just check after "Authorizing Iframes"

enter image description here

And also check if flags: checkLoginIframe is set to false.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Great, but is there any alternative to authorizing iframes?
It should be possible, as documentation shows us, there is an example for authoring goole.com for example. Hopefully this is working
Hey, i tried, pls check the comment. No worries!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.