[keycloak-dev] Support rfc6750 Form-Encoded Body Parameter for access tokens in Keycloak

Marek Posolda mposolda at redhat.com
Tue May 2 06:45:25 EDT 2017

Feel free to create a JIRA for this and also send a PR.

Maybe it is as simple as refactoring QueryParamterTokenRequestAuthenticator 
to use "exchange.getRequest().getFirstParamValue(ACCESS_TOKEN)" instead 
of "exchange.getRequest().getQueryParamValue(ACCESS_TOKEN)" (the former 
would handle both query and form parameters), but not 100% sure. Also, 
for the PR, we would need the test too.

Btw. the JIRA where the query parameter support was added was 
https://issues.jboss.org/browse/KEYCLOAK-1733 .


On 28/04/17 16:30, Alexander Schwartz wrote:
> Hi Keycloak Developers,
> RFC6750 allows the access token to be submitted as part of a POST
> request. I found that this is the only good way to do file downloads in
> a JavaScript frontend.
> https://tools.ietf.org/html/rfc6750#section-2.1
> Excerpt: When sending the access token in the HTTP request entity-body,
> client adds the access token to the request-body using the
> "access_token" parameter. [...] Resource servers MAY support this method.
> I don't remember a thread on this mailing list. The only place I could
> find in the code was the User Endpoint that does this quite manually.
> Currently Keycloak only supports the query parameter using
> QueryParamterTokenRequestAuthenticator. A similar class will be needed
> to support a Form Parameter. Like the
> QueryParamterTokenRequestAuthenticator it will be part of the request
> processing and it will not be configurable.
> I'd like to open a JIRA issue for this as part of the Java Keycloak
> Clients to track the efforts and thoughts.
> Comments welcome!
> Regards,
> Alexander
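
An added example, not Keycloak code and not from either participant in this thread: a stand-alone extraction of the `access_token` form parameter with the conditions RFC 6750 attaches to the body method (form-encoded content type, method other than GET) and an `invalid_request` rejection when the parameter is repeated or a Bearer header is also present. The class and method names are hypothetical, the requests are constructed samples, and no Keycloak or Undertow API is used.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Optional;
// Hypothetical helper for illustration; not a Keycloak class.
public class FormBodyBearerToken {
    static final String ACCESS_TOKEN = "access_token";

    /** Returns the token from the form body, or empty if the body method does not apply. */
    static Optional<String> extract(String method, String contentType,
                                    String authorizationHeader, String body) {
        if ("GET".equalsIgnoreCase(method) || contentType == null || body == null) {
            return Optional.empty();
        }
        // Compare the media type only; parameters such as charset are allowed.
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        if (!mediaType.equals("application/x-www-form-urlencoded")) {
            return Optional.empty();
        }
        String token = null;
        for (String pair : body.split("&")) {
            String[] kv = pair.split("=", 2);
            if (!URLDecoder.decode(kv[0], StandardCharsets.UTF_8).equals(ACCESS_TOKEN)) {
                continue;
            }
            if (token != null) {
                throw new IllegalArgumentException("invalid_request: repeated access_token");
            }
            token = kv.length == 2 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "";
        }
        if (token == null || token.isEmpty()) {
            return Optional.empty();
        }
        boolean hasBearerHeader = authorizationHeader != null
                && authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7);
        if (hasBearerHeader) {
            throw new IllegalArgumentException("invalid_request: more than one token method");
        }
        return Optional.of(token);
    }

    public static void main(String[] args) {
        // Constructed sample requests.
        String form = "application/x-www-form-urlencoded; charset=UTF-8";
        System.out.println(extract("POST", form, null, "file=report.pdf&access_token=abc.def"));
        System.out.println(extract("GET", form, null, "access_token=abc.def"));
        System.out.println(extract("POST", "multipart/form-data", null, "access_token=abc.def"));
    }
}
```

A lookup that merges query and form parameters cannot tell which channel carried the token, so the GET and content-type conditions have to be checked on the request itself before the value is accepted.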
