[keycloak-user] HTML5/JS and download URL.

Jérôme Blanchard jayblanc at gmail.com
Tue Dec 16 11:51:37 EST 2014


Hi,

Thank you for your answer. Sorry for my lack of knowledge in OAuth but
speaking about generating a temporary token to include in the link, what
kind of token do you mean and what is the best way to do that with Keycloak?

Best regards, Jérôme.

2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
>
>
>
> ----- Original Message -----
> > From: "Jérôme Blanchard" <jayblanc at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Sent: Monday, 15 December, 2014 3:13:06 PM
> > Subject: [keycloak-user] HTML5/JS and download URL.
> >
> > Hi all,
> > We have a use case where an HTML5/Angular application is calling a REST
> > interface using Keycloak for authentication SSO. Everything works fine until
> > we need to download files or preview images (using <img> tag). In both cases,
> > it is the browser which performs the request on the REST URL and, because
> > of a specific XHR authentication putting the bearer token in the headers, a
> > 'classic' browser request for downloading a file results in an
> > unauthenticated request because of the nonexistent bearer token.
> >
> > We're wondering if there is a best practice to handle this case. We plan to
> > include a dedicated token as a download request parameter and to check this
> > particular query parameter programmatically in the /download JAX-RS
> > operation. What kind of token should we put in the query and is there
> > an already existing mechanism to catch such a token in JAX-RS server-side
> > operations or programmatically?
>
> We actually had the same issue in our admin console as we provide a
> download option for the application config. AFAIK there's two solutions:
>
> * Generate a temporary token - basically what you're suggesting. There's
> two ways you can do this, always generate one and add it to the link,
> second is to use a redirect that only generates the token on demand
> * Use XHR to get the file, which allows setting the Authorization header,
> then use JavaScript to download
>
> There's currently no direct support for this in Keycloak, but it would be
> interesting to add.
>
> >
> > Thanks a lot for your support and so good work, Best Regards, Jérôme.
> >
>
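
One possible shape for the "temporary token" discussed in this thread, as an added example that is not part of the original messages and is not a Keycloak feature: a short-lived HMAC-signed token bound to a single download path, issued by an endpoint that has already validated the bearer token. The function names, the 60-second lifetime and the in-process secret are assumptions made for illustration.

```javascript
// Added example (Node.js): short-lived, path-bound download token.
// All names here are hypothetical; nothing below is Keycloak API.
const crypto = require("crypto");

// Assumption: a server-side secret that is never sent to the browser.
const SECRET = crypto.randomBytes(32);
const TTL_SECONDS = 60; // assumption: long enough to start the download

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Called from an endpoint that already authenticated the caller with the
// bearer token (XHR); the returned string goes into the link's query string.
function issueDownloadToken(userId, path, now = Date.now()) {
  const exp = Math.floor(now / 1000) + TTL_SECONDS;
  const claims = JSON.stringify({ sub: userId, path, exp });
  const payload = Buffer.from(claims).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Called by the download handler on the query parameter.
// Returns the user id on success, null on any failure.
function verifyDownloadToken(token, requestedPath, now = Date.now()) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;

  // Constant-time comparison of the MAC before trusting any claim.
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;

  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) return null;
  if (claims.path !== requestedPath) return null; // token is for one file only
  return claims.sub;
}
```

Because a token in a URL can end up in browser history and server logs, the short lifetime and the path binding are what limit its value if it is seen later.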