[keycloak-user] HTML5/JS and download URL.
stian at redhat.com
Wed Dec 17 03:05:17 EST 2014
----- Original Message -----
> From: "Jérôme Blanchard" <jayblanc at gmail.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 16 December, 2014 5:51:37 PM
> Subject: Re: [keycloak-user] HTML5/JS and download URL.
> Thank you for your answer. Sorry for my lake of knowledge in OAuth but
> speaking about generating a temporary token to include in the link, what
> kind of token do you mean and what is the best way to do that with Keycloak.
We don't have any support for this at the moment so you would have to make it yourself. With regards to token all I mean is a something temporary that allows the server to verify the user has permissions to download the file.
For example the token could be the base64 encoded signature (hmac, rsa or whatever you'd like) of userid, timestamp/expiration and file-url. That way the server can simply verify the signature on the server-side when the user is trying to download the file and check that it matches.
> Best regards, Jérôme.
> 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> > ----- Original Message -----
> > > From: "Jérôme Blanchard" <jayblanc at gmail.com>
> > > To: keycloak-user at lists.jboss.org
> > > Sent: Monday, 15 December, 2014 3:13:06 PM
> > > Subject: [keycloak-user] HTML5/JS and download URL.
> > >
> > > Hi all,
> > > We have a use case where an HTML5/Angular application is calling a REST
> > > interface using keycloak for authentication SSO. Everything works fine
> > until
> > > we need to download files or preview images (using <img> tag). In both
> > case,
> > > this is the browser which perform the request on the REST url and,
> > because
> > > of a specific XHR authentication putting the bearer token in the
> > headers, a
> > > 'classic' browser request for downloading a file result in an
> > > UNauthenticated request because of unexisting bearer token.
> > >
> > > We're minding if there is a best practice to handle this case. We plan to
> > > include a dedicated token as a download request parameter and to check
> > this
> > > particular query paramter programmatically in the /download JAX-RS
> > > operation. What kind of token should have to put in the query and is
> > there
> > > an already existing mechanism to catch such token in jax-rs server-side
> > > operations nor programmatically ?
> > We actually had the same issue in our admin console as we provide a
> > download option for the application config. AFAIK there's two solutions:
> > * Generate a temporary token - basically what you're suggesting. There's
> > two ways you can do this, always generate one and add it to the link,
> > second is to use a redirect that only generates the token on demand
> > * Use XHR to get the file, which allows setting the Authorization header,
> > There's currently no direct support for this in Keycloak, but it would be
> > interesting to add.
> > >
> > > Thanks a lot for your support and so good work, Best Regards, Jérôme.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user