[keycloak-user] Undertow Bearer Token in Cookie

Jérôme Blanchard jayblanc at gmail.com
Thu Dec 18 12:07:18 EST 2014 

Hi all,

Is it possible to configure the servlet adapter to check presence of a
bearer token in a cookie instead of in a header ?
This question is about the download file usecase. If the bearer token will
be placed in a cookie by the javascript client at the same time settnig the
header, his will ensure that this cookie will be sent by the navigator in
the case of a download file or a <img> tag that would happen outside of a
XHR.

Thanks, Best Regards, Jérôme.

Le Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <jayblanc at gmail.com> a
écrit :

> Hi Stian,
>
> Thanks for your precisions, we have choose to implement the solution of a
> time based password.
> Using a ServletFilter and the Servlet 3.0 HttpRequest.login() feature
> we're able to intercept token from query parameter and propagate it to the
> JAAS stack. A dedicated LoginModule validate this token to enforce
> principal in the EJB SecurityContext and, according to this, our custom
> authorisation system is used ASIS without the need to create a hook in the
> download operation.
> This solution give the advantage to not interfer with the classic OAuth
> authentication in case of using a XHR Header nor a RESTClient that
> programmatically include the bearer token in the request header.
>
> Thanks a lot for your support, Best Regards, Jérôme.
>
>
>
> Le Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <stian at redhat.com> a
> écrit :
>
>
>>
>> ----- Original Message -----
>> > From: "Jérôme Blanchard" <jayblanc at gmail.com>
>> > To: "Stian Thorgersen" <stian at redhat.com>
>> > Cc: keycloak-user at lists.jboss.org
>> > Sent: Tuesday, 16 December, 2014 5:51:37 PM
>> > Subject: Re: [keycloak-user] HTML5/JS and download URL.
>> >
>> > Hi,
>> >
>> > Thank you for your answer. Sorry for my lake of knowledge in OAuth but
>> > speaking about generating a temporary token to include in the link, what
>> > kind of token do you mean and what is the best way to do that with
>> Keycloak.
>>
>> We don't have any support for this at the moment so you would have to
>> make it yourself. With regards to token all I mean is a something temporary
>> that allows the server to verify the user has permissions to download the
>> file.
>>
>> For example the token could be the base64 encoded signature (hmac, rsa or
>> whatever you'd like) of userid, timestamp/expiration and file-url. That way
>> the server can simply verify the signature on the server-side when the user
>> is trying to download the file and check that it matches.
>>
>> >
>> > Best regards, Jérôme.
>> >
>> > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
>> > >
>> > >
>> > >
>> > > ----- Original Message -----
>> > > > From: "Jérôme Blanchard" <jayblanc at gmail.com>
>> > > > To: keycloak-user at lists.jboss.org
>> > > > Sent: Monday, 15 December, 2014 3:13:06 PM
>> > > > Subject: [keycloak-user] HTML5/JS and download URL.
>> > > >
>> > > > Hi all,
>> > > > We have a use case where an HTML5/Angular application is calling a
>> REST
>> > > > interface using keycloak for authentication SSO. Everything works
>> fine
>> > > until
>> > > > we need to download files or preview images (using <img> tag). In
>> both
>> > > case,
>> > > > this is the browser which perform the request on the REST url and,
>> > > because
>> > > > of a specific XHR authentication putting the bearer token in the
>> > > headers, a
>> > > > 'classic' browser request for downloading a file result in an
>> > > > UNauthenticated request because of unexisting bearer token.
>> > > >
>> > > > We're minding if there is a best practice to handle this case. We
>> plan to
>> > > > include a dedicated token as a download request parameter and to
>> check
>> > > this
>> > > > particular query paramter programmatically in the /download JAX-RS
>> > > > operation. What kind of token should have to put in the query and is
>> > > there
>> > > > an already existing mechanism to catch such token in jax-rs
>> server-side
>> > > > operations nor programmatically ?
>> > >
>> > > We actually had the same issue in our admin console as we provide a
>> > > download option for the application config. AFAIK there's two
>> solutions:
>> > >
>> > > * Generate a temporary token - basically what you're suggesting.
>> There's
>> > > two ways you can do this, always generate one and add it to the link,
>> > > second is to use a redirect that only generates the token on demand
>> > > * Use XHR to get the file, which allows setting the Authorization
>> header,
>> > > then use JavaScript to download
>> > >
>> > > There's currently no direct support for this in Keycloak, but it
>> would be
>> > > interesting to add.
>> > >
>> > > >
>> > > > Thanks a lot for your support and so good work, Best Regards,
>> Jérôme.
>> > > >
>> > > > _______________________________________________
>> > > > keycloak-user mailing list
>> > > > keycloak-user at lists.jboss.org
>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>> >
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20141218/56a153f1/attachment-0001.html

More information about the keycloak-user mailing list