[keycloak-user] WebSockets

Marek Posolda mposolda at redhat.com
Wed Aug 5 04:51:12 EDT 2015


It looks like it's possible to add query parameters in the JavaScript WebSocket 
client. But ATM our adapter supports authenticating requests where the 
token is sent only in the "Authorization: Bearer" header. Maybe adding 
support for authentication tokens from a query parameter is something we 
can support for adapters though (if someone has a valid use case for it).

Marek

On 5.8.2015 10:47, Marek Posolda wrote:
> There is also another example, 
> https://github.com/secondsun/wildfly-secured-websocket , where the client 
> is a JavaScript application. It's based on web.xml security and the 
> client and server are both in the same web application. Unfortunately I 
> don't know if it can work if the client and server are in different 
> applications, as it seems that there is no way to add additional HTTP 
> headers on the client in the JavaScript WebSocket API (at least according to 
> http://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api 
> ). So adding "Authorization: Bearer" looks like a challenge here.
>
> Marek
>
> On 5.8.2015 09:54, pslegr wrote:
>> Hello Juraci,
>>
>> maybe other Keycloak core devs might have other recommendations;
>> nevertheless I've put up an example for our project
>> https://github.com/pslegr/pnc/commit/873e875d657215890b9b9aafe93b2138ae946ec5
>> which uses Keycloak to secure the WS endpoint.
>> The point is to intercept the initial HttpRequest and add an 
>> AuthorizationHeader
>> into this one.
>>
>> ...
>>          List<String> authHeader = new ArrayList<String>();
>>          authHeader.add("Bearer " + authenticate());
>>          headers.put("Authorization", authHeader);
>>
>> ...
>>
>> This is done before protocol upgrade into WS/WSS.
>>
>> I don't see any other way of doing this so far....
>>
>> regards
>> Pavel
>>
>> On 4.8.2015 16:44, Juraci Paixão Kröhling wrote:
>>> I'm currently looking into the best way to perform authentication for
>>> WebSockets, and it seems that the best (only?) option so far is to
>>> handle this on the socket's endpoint itself.
>>>
>>> But before I start with some library for the other Hawkular components
>>> to consume, I'd like to ask if there are best practices/recommendations
>>> for doing WebSocket authentication with Keycloak.
>>>
>>> My plan right now is to require the endpoints to inject a service that
>>> would accept a message and session, closing the session on this service
>>> if the login data is not provided (login data == token, sent on the
>>> first message, at least at first).
>>>
>>> Ideas/thoughts?
>>>
>>> - Juca.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
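
The plan described at the start of the thread (token sent in the first message, session closed if it is missing) can be sketched as a small transport-independent gate. This is an added example, not code from the thread or from the Keycloak adapters; the `{type: "auth", token}` message shape, the `session.close(code, reason)` interface and the `verifyToken` callback are assumptions.

```javascript
// Added example: first-message authentication gate for a WebSocket session.
// `session` is any object exposing close(code, reason). `verifyToken` is a
// hypothetical callback that validates the bearer token (signature, issuer,
// audience) and returns { subject, exp } (exp in epoch seconds) or null.
const POLICY_VIOLATION = 1008; // RFC 6455 close code for policy violations

function createAuthGate(session, { verifyToken, onMessage, deadlineMs = 5000,
    now = () => Date.now(), setTimer = setTimeout, clearTimer = clearTimeout }) {
  let state = "pending"; // pending -> authenticated -> closed
  let principal = null;
  let timer = null;

  const reject = (reason) => {
    if (state === "closed") return;
    state = "closed";
    clearTimer(timer);
    session.close(POLICY_VIOLATION, reason);
  };

  // A client that never sends a token must not hold the socket open.
  timer = setTimer(() => {
    if (state === "pending") reject("authentication timeout");
  }, deadlineMs);

  return {
    get state() { return state; },
    receive(raw) {
      if (state === "closed") return;
      if (state === "pending") {
        let msg;
        try { msg = JSON.parse(raw); } catch { return reject("malformed auth message"); }
        principal = msg && msg.type === "auth" && typeof msg.token === "string"
          ? verifyToken(msg.token) : null;
        if (!principal || principal.exp * 1000 <= now()) {
          return reject("invalid or missing token");
        }
        clearTimer(timer);
        state = "authenticated";
        return;
      }
      // The socket outlives the token: re-check expiry on every message.
      if (principal.exp * 1000 <= now()) return reject("token expired");
      onMessage(principal.subject, raw);
    },
  };
}
```

No application message reaches `onMessage` before the token has been accepted, and the token never appears in a URL, so it stays out of access logs and proxy logs.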
