[keycloak-user] WebSockets

Marek Posolda mposolda at redhat.com
Wed Aug 5 07:52:43 EDT 2015


On 5.8.2015 11:49, Juraci Paixão Kröhling wrote:
> Thanks for the comments! In our case, we'd need a 
> "standards-compliant" WebSockets authentication, in the sense that we 
> cannot depend on clients adding HTTP Headers (for instance). At first, 
> I think our main client will be a Java agent, so, we _could_ add extra 
> HTTP Headers, but our main API would be available for other developers 
> to make their own agents.
>
> From what I've read, even messing with the protocol part of the 
> connection could be seen as a violation of the spec, but it's a grey 
> area (people *are* actually doing it).
>
> The remaining "generic" option seems to indeed be adding the 
> token/user+pass details to the URL.
>
> After that, the only solution is to do it as part of the application 
> protocol itself: either each message comes with a token that is 
> validated as the first step in processing the message (a-la 
> request-based authentication), or from time to time, or even just at 
> the beginning of the connection (which is problematic, as the user 
> might logout and the socket would not "notice" it).
Doing it at the beginning of the connection might be easy. We may just need 
to add support to adapters for authentication via a bearer token sent in a 
URL query parameter or in the POST body. There are also specs for it: 
http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param 
Not sure if adapters should support it by default or just on demand, as 
there are some security implications when the access token is sent in the URI, as 
mentioned in the specs.

Not sure about request-based authentication; I don't know much about 
websockets TBH, so not sure what would be required to support this.

Marek

>
> - Juca.
>
>
> On 08/05/2015 10:51 AM, Marek Posolda wrote:
>> It looks like it's possible to add query parameters in the Javascript Websocket
>> client. But ATM our adapter supports authenticating requests where the
>> token is sent only in the "Authorization: Bearer" header. Maybe adding
>> support for authentication tokens from a query parameter is something we
>> can support for adapters though (if someone has a valid use case for it)
>>
>> Marek
>>
>> On 5.8.2015 10:47, Marek Posolda wrote:
>>> There is also another example,
>>> https://github.com/secondsun/wildfly-secured-websocket , where the client
>>> is a javascript application. It's based on web.xml security and the
>>> client and server are both in the same web application. Unfortunately I
>>> don't know if it can work if client and server are in different
>>> applications, as it seems that there is no way to add additional HTTP
>>> headers on the client in the javascript websockets API (at least according to
>>> http://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api
>>> ). So adding "Authorization: Bearer" looks like a challenge here.
>>>
>>> Marek
>>>
>>> On 5.8.2015 09:54, pslegr wrote:
>>>> Hello Juraci,
>>>>
>>>> maybe other Keycloak core devs might have other recommendations,
>>>> nevertheless I've put up an example for our project
>>>> https://github.com/pslegr/pnc/commit/873e875d657215890b9b9aafe93b2138ae946ec5
>>>> which uses Keycloak to secure the WS endpoint.
>>>> The point is to intercept the initial HttpRequest and add an
>>>> Authorization header into this one.
>>>>
>>>> ...
>>>>          List<String> authHeader = new ArrayList<String>();
>>>>          authHeader.add("Bearer " + authenticate());
>>>>          headers.put("Authorization", authHeader);
>>>>
>>>> ...
>>>>
>>>> This is done before protocol upgrade into WS/WSS.
>>>>
>>>> I don't see any other way of doing this so far...
>>>>
>>>> regards
>>>> Pavel
>>>>
>>>> On 4.8.2015 16:44, Juraci Paixão Kröhling wrote:
>>>>> I'm currently looking into the best way to perform authentication for
>>>>> WebSockets, and it seems that the best (only?) option so far is to
>>>>> handle this on the socket's endpoint itself.
>>>>>
>>>>> But before I start with some library for the other Hawkular components
>>>>> to consume, I'd like to ask if there are best practices/recommendations
>>>>> for doing WebSocket authentication with Keycloak.
>>>>>
>>>>> My plan right now is to require the endpoints to inject a service that
>>>>> would accept a message and session, closing the session on this service
>>>>> if the login data is not provided (login data == token, sent on the
>>>>> first message, at least at first).
>>>>>
>>>>> Ideas/thoughts?
>>>>>
>>>>> - Juca.
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
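One way to implement the "token on the first message" option discussed in this thread, as an added example rather than code from the thread or from Keycloak, using the JSR-356 (javax.websocket) server API. TokenValidator is a hypothetical hook the application would back with Keycloak's own token verification; the close-on-expiry timer is added to address the concern that a long-lived socket would otherwise not notice the grant ending.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.websocket.CloseReason;
import javax.websocket.OnMessage;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/events")
public class FirstMessageAuthEndpoint {
    // Hypothetical verifier supplied by the application (e.g. wrapping the Keycloak
    // adapter's token check). Returns the token's expiry in epoch seconds or throws.
    public interface TokenValidator {
        long verifyAndGetExpiry(String accessToken) throws Exception;
    }

    private static final String EXPIRES_AT = "auth.expiresAt";
    private static final ScheduledExecutorService TIMER = Executors.newSingleThreadScheduledExecutor();
    public static volatile TokenValidator validator;   // set once at application startup

    @OnMessage
    public void onMessage(String message, Session session) throws IOException {
        if (session.getUserProperties().containsKey(EXPIRES_AT)) {
            session.getBasicRemote().sendText("ok: " + message);   // already authenticated
            return;
        }
        // The first frame must be "auth <access token>"; anything else closes with 1008.
        if (!message.startsWith("auth ")) {
            close(session, "authenticate first");
            return;
        }
        long exp;
        try {
            exp = validator.verifyAndGetExpiry(message.substring("auth ".length()));
        } catch (Exception e) {
            close(session, "invalid token");
            return;
        }
        session.getUserProperties().put(EXPIRES_AT, exp);
        // Close the socket when the token expires, so a long-lived connection cannot
        // outlive the grant it was opened with (the "socket would not notice" problem).
        long delay = Math.max(0, exp - System.currentTimeMillis() / 1000);
        TIMER.schedule(() -> close(session, "token expired"), delay, TimeUnit.SECONDS);
    }

    private static void close(Session session, String reason) {
        try { session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, reason)); }
        catch (IOException ignored) { }
    }
}
```

A logout before the token's expiry is still invisible to the socket; covering that case needs the application to track open sessions per user and close them when a logout event arrives.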