[keycloak-user] Load bearer-only app resource to iframe

Tair Sabirgaliev tair.sabirgaliev at bee.kz
Thu Jun 18 17:06:35 EDT 2015



On 6/19/15 02:52, Bill Burke wrote:
> Yeah, sorry, that was a stupid response to your question by me...I 
> wasn't thinking....
> 
> Yeah, you're screwed. :)  There is no way around it. I guess the adapter 
> could set a cookie on bearer-only requests like it does for auth-code 
> requests and then authenticate via the cookie next time around, but then 
> you are vulnerable to CSRF attacks.

Got this one:
https://developer.mozilla.org/en-US/docs/Using_files_from_web_applications#Example.3A_Using_object_URLs_to_display_PDF

Didn't try yet, but looks promising.

The idea is to load the resource with XHR and render it in an iframe using
Object URLs.

> 
> On 6/18/2015 4:45 PM, Tair Sabirgaliev wrote:
>>
>>
>> On 6/19/15 02:21, Bill Burke wrote:
>>> invoke the rest service via XHR, then render the <iframe>?
>>
>> The problem is when iframe tries to download its contents, keycloak
>> adapter doesn't let it through. I assume this is because iframe doesn't
>> send Authorization header.
>>
>>>
>>> On 6/18/2015 3:44 PM, Tair Sabirgaliev wrote:
>>>> Any idea on this?
>>>>
>>>> --
>>>> Tair Sabirgaliev
>>>> Bee Software, LLP
>>>>
>>>> On June 11, 2015 at 20:41:25, Tair Sabirgaliev (tair.sabirgaliev at bee.kz
>>>> <mailto:tair.sabirgaliev at bee.kz>) wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I have a REST resource /rest/some/pdf in bearer-only application. The
>>>>> client app uses angular, I have set it up according to keycloak demos.
>>>>> On my angular page I have an <iframe src="/rest/some/pdf"….>. I can't
>>>>> pass auth headers to iframe url. What is the right thing to do here?
>>>>>
>>>>> Thank you!
>>>>>
>>>>>
>>>>> --
>>>>> Tair Sabirgaliev
>>>>> Bee Software, LLP
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>
> 
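
The approach described in the reply above (request the resource with the bearer token, then display it in the iframe through an object URL), as an added example that is not part of the original thread. It uses `fetch` instead of XHR; the function names, the `deps` parameter and the way the token is obtained are assumptions.

```javascript
// Added example; function names and the deps parameter are hypothetical.
const PDF_TYPE = 'application/pdf';
const currentUrl = new WeakMap(); // iframe -> object URL it currently shows

// Token travels in the Authorization header only; cookies are never sent,
// so the bearer-only endpoint gains no cookie-based (CSRF-able) path.
function bearerRequestInit(token) {
  return {
    method: 'GET',
    credentials: 'omit',
    headers: { Authorization: 'Bearer ' + token, Accept: PDF_TYPE },
  };
}

// Fetch the protected resource and show it in `frame` through a blob: URL.
// `deps` exists so fetch/URL can be replaced in tests; browsers use globals.
async function loadProtectedPdf(frame, resourceUrl, token, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const urlApi = deps.URL || globalThis.URL;

  const res = await doFetch(resourceUrl, bearerRequestInit(token));
  if (!res.ok) throw new Error('request failed: HTTP ' + res.status);

  // A blob: URL inherits this page's origin, so an HTML body would run
  // script as the app. Accept only a PDF and pin the blob's type to it.
  const header = res.headers.get('Content-Type') || '';
  const type = header.split(';')[0].trim().toLowerCase();
  if (type !== PDF_TYPE) throw new Error('unexpected content type: ' + type);
  const blob = new Blob([await res.arrayBuffer()], { type: PDF_TYPE });

  // Release the previous document so blobs do not pile up in memory.
  const previous = currentUrl.get(frame);
  if (previous) urlApi.revokeObjectURL(previous);

  const objectUrl = urlApi.createObjectURL(blob);
  currentUrl.set(frame, objectUrl);
  frame.src = objectUrl;
  return objectUrl;
}
```

In the browser, call `loadProtectedPdf(iframeElement, '/rest/some/pdf', token)` with the access token the client app already holds.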

