<div dir="ltr"><div>Hi, <br><br>Thank you for your answer. Sorry for my lack of knowledge in OAuth but speaking about generating a temporary token to include in the link, what kind of token do you mean and what is the best way to do that with Keycloak?<br><br></div>Best regards, Jérôme.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-12-15 16:49 GMT+01:00 Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span>:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
----- Original Message -----<br>
> From: "Jérôme Blanchard" <<a href="mailto:jayblanc@gmail.com">jayblanc@gmail.com</a>><br>
> To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> Sent: Monday, 15 December, 2014 3:13:06 PM<br>
> Subject: [keycloak-user] HTML5/JS and download URL.<br>
><br>
> Hi all,<br>
> We have a use case where an HTML5/Angular application is calling a REST<br>
> interface using keycloak for authentication SSO. Everything works fine until<br>
> we need to download files or preview images (using <img> tag). In both cases,<br>
> it is the browser which performs the request on the REST URL and, because<br>
> of a specific XHR authentication putting the bearer token in the headers, a<br>
> 'classic' browser request for downloading a file results in an<br>
> unauthenticated request because of the nonexistent bearer token.<br>
><br>
> We're wondering if there is a best practice to handle this case. We plan to<br>
> include a dedicated token as a download request parameter and to check this<br>
> particular query parameter programmatically in the /download JAX-RS<br>
> operation. What kind of token should we put in the query and is there<br>
> an already existing mechanism to catch such a token in jax-rs server-side<br>
> operations or programmatically?<br>
<br>
</div></div>We actually had the same issue in our admin console as we provide a download option for the application config. AFAIK there are two solutions:<br>
<br>
* Generate a temporary token - basically what you're suggesting. There are two ways you can do this: the first is to always generate one and add it to the link, the second is to use a redirect that only generates the token on demand<br>
* Use XHR to get the file, which allows setting the Authorization header, then use JavaScript to download<br>
<br>
There's currently no direct support for this in Keycloak, but it would be interesting to add.<br>
<span class=""><br>
><br>
> Thanks a lot for your support and such good work, Best regards, Jérôme.<br>
><br>
</span>
</blockquote></div></div>
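The "temporary token" option discussed in this thread, sketched as an added example that is not part of the original messages and is not a Keycloak feature. Because a token in a URL ends up in server logs, browser history and Referer headers, it is kept separate from the bearer token, bound to one user and one path, and given a short lifetime. Assumptions: Node.js is used for illustration instead of the JAX-RS backend, and the names `issueDownloadToken`, `verifyDownloadToken` and `SECRET` are hypothetical.

```javascript
// Added example, not Keycloak code: HMAC-signed, short-lived download token.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: a server-side secret. It is generated at start-up here only so
// the example runs; a real deployment would load it from protected config.
const SECRET = randomBytes(32);

const sign = (payload) => createHmac('sha256', SECRET).update(payload).digest();

// Called from an endpoint that has already validated the bearer token
// (for instance an XHR call made just before building the download link).
function issueDownloadToken(userId, path, ttlSeconds, now = Date.now()) {
  const claims = { sub: userId, path, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload).toString('base64url')}`;
}

// Called by the download handler with the value of the token query parameter.
// Returns the user id, or null if the token is malformed, forged, expired,
// or was issued for a different path.
function verifyDownloadToken(token, requestedPath, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;

  const expected = sign(payload);
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }

  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (claims.path !== requestedPath) return null;            // single-purpose
  if (Math.floor(now / 1000) >= claims.exp) return null;     // short-lived
  return claims.sub;
}
```
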