Hi all, <div><br></div><div>Is it possible to configure the servlet adapter to check for the presence of a bearer token in a cookie instead of in a header?</div><div>This question is about the file download use case. If the bearer token is placed in a cookie by the JavaScript client at the same time as setting the header, this will ensure that the cookie is sent by the browser in the case of a file download or an <img> tag request that happens outside of an XHR.</div><div><br></div><div>Thanks, Best Regards, Jérôme.<br><br><div class="gmail_quote">On Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <<a href="mailto:jayblanc@gmail.com">jayblanc@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Stian, <br><br><div>Thanks for your clarifications; we have chosen to implement the time-based password solution. </div><div>Using a ServletFilter and the Servlet 3.0 HttpServletRequest.login() feature we're able to intercept the token from the query parameter and propagate it to the JAAS stack. A dedicated LoginModule validates this token to establish the principal in the EJB SecurityContext and, based on this, our custom authorisation system is used as-is without the need to create a hook in the download operation. </div><div>This solution has the advantage of not interfering with the classic OAuth authentication when using an XHR header or a REST client that programmatically includes the bearer token in the request header.</div><div><br></div><div>Thanks a lot for your support, Best Regards, Jérôme.</div><div><br></div><div><br></div><br><div class="gmail_quote">On Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>> wrote:</div><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
----- Original Message -----<br>
> From: "Jérôme Blanchard" <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>><br>
> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> Sent: Tuesday, 16 December, 2014 5:51:37 PM<br>
> Subject: Re: [keycloak-user] HTML5/JS and download URL.<br>
><br>
> Hi,<br>
><br>
> Thank you for your answer. Sorry for my lack of knowledge in OAuth, but<br>
> speaking about generating a temporary token to include in the link, what<br>
> kind of token do you mean and what is the best way to do that with Keycloak?<br>
<br>
We don't have any support for this at the moment, so you would have to make it yourself. With regards to the token, all I mean is something temporary that allows the server to verify the user has permission to download the file.<br>
<br>
For example, the token could be the base64-encoded signature (HMAC, RSA or whatever you'd like) of userid, timestamp/expiration and file URL. That way the server can simply verify the signature on the server side when the user is trying to download the file and check that it matches.<br>
<br>
><br>
> Best regards, Jérôme.<br>
><br>
> 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>>:<br>
> ><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Jérôme Blanchard" <<a href="mailto:jayblanc@gmail.com" target="_blank">jayblanc@gmail.com</a>><br>
> > > To: <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> > > Sent: Monday, 15 December, 2014 3:13:06 PM<br>
> > > Subject: [keycloak-user] HTML5/JS and download URL.<br>
> > ><br>
> > > Hi all,<br>
> > > We have a use case where an HTML5/Angular application is calling a REST<br>
> > > interface using Keycloak for SSO authentication. Everything works fine<br>
> > > until we need to download files or preview images (using an <img> tag).<br>
> > > In both cases it is the browser which performs the request on the REST<br>
> > > URL and, because of a specific XHR authentication that puts the bearer<br>
> > > token in the headers, a 'classic' browser request for downloading a file<br>
> > > results in an UNauthenticated request because there is no bearer token.<br>
> > ><br>
> > > We're wondering if there is a best practice to handle this case. We plan<br>
> > > to include a dedicated token as a download request parameter and to<br>
> > > check this particular query parameter programmatically in the /download<br>
> > > JAX-RS operation. What kind of token should we put in the query, and is<br>
> > > there an already existing mechanism to catch such a token in JAX-RS<br>
> > > server-side operations or programmatically?<br>
> ><br>
> > We actually had the same issue in our admin console as we provide a<br>
> > download option for the application config. AFAIK there are two solutions:<br>
> ><br>
> > * Generate a temporary token - basically what you're suggesting. There's<br>
> > two ways you can do this, always generate one and add it to the link,<br>
> > second is to use a redirect that only generates the token on demand<br>
> > * Use XHR to get the file, which allows setting the Authorization header,<br>
> > then use JavaScript to download<br>
> ><br>
> > There's currently no direct support for this in Keycloak, but it would be<br>
> > interesting to add.<br>
> ><br>
> > ><br>
> > > Thanks a lot for your support and so good work, Best Regards, Jérôme.<br>
> > ><br>
> > > _______________________________________________<br>
> > > keycloak-user mailing list<br>
> > > <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
> > > <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
> ><br>
><br>
</blockquote></div></blockquote></div></div>
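<div>The temporary download token Stian sketches in the thread (a signature over user id, expiration and file URL that the /download endpoint verifies before serving the file), written out as an added example in Python; this is not code from the thread or from Keycloak. The secret key, user id and file paths are constructed sample values, the token is bound to the exact requested path so it cannot be reused for another file, and the signature check is constant-time.</div>

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example key; a real deployment loads a per-server secret from config.
SECRET_KEY = b"example-server-side-secret-change-me"


def _sign(user_id: str, file_url: str, expires: int) -> str:
    # The MAC covers the user, the exact resource and the expiry, so a token
    # issued for one file and one user cannot be replayed for another.
    # Fields are NUL-separated; user ids and URLs never contain NUL here.
    msg = b"\x00".join([user_id.encode(), file_url.encode(), str(expires).encode()])
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_download_token(user_id: str, file_url: str, ttl_seconds: int = 60,
                        now: Optional[int] = None) -> str:
    """Token to append to the download link as '?token=<user_id>.<expires>.<sig>'."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{user_id}.{expires}.{_sign(user_id, file_url, expires)}"


def verify_download_token(token: str, requested_url: str,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the token is valid for requested_url, else None."""
    now = int(time.time()) if now is None else now
    try:
        # rsplit keeps any '.' inside the user id intact.
        user_id, expires_str, sig = token.rsplit(".", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    if now >= expires:
        return None
    # Recompute over the URL actually requested, not one carried in the token.
    expected = _sign(user_id, requested_url, expires)
    if not hmac.compare_digest(expected, sig):
        return None
    return user_id


if __name__ == "__main__":
    tok = make_download_token("alice", "/download/report.pdf", ttl_seconds=60, now=1000)
    print(tok, verify_download_token(tok, "/download/report.pdf", now=1030))
```

<div>The servlet filter or JAX-RS resource calls verify_download_token with the request path and treats a None result as unauthenticated; the returned user id is what the authorisation check then uses.</div>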