<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>
<div>For at least opening the WebSocket, assuming the user has the cookie or bearer token already, it can go with the initial HTTP upgrade request. Browsers send cookies on the WebSocket connect, and I think you can add the bearer token if that’s how you’re flying.</div>
<div><br></div>
<div>Subsequent re-auth, as Bill said, should be up to the user and how he’s using the socket.</div>
<div><br></div>
<div>        -Bob</div>
<div><br></div>
<br>
<div><blockquote type="cite">
<div>On Aug 11, 2015, at 1:23 AM, Stian Thorgersen &lt;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&gt; wrote:</div>
<br>
<div>
<br>
----- Original Message -----<br>
<blockquote type="cite">From: "Bill Burke" &lt;<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>&gt;<br>
To: <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
Sent: Monday, 10 August, 2015 4:10:36 PM<br>
Subject: Re: [keycloak-user] WebSockets<br>
<br>
On 8/10/2015 9:48 AM, Juraci Paixão Kröhling wrote:<br>
<blockquote type="cite">On 08/10/2015 03:26 PM, Bill Burke wrote:<br>
<blockquote type="cite">Once the WebSocket is established there is actually no reason to resend the token as the connection/socket remains open. HTTP requests are different. They need to retransmit the token because HTTP is connectionless and assumes every request is a different connection. For browser apps, logout can be handled in the regular way with keycloak.js. Non-browser apps can just rely on non-browser means.<br>
<br>
All the server needs is a way to validate and unpack the token. Refresh should be handled at the client side through keycloak.js or some other OAuth library. For bearer token auth, it is not the responsibility of the server to manage the token.<br>
</blockquote>
<br>
Not sure I get it. Are you saying that my server endpoint should trust that the client will close the connection once the token expires/is invalidated?<br>
<br>
</blockquote>
<br>
I didn't say that. You just don't have to retransmit the token every request because in WebSockets the connection is already established.<br>
<br>
You are going to have to rely on the client to get a new token and reconnect. Keycloak can't support every single pet protocol implemented on top of WebSockets. We can only offer token validation on HTTP Upgrade out-of-the-box plus an API to unpack and validate a token. Anything more and you'll have to implement it yourself.<br>
<br>
IMO, abort with an error code, the client destroys the WebSocket, refreshes the token via OAuth, and reestablishes the WebSocket. It's the simplest way and we can provide support for it OOTB with Keycloak's adapter lib. Otherwise you'll have to implement anything more complex yourself.<br>
</blockquote>
<br>
I know there's no standard protocol, but I still think the token should be sent through the socket itself, not as part of the URL. I don't like sending it as part of the URL, for one; secondly, having to drop and re-create the socket every time the token expires negates the purpose of WebSockets somewhat.<br>
<br>
<blockquote type="cite">
<br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com/">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
</blockquote>
</div></blockquote></div>
<br>
</body></html>