Hello, I'm rewriting my Java app secured 'classically' using session-stored credentials to Keycloak. My app is AJAX client with REST channel implemented using JAX-RS, so I've picked up keycloak-jaxrs-oauth-client and JaxrsBearerTokenFilterImpl. However, I have one place which I can't (or I don't see the way to do this) secure using that way: those are URLs that produce binary resources, available as direct downloads ( window.open ) and images (within img tag). I can't instruct browser to add Authorization token in that place, however, the classical cookie approach would work. I can't find a way to use Cookies with given filter, but I ses that BearerTokenRequestAuthenticator is already made extensible (it has QueryParam implementation), however the JaxrsBearerTokenFilterImpl doesn't five a way to choose implementation. Are there any approaches for (optional) cookie based approach made? If the change was made to the bearerAuthentication method to replace BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(resolvedDeployment); With BearerTokenRequestAuthenticator authenticator = createBearerTokenRequestAuthenticator(resolvedDeployment); I could be free to change the implementation of that method in my custom class with the strategy of my choice (either pure cookie-based strategy, or use cookie only when no Authorization header is present. Is such change-request a reasonable approach, that could be accepted for the community code base? Best regards, Lukasz Lech