----- Original Message -----
From: "Juraci Paixão Kröhling" <juraci(a)kroehling.de>
To: "Marek Posolda" <mposolda(a)redhat.com>, "pslegr"
<pslegr(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Wednesday, 5 August, 2015 4:20:32 PM
Subject: Re: [keycloak-user] WebSockets

On 08/05/2015 03:39 PM, Marek Posolda wrote:
> Maybe it's
> possible the server will poll the client socket and ask for updated
> token from the client periodically. I am not sure about the possible and
> best option TBH (not have deep websocket knowledge)

It is possible, but that goes into the "invasive" approach, as it can be
done only with a message going from the server to the client. Doing this
at the Keycloak level means that the application has to know how to
handle (or discard) Keycloak-specific messages.

Honestly, the more I think about it, the more I realize that the best
solution would be to get an API from Keycloak that would allow me to
validate tokens and extract a principal from it, like what the Request
Authenticators do. Even better if this API could call me back from time
to time, so that my server part could ask the client part for a renewed
token. My client could then send this token in the next payload (not
necessarily a payload *only* with the token).

+1
I'm less convinced about including token in URI due to security issues + access tokens
are short lived. The better option is to send the access token as a message after the
socket is open. If the token is expired the server should return with an appropriate error
message so the client knows it needs to refresh the access token and resend to the server.
We'd need to support this for multiple languages though :/

- Juca.
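
The flow discussed in the thread above (access token sent as a message once the socket is open, an error reply on expiry so the client refreshes and resends), as an added example that is not part of the original messages and not Keycloak code. The message types, error codes, `TokenGatedSession`, `verifyAccessToken` and `signSampleToken` are hypothetical names; it assumes RS256-signed JWTs, checks only the signature and `exp`, and leaves the WebSocket transport out.

```javascript
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Verify an RS256 JWT; returns its claims or throws invalid_token / token_expired.
function verifyAccessToken(token, publicKey, nowSec) {
  const [h, p, s, extra] = String(token).split('.');
  if (!h || !p || !s || extra !== undefined) throw new Error('invalid_token');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch (e) { throw new Error('invalid_token'); }
  if (!header || header.alg !== 'RS256' || !claims) throw new Error('invalid_token'); // pin the algorithm
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('invalid_token');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token_expired');
  return claims;
}

// One instance per socket; handle() takes a parsed client message and returns the reply.
class TokenGatedSession {
  constructor(publicKey, clock = () => Math.floor(Date.now() / 1000)) {
    Object.assign(this, { publicKey, clock, claims: null });
  }
  handle(msg) {
    if (msg.type === 'auth') {
      try {
        this.claims = verifyAccessToken(msg.token, this.publicKey, this.clock());
        return { type: 'auth_ok', sub: this.claims.sub };
      } catch (e) {
        this.claims = null;
        return { type: 'error', code: e.message };
      }
    }
    if (!this.claims) return { type: 'error', code: 'unauthenticated' };
    // The socket outlives a short-lived token, so re-check expiry on every message.
    if (this.claims.exp <= this.clock()) {
      this.claims = null;
      return { type: 'error', code: 'token_expired' };
    }
    return { type: 'data', sub: this.claims.sub, echo: msg.body };
  }
}

// Constructed fixture: signs sample tokens with a throwaway key (stands in for the IdP).
function signSampleToken(privateKey, claims) {
  const input = [{ alg: 'RS256', typ: 'JWT' }, claims].map((o) => b64u(JSON.stringify(o))).join('.');
  return `${input}.${b64u(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}
```

On a `token_expired` reply the client refreshes its access token and sends a new `auth` message on the same socket; the token never appears in the connection URI.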