[keycloak-user] WebSockets

I'm currently looking into the best way to perform authentication for WebSockets, and it seems that the best (only?) option so far is to handle this on the socket's endpoint itself. But before I start with some library for the other Hawkular components to consume, I'd like to ask if there's a best practices/recommendations for doing WebSocket authentication with Keycloak. My plan right now is to require the endpoints to inject a service that would accept a message and session, closing the session on this service if the login data is not provided (login data == token, send on the first message, at least at first). Ideas/thoughts? - Juca.