----- Original Message -----
From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 15 December, 2014 3:13:06 PM
Subject: [keycloak-user] HTML5/JS and download URL.

Hi all,
We have a use case where an HTML5/Angular application is calling a REST
interface using Keycloak for SSO authentication. Everything works fine until
we need to download files or preview images (using the <img> tag). In both cases,
it is the browser which performs the request on the REST URL and, because
of a specific XHR authentication putting the bearer token in the headers, a
'classic' browser request for downloading a file results in an
unauthenticated request because of the nonexistent bearer token.
We're wondering if there is a best practice to handle this case. We plan to
include a dedicated token as a download request parameter and to check this
particular query parameter programmatically in the /download JAX-RS
operation. What kind of token should we put in the query, and is there
an already existing mechanism to catch such a token in JAX-RS server-side
operations or programmatically?

We actually had the same issue in our admin console as we provide a download option for
the application config. AFAIK there are two solutions:
* Generate a temporary token - basically what you're suggesting. There are two ways
you can do this: the first is to always generate one and add it to the link, the second is to use a redirect
that only generates the token on demand
* Use XHR to get the file, which allows setting the Authorization header, then use
JavaScript to download
There's currently no direct support for this in Keycloak, but it would be interesting
to add.

Thanks a lot for your support and such good work. Best regards, Jérôme.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
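
The temporary-token option from the reply above, sketched as an added example; it is not part of the original thread and not a Keycloak feature. It is written in JavaScript for Node rather than JAX-RS, and the HMAC-SHA256 format, the 30-second lifetime, the in-memory nonce store and the names `mintDownloadToken` and `verifyDownloadToken` are all assumptions made for illustration.

```javascript
// Added example: short-lived, single-use download token (hypothetical names, not a Keycloak API).
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // per-process key; share or persist it in a cluster
const TTL_MS = 30_000;                   // assumed lifetime: long enough to start one download
const usedNonces = new Map();            // nonce -> expiry, for single-use enforcement

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');

// Call from an endpoint that has already validated the bearer token sent by XHR.
function mintDownloadToken(subject, path, now = Date.now()) {
  const claims = { sub: subject, path, exp: now + TTL_MS,
                   nonce: crypto.randomBytes(12).toString('base64url') };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Call from the download handler with the ?token= value and the requested path.
// Returns the subject on success, or null if the token must be rejected.
function verifyDownloadToken(token, requestedPath, now = Date.now()) {
  const [payload, mac, extra] = String(token).split('.');
  if (!payload || !mac || extra !== undefined) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let claims;
  try { claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')); }
  catch { return null; }
  if (typeof claims.exp !== 'number' || now >= claims.exp) return null;  // expired
  if (claims.path !== requestedPath) return null;   // token is bound to one resource
  if (usedNonces.has(claims.nonce)) return null;    // already used once

  for (const [n, exp] of usedNonces) if (exp <= now) usedNonces.delete(n);  // prune old nonces
  usedNonces.set(claims.nonce, claims.exp);
  return claims.sub;
}
```

A token in a query string ends up in access logs, browser history and Referer headers, which is why it is bound to one path and expires quickly. Single use breaks resumed or ranged downloads, so drop the nonce check and rely on the expiry alone if those are needed.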