, when the "access_token" parameter was added, I should be able to reach
a REST endpoint directly using that query parameter. That does look like a
bug with the Spring Security adapter.
2017-09-15 14:17 GMT-04:00 Gabriel Lavoie <glavoie(a)gmail.com>:
Hi,
we have one use case where we want to use an access_token URL
parameter rather than the Authorization: Bearer header, to allow SSO from a
mobile app to Safari.
In KeycloakAuthenticationProcessingFilter.java
(https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java),
the authentication flow is different when using the query param vs. the
Authorization header. Any reason for this?
- Header: Upon successful authentication, the filter chain is processed to
the requested page.
- Query param: Upon successful authentication, the default success handler is
called and the user is redirected to a target page (/ by default); see the first
condition of KeycloakAuthenticationProcessingFilter.successfulAuthentication():
    if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
        super.successfulAuthentication(request, response, chain, authResult);
        return;
    }
Thanks,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
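The two code paths described in the thread, as an added example that is neither the adapter's code nor a fix from the Keycloak project: a hypothetical subclass that keeps an access_token query-parameter request on the bearer path (continue the filter chain) instead of handing it to the default success handler. It assumes Spring Security's successfulAuthentication(request, response, chain, authResult) signature and the adapter's single-argument constructor; the class name and the explicit parameter check are this example's own.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical subclass (not part of the Keycloak adapter) that treats a
 * request carrying an access_token query parameter like a bearer-header
 * request: the authenticated principal is placed in the security context and
 * the chain continues to the originally requested resource, rather than the
 * default success handler redirecting to its target URL.
 */
public class QueryParamBearerKeycloakFilter extends KeycloakAuthenticationProcessingFilter {

    // Assumed constructor: the adapter's filter takes an AuthenticationManager.
    public QueryParamBearerKeycloakFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    // Mirrors the page's "bearer or basic" branch, extended to the query parameter.
    private boolean isTokenInQueryString(HttpServletRequest request) {
        String token = request.getParameter("access_token");
        return token != null && !token.isEmpty();
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain,
                                            Authentication authResult)
            throws IOException, ServletException {
        if (isTokenInQueryString(request)) {
            // Stateless, bearer-style completion: no redirect, serve the requested page.
            // Note: query-string tokens are recorded in access logs and Referer headers
            // (RFC 6750 section 2.3 discourages this transport), so scrub them in logging.
            SecurityContextHolder.getContext().setAuthentication(authResult);
            chain.doFilter(request, response);
            return;
        }
        // Header and interactive (code-flow) requests keep the adapter's own handling.
        super.successfulAuthentication(request, response, chain, authResult);
    }
}
```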