It looks it's possible to add query parameters in Javscript Websocket client. But ATM our adapter supports authenticating requests where the token is sent only in "Authorization: Bearer" header. Maybe adding support for authentication tokens from query parameter is something we can support for adapters though (if someone has valid usecase for it)

Marek

On 5.8.2015 10:47, Marek Posolda wrote:
There is also another example https://github.com/secondsun/wildfly-secured-websocket , where client is javascript application . It's based on web.xml security and the client and server are both in same web application. Unfortunately I don't know if it can work if client and server are in different applications, as it seems that there is no way for add additional HTTP headers on client in javascript websockets API (at least according to http://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api ). So adding "Authorization: Bearer" looks like a challenge here.

Marek

On 5.8.2015 09:54, pslegr wrote:
Hello Juraci,

maybe other Keycloak core devs might have having other recommendations,
never-less I've put up an example for our project
https://github.com/pslegr/pnc/commit/873e875d657215890b9b9aafe93b2138ae946ec5
which uses Keycloak to secure the WS endpoint.
The point is to intercept the initial HttpRequest and add an AuthorizationHeader
into this one.

...
        List<String> authHeader = new ArrayList<String>();
        authHeader.add("Bearer " + authenticate());
        headers.put("Authorization", authHeader);

...
This is done before protocol upgrade into WS/WSS.

I don't see any other way doing this so far....

regards
Pavel

On 4.8.2015 16:44, Juraci Paixão Kröhling wrote:
I'm currently looking into the best way to perform authentication for 
WebSockets, and it seems that the best (only?) option so far is to 
handle this on the socket's endpoint itself.

But before I start with some library for the other Hawkular components 
to consume, I'd like to ask if there's a best practices/recommendations 
for doing WebSocket authentication with Keycloak.

My plan right now is to require the endpoints to inject a service that 
would accept a message and session, closing the session on this service 
if the login data is not provided (login data == token, send on the 
first message, at least at first).

Ideas/thoughts?

- Juca.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user




_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user