Hi all,
Is it possible to configure the servlet adapter to check for the presence of a
bearer token in a cookie instead of in a header?
This question is about the file download use case. If the bearer token is
placed in a cookie by the JavaScript client at the same time as setting the
header, this will ensure that the cookie is sent by the browser in the case of
a file download or an <img> tag that happens outside of an XHR.
Thanks, Best Regards, Jérôme.
On Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <jayblanc(a)gmail.com>
wrote:
Hi Stian,
Thanks for your clarifications; we have chosen to implement the time-based
password solution.
Using a ServletFilter and the Servlet 3.0 HttpRequest.login() feature,
we're able to intercept the token from the query parameter and propagate it
to the JAAS stack. A dedicated LoginModule validates this token to enforce
the principal in the EJB SecurityContext and, based on this, our custom
authorisation system is used as-is without the need to create a hook in the
download operation.
This solution has the advantage of not interfering with the classic OAuth
authentication, whether an XHR header or a REST client programmatically
includes the bearer token in the request header.
Thanks a lot for your support, Best Regards, Jérôme.
On Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <stian(a)redhat.com>
wrote:
>
> ----- Original Message -----
> > From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
> > To: "Stian Thorgersen" <stian(a)redhat.com>
> > Cc: keycloak-user(a)lists.jboss.org
> > Sent: Tuesday, 16 December, 2014 5:51:37 PM
> > Subject: Re: [keycloak-user] HTML5/JS and download URL.
> >
> > Hi,
> >
> > Thank you for your answer. Sorry for my lack of knowledge in OAuth but,
> > speaking about generating a temporary token to include in the link, what
> > kind of token do you mean and what is the best way to do that with
> > Keycloak?
>
> We don't have any support for this at the moment so you would have to
> make it yourself. With regards to the token, all I mean is something
> temporary that allows the server to verify the user has permission to
> download the file.
>
> For example the token could be the base64 encoded signature (HMAC, RSA or
> whatever you'd like) of userid, timestamp/expiration and file-url. That way
> the server can simply verify the signature on the server-side when the user
> is trying to download the file and check that it matches.
>
> >
> > Best regards, Jérôme.
> >
> > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
> > > > To: keycloak-user(a)lists.jboss.org
> > > > Sent: Monday, 15 December, 2014 3:13:06 PM
> > > > Subject: [keycloak-user] HTML5/JS and download URL.
> > > >
> > > > Hi all,
> > > > We have a use case where an HTML5/Angular application is calling a
> > > > REST interface using Keycloak for SSO authentication. Everything works
> > > > fine until we need to download files or preview images (using an <img>
> > > > tag). In both cases it is the browser that performs the request on the
> > > > REST URL and, because the XHR authentication puts the bearer token in
> > > > the headers, a 'classic' browser request for downloading a file results
> > > > in an unauthenticated request because the bearer token is missing.
> > > >
> > > > We're wondering if there is a best practice to handle this case. We
> > > > plan to include a dedicated token as a download request parameter and
> > > > to check this particular query parameter programmatically in the
> > > > /download JAX-RS operation. What kind of token should we put in the
> > > > query, and is there an existing mechanism to catch such a token in
> > > > JAX-RS server-side operations, or programmatically?
> > >
> > > We actually had the same issue in our admin console as we provide a
> > > download option for the application config. AFAIK there are two
> > > solutions:
> > >
> > > * Generate a temporary token - basically what you're suggesting. There
> > > are two ways you can do this: always generate one and add it to the
> > > link, or use a redirect that only generates the token on demand
> > > * Use XHR to get the file, which allows setting the Authorization
> > > header, then use JavaScript to download
> > >
> > > There's currently no direct support for this in Keycloak, but it would
> > > be interesting to add.
> > >
> > > >
> > > > Thanks a lot for your support and so good work, Best Regards, Jérôme.
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>
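The signed, expiring download token Stian describes above (a signature over user id, expiry and file URL, verified server-side when the file is requested), written out as an added example; it is not part of this thread nor of Keycloak. Python is used so the example runs stand-alone; the signing key, user id and file path are constructed values, and the same scheme ports directly to javax.crypto.Mac inside the ServletFilter Jérôme describes.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key: a real deployment loads it from server configuration.
SERVER_KEY = b"demo-download-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _payload(user_id: str, expiry: int, file_url: str) -> bytes:
    # Newline delimiters keep the three fields from running into each other.
    return f"{user_id}\n{expiry}\n{file_url}".encode()

def issue_download_token(user_id: str, file_url: str, ttl_seconds: int,
                         key: bytes = SERVER_KEY,
                         now: Optional[int] = None) -> str:
    """Build 'user.expiry.signature' for a download link: the HMAC-SHA256
    covers user id, expiry and file URL, so none of them can be altered."""
    expiry = (int(time.time()) if now is None else now) + ttl_seconds
    sig = hmac.new(key, _payload(user_id, expiry, file_url), hashlib.sha256)
    return f"{_b64url(user_id.encode())}.{expiry}.{_b64url(sig.digest())}"

def verify_download_token(token: str, file_url: str, key: bytes = SERVER_KEY,
                          now: Optional[int] = None) -> Optional[str]:
    """Return the user id when the token is well-formed, unexpired and bound
    to the file URL actually being requested; otherwise return None."""
    try:
        user_part, expiry_part, sig_part = token.split(".")
        user_id = _b64url_decode(user_part).decode()
        expiry = int(expiry_part)
        sig = _b64url_decode(sig_part)
    except (ValueError, UnicodeDecodeError):
        return None
    if (int(time.time()) if now is None else now) >= expiry:
        return None
    expected = hmac.new(key, _payload(user_id, expiry, file_url),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(sig, expected):
        return None
    return user_id
```

The /download operation calls verify_download_token with the URL it is actually serving, so a token issued for one file cannot be replayed against another, and the expiry bounds how long a leaked link stays usable.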