Hi all, 

Is it possible to configure the servlet adapter to check presence of a bearer token in a cookie instead of in a header ?
This question is about the download file usecase. If the bearer token will be placed in a cookie by the javascript client at the same time settnig the header, his will ensure that this cookie will be sent by the navigator in the case of a download file or a <img> tag that would happen outside of a XHR.

Thanks, Best Regards, Jérôme.

Le Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <jayblanc@gmail.com> a écrit :
Hi Stian,

Thanks for your precisions, we have choose to implement the solution of a time based password. 
Using a ServletFilter and the Servlet 3.0 HttpRequest.login() feature we're able to intercept token from query parameter and propagate it to the JAAS stack. A dedicated LoginModule validate this token to enforce principal in the EJB SecurityContext and, according to this, our custom authorisation system is used ASIS without the need to create a hook in the download operation. 
This solution give the advantage to not interfer with the classic OAuth authentication in case of using a XHR Header nor a RESTClient that programmatically include the bearer token in the request header.

Thanks a lot for your support, Best Regards, Jérôme.



Le Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <stian@redhat.com> a écrit :



----- Original Message -----
> From: "Jérôme Blanchard" <jayblanc@gmail.com>
> To: "Stian Thorgersen" <stian@redhat.com>
> Cc: keycloak-user@lists.jboss.org
> Sent: Tuesday, 16 December, 2014 5:51:37 PM
> Subject: Re: [keycloak-user] HTML5/JS and download URL.
>
> Hi,
>
> Thank you for your answer. Sorry for my lake of knowledge in OAuth but
> speaking about generating a temporary token to include in the link, what
> kind of token do you mean and what is the best way to do that with Keycloak.

We don't have any support for this at the moment so you would have to make it yourself. With regards to token all I mean is a something temporary that allows the server to verify the user has permissions to download the file.

For example the token could be the base64 encoded signature (hmac, rsa or whatever you'd like) of userid, timestamp/expiration and file-url. That way the server can simply verify the signature on the server-side when the user is trying to download the file and check that it matches.

>
> Best regards, Jérôme.
>
> 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian@redhat.com>:
> >
> >
> >
> > ----- Original Message -----
> > > From: "Jérôme Blanchard" <jayblanc@gmail.com>
> > > To: keycloak-user@lists.jboss.org
> > > Sent: Monday, 15 December, 2014 3:13:06 PM
> > > Subject: [keycloak-user] HTML5/JS and download URL.
> > >
> > > Hi all,
> > > We have a use case where an HTML5/Angular application is calling a REST
> > > interface using keycloak for authentication SSO. Everything works fine
> > until
> > > we need to download files or preview images (using <img> tag). In both
> > case,
> > > this is the browser which perform the request on the REST url and,
> > because
> > > of a specific XHR authentication putting the bearer token in the
> > headers, a
> > > 'classic' browser request for downloading a file result in an
> > > UNauthenticated request because of unexisting bearer token.
> > >
> > > We're minding if there is a best practice to handle this case. We plan to
> > > include a dedicated token as a download request parameter and to check
> > this
> > > particular query paramter programmatically in the /download JAX-RS
> > > operation. What kind of token should have to put in the query and is
> > there
> > > an already existing mechanism to catch such token in jax-rs server-side
> > > operations nor programmatically ?
> >
> > We actually had the same issue in our admin console as we provide a
> > download option for the application config. AFAIK there's two solutions:
> >
> > * Generate a temporary token - basically what you're suggesting. There's
> > two ways you can do this, always generate one and add it to the link,
> > second is to use a redirect that only generates the token on demand
> > * Use XHR to get the file, which allows setting the Authorization header,
> > then use JavaScript to download
> >
> > There's currently no direct support for this in Keycloak, but it would be
> > interesting to add.
> >
> > >
> > > Thanks a lot for your support and so good work, Best Regards, Jérôme.
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user@lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>