On 8/5/2015 9:04 AM, Juraci Paixão Kröhling wrote:
> On 08/05/2015 01:52 PM, Marek Posolda wrote:
>> Doing at the beginning of the connection might be easy. We may just need
>> to add support to adapters for authentication via bearer token sent in
>> URL query parameter or in the POST body. There are also specs for it
>>
>> http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param
> The main problem with this is that a token might be valid at the time
> the connection is made, but might not be valid after some time, while
> the socket is still open. So, a socket that was opened with a session
> that just expired would still be open.
> Perhaps undertow provides something that would allow the adapter to
> close sockets whose tokens are not valid anymore?
In most cases, a logout can be covered in a browser app that uses
keycloak.js. When the browser app detects a logout it just closes all
websocket connections.
Keycloak is not going to secure each individual websocket request as
this communication is all proprietary. It's up to you guys to transmit
and validate the token in your own protocol. Keycloak can only transmit
and validate the token on the initial connect, as that is standardized.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com