8:13 a.m.
Hi all,
We have a use case where an HTML5/Angular application is calling a REST
interface using keycloak for authentication SSO. Everything works fine
until we need to download files or preview images (using <img> tag). In
both case, this is the browser which perform the request on the REST url
and, because of a specific XHR authentication putting the bearer token in
the headers, a 'classic' browser request for downloading a file result in
an UNauthenticated request because of unexisting bearer token.
We're minding if there is a best practice to handle this case. We plan to
include a dedicated token as a download request parameter and to check this
particular query paramter programmatically in the /download JAX-RS
operation. What kind of token should have to put in the query and is there
an already existing mechanism to catch such token in jax-rs server-side
operations nor programmatically ?
Thanks a lot for your support and so good work, Best Regards, Jérôme.
9:49 a.m.
----- Original Message -----
From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
To: keycloak-user(a)lists.jboss.org
Sent: Monday, 15 December, 2014 3:13:06 PM
Subject: [keycloak-user] HTML5/JS and download URL.
Hi all,
We have a use case where an HTML5/Angular application is calling a REST
interface using keycloak for authentication SSO. Everything works fine until
we need to download files or preview images (using <img> tag). In both case,
this is the browser which perform the request on the REST url and, because
of a specific XHR authentication putting the bearer token in the headers, a
'classic' browser request for downloading a file result in an
UNauthenticated request because of unexisting bearer token.
We're minding if there is a best practice to handle this case. We plan to
include a dedicated token as a download request parameter and to check this
particular query paramter programmatically in the /download JAX-RS
operation. What kind of token should have to put in the query and is there
an already existing mechanism to catch such token in jax-rs server-side
operations nor programmatically ?
We actually had the same issue in our admin console as we provide a download option for
the application config. AFAIK there's two solutions:
* Generate a temporary token - basically what you're suggesting. There's two ways
you can do this, always generate one and add it to the link, second is to use a redirect
that only generates the token on demand
* Use XHR to get the file, which allows setting the Authorization header, then use
JavaScript to download
There's currently no direct support for this in Keycloak, but it would be interesting
to add.
Thanks a lot for your support and so good work, Best Regards, Jérôme.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:51 a.m.
Hi,
Thank you for your answer. Sorry for my lake of knowledge in OAuth but
speaking about generating a temporary token to include in the link, what
kind of token do you mean and what is the best way to do that with Keycloak.
Best regards, Jérôme.
2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
----- Original Message -----
> From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Monday, 15 December, 2014 3:13:06 PM
> Subject: [keycloak-user] HTML5/JS and download URL.
>
> Hi all,
> We have a use case where an HTML5/Angular application is calling a REST
> interface using keycloak for authentication SSO. Everything works fine
until
> we need to download files or preview images (using <img> tag). In both
case,
> this is the browser which perform the request on the REST url and,
because
> of a specific XHR authentication putting the bearer token in the
headers, a
> 'classic' browser request for downloading a file result in an
> UNauthenticated request because of unexisting bearer token.
>
> We're minding if there is a best practice to handle this case. We plan to
> include a dedicated token as a download request parameter and to check
this
> particular query paramter programmatically in the /download JAX-RS
> operation. What kind of token should have to put in the query and is
there
> an already existing mechanism to catch such token in jax-rs server-side
> operations nor programmatically ?
We actually had the same issue in our admin console as we provide a
download option for the application config. AFAIK there's two solutions:
* Generate a temporary token - basically what you're suggesting. There's
two ways you can do this, always generate one and add it to the link,
second is to use a redirect that only generates the token on demand
* Use XHR to get the file, which allows setting the Authorization header,
then use JavaScript to download
There's currently no direct support for this in Keycloak, but it would be
interesting to add.
>
> Thanks a lot for your support and so good work, Best Regards, Jérôme.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2:05 a.m.
----- Original Message -----
From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-user(a)lists.jboss.org
Sent: Tuesday, 16 December, 2014 5:51:37 PM
Subject: Re: [keycloak-user] HTML5/JS and download URL.
Hi,
Thank you for your answer. Sorry for my lake of knowledge in OAuth but
speaking about generating a temporary token to include in the link, what
kind of token do you mean and what is the best way to do that with Keycloak.
We don't have any support for this at the moment so you would have to make it
yourself. With regards to token all I mean is a something temporary that allows the server
to verify the user has permissions to download the file.
For example the token could be the base64 encoded signature (hmac, rsa or whatever
you'd like) of userid, timestamp/expiration and file-url. That way the server can
simply verify the signature on the server-side when the user is trying to download the
file and check that it matches.
Best regards, Jérôme.
2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian(a)redhat.com>:
>
>
>
> ----- Original Message -----
> > From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Monday, 15 December, 2014 3:13:06 PM
> > Subject: [keycloak-user] HTML5/JS and download URL.
> >
> > Hi all,
> > We have a use case where an HTML5/Angular application is calling a REST
> > interface using keycloak for authentication SSO. Everything works fine
> until
> > we need to download files or preview images (using <img> tag). In both
> case,
> > this is the browser which perform the request on the REST url and,
> because
> > of a specific XHR authentication putting the bearer token in the
> headers, a
> > 'classic' browser request for downloading a file result in an
> > UNauthenticated request because of unexisting bearer token.
> >
> > We're minding if there is a best practice to handle this case. We plan to
> > include a dedicated token as a download request parameter and to check
> this
> > particular query paramter programmatically in the /download JAX-RS
> > operation. What kind of token should have to put in the query and is
> there
> > an already existing mechanism to catch such token in jax-rs server-side
> > operations nor programmatically ?
>
> We actually had the same issue in our admin console as we provide a
> download option for the application config. AFAIK there's two solutions:
>
> * Generate a temporary token - basically what you're suggesting. There's
> two ways you can do this, always generate one and add it to the link,
> second is to use a redirect that only generates the token on demand
> * Use XHR to get the file, which allows setting the Authorization header,
> then use JavaScript to download
>
> There's currently no direct support for this in Keycloak, but it would be
> interesting to add.
>
> >
> > Thanks a lot for your support and so good work, Best Regards, Jérôme.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
3681
days inactive
3683
days old
3 comments
2 participants
participants (2)
-
Jérôme Blanchard -
Stian Thorgersen