The JS adapter doesn't support this. You could drop using the JS adapter, instead use
the WildFly/EAP adapter to secure the html files. As long as you're serving the html
files and rest endpoints from the same WAR that'll work with the cookie approach.
----- Original Message -----
From: "Jérôme Blanchard" <jayblanc(a)gmail.com>
To: "Bill Burke" <bburke(a)redhat.com>, keycloak-user(a)lists.jboss.org
Sent: Tuesday, 23 December, 2014 10:03:11 AM
Subject: Re: [keycloak-user] Undertow Bearer Token in Cookie
Hi, by mentionning the servlet adapter, you mean the WAR configured using
web.xml (server side) ? or the client servlet adapter ?
In our configuration we have a REST API prtoected using the WAR wildfly
adapter (ensuring EJB auth propagation) and a JS client.
I tried using the configuration of cookie token store (
"token-store": "cookie"
) in the wildfly adapter (server side) but no cookie is set in my HTML5/JS
client and it seem no cookie is catched by the wildfly adapter...
Did I missed something ?
Best regards, Jérôme.
Le Mon Dec 22 2014 at 16:24:58, Bill Burke < bburke(a)redhat.com > a écrit :
Servlet adapter already does this.
* 1.0.x Keycloak attaches the token to the Http Session.
* 1.1 Beta+ Keycloak adapter has an option to store the token in a
cookie instead of the HttpSession.
On 12/18/2014 12:07 PM, Jérôme Blanchard wrote:
> Hi all,
>
> Is it possible to configure the servlet adapter to check presence of a
> bearer token in a cookie instead of in a header ?
> This question is about the download file usecase. If the bearer token
> will be placed in a cookie by the javascript client at the same time
> settnig the header, his will ensure that this cookie will be sent by the
> navigator in the case of a download file or a <img> tag that would
> happen outside of a XHR.
>
> Thanks, Best Regards, Jérôme.
>
> Le Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard < jayblanc(a)gmail.com
> <mailto: jayblanc(a)gmail.com >> a écrit :
>
> Hi Stian,
>
> Thanks for your precisions, we have choose to implement the solution
> of a time based password.
> Using a ServletFilter and the Servlet 3.0 HttpRequest.login()
> feature we're able to intercept token from query parameter and
> propagate it to the JAAS stack. A dedicated LoginModule validate
> this token to enforce principal in the EJB SecurityContext and,
> according to this, our custom authorisation system is used ASIS
> without the need to create a hook in the download operation.
> This solution give the advantage to not interfer with the classic
> OAuth authentication in case of using a XHR Header nor a RESTClient
> that programmatically include the bearer token in the request header.
>
> Thanks a lot for your support, Best Regards, Jérôme.
>
>
>
> Le Wed Dec 17 2014 at 09:05:22, Stian Thorgersen < stian(a)redhat.com
> <mailto: stian(a)redhat.com >> a écrit :
>
>
>
> ----- Original Message -----
> > From: "Jérôme Blanchard" < jayblanc(a)gmail.com
> <mailto: jayblanc(a)gmail.com >>
> > To: "Stian Thorgersen" < stian(a)redhat.com
> <mailto: stian(a)redhat.com >>
> > Cc: keycloak-user(a)lists.jboss.org
> <mailto: keycloak-user@lists. j
boss.org >
> > Sent: Tuesday, 16 December, 2014 5:51:37 PM
> > Subject: Re: [keycloak-user] HTML5/JS and download URL.
> >
> > Hi,
> >
> > Thank you for your answer. Sorry for my lake of knowledge in
> OAuth but
> > speaking about generating a temporary token to include in the
> link, what
> > kind of token do you mean and what is the best way to do that
> with Keycloak.
>
> We don't have any support for this at the moment so you would
> have to make it yourself. With regards to token all I mean is a
> something temporary that allows the server to verify the user
> has permissions to download the file.
>
> For example the token could be the base64 encoded signature
> (hmac, rsa or whatever you'd like) of userid,
> timestamp/expiration and file-url. That way the server can
> simply verify the signature on the server-side when the user is
> trying to download the file and check that it matches.
>
> >
> > Best regards, Jérôme.
> >
> > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen < stian(a)redhat.com
> <mailto: stian(a)redhat.com >>:
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Jérôme Blanchard" < jayblanc(a)gmail.com
> <mailto: jayblanc(a)gmail.com >>
> > > > To: keycloak-user(a)lists.jboss.org
> <mailto: keycloak-user@lists. j
boss.org >
> > > > Sent: Monday, 15 December, 2014 3:13:06 PM
> > > > Subject: [keycloak-user] HTML5/JS and download URL.
> > > >
> > > > Hi all,
> > > > We have a use case where an HTML5/Angular application is
> calling a REST
> > > > interface using keycloak for authentication SSO.
> Everything works fine
> > > until
> > > > we need to download files or preview images (using <img>
> tag). In both
> > > case,
> > > > this is the browser which perform the request on the REST
> url and,
> > > because
> > > > of a specific XHR authentication putting the bearer token
> in the
> > > headers, a
> > > > 'classic' browser request for downloading a file result in
an
> > > > UNauthenticated request because of unexisting bearer token.
> > > >
> > > > We're minding if there is a best practice to handle this
> case. We plan to
> > > > include a dedicated token as a download request parameter
> and to check
> > > this
> > > > particular query paramter programmatically in the
> /download JAX-RS
> > > > operation. What kind of token should have to put in the
> query and is
> > > there
> > > > an already existing mechanism to catch such token in
> jax-rs server-side
> > > > operations nor programmatically ?
> > >
> > > We actually had the same issue in our admin console as we
> provide a
> > > download option for the application config. AFAIK there's
> two solutions:
> > >
> > > * Generate a temporary token - basically what you're
> suggesting. There's
> > > two ways you can do this, always generate one and add it to
> the link,
> > > second is to use a redirect that only generates the token
> on demand
> > > * Use XHR to get the file, which allows setting the
> Authorization header,
> > > then use JavaScript to download
> > >
> > > There's currently no direct support for this in Keycloak,
> but it would be
> > > interesting to add.
> > >
> > > >
> > > > Thanks a lot for your support and so good work, Best
> Regards, Jérôme.
> > > >
> > > > ______________________________ _____________________
> > > > keycloak-user mailing list
> > > > keycloak-user(a)lists.jboss.org
> <mailto: keycloak-user@lists. j
boss.org >
> > > >
>
https://lists.jboss.org/__ mai lma__n/listinfo/keycloak- user
> <
https://lists.jboss.org/ mail man/listinfo/keycloak-user >
> > >
> >
>
>
>
> ______________________________ _________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/ mailma n/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
______________________________ _________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/ mailma n/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user