[keycloak-dev] Websocket, CORS, Keycloak
Bill Burke
bburke at redhat.com
Tue Oct 8 12:51:15 EDT 2013
Looks like you cannot specify additional headers when creating a
WebSocket connection:

http://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api

I can't find yet if cookies are supposed to be sent with the initial
HTTP Upgrade request. I think they should be sent by the browser.

Another option is to include the token within the URL, but this is a
security hole: Access logs store URLs, and you won't want to transmit
tokens over insecure ws: connections.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
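
Added example, not part of the original message and not Keycloak code: a server-side check on the WebSocket HTTP Upgrade request that takes the credential from the Cookie header, refuses tokens carried in the URL or over plain ws:, and redacts token values before the URL is logged. The cookie name, the query parameter names, the `req` shape and the function names are assumptions made for illustration.

```javascript
// Added example: decide how to authenticate a WebSocket upgrade request.
// SESSION_COOKIE, TOKEN_PARAMS and all function names are hypothetical.
const SESSION_COOKIE = "SESSION";               // assumed cookie name
const TOKEN_PARAMS = ["access_token", "token"]; // assumed query parameter names

// Parse a Cookie header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Replace token values in a request URL so the access log never stores them.
function redactUrl(rawUrl) {
  const u = new URL(rawUrl, "http://placeholder.invalid");
  for (const name of TOKEN_PARAMS) {
    if (u.searchParams.has(name)) u.searchParams.set(name, "REDACTED");
  }
  return u.pathname + u.search;
}

// req: { url, headers, secure } as the server sees the HTTP Upgrade request.
// Returns the decision plus the URL form that is safe to write to a log.
function checkUpgrade(req) {
  const logUrl = redactUrl(req.url);
  const u = new URL(req.url, "http://placeholder.invalid");
  if (TOKEN_PARAMS.some((n) => u.searchParams.has(n))) {
    return { accept: false, reason: "token in URL", logUrl };
  }
  if (!req.secure) {
    return { accept: false, reason: "insecure ws: connection", logUrl };
  }
  const session = parseCookies(req.headers.cookie)[SESSION_COOKIE];
  if (!session) return { accept: false, reason: "no session cookie", logUrl };
  return { accept: true, session, logUrl };
}
```

Redaction here only covers the application's own log line; a proxy or load balancer in front of the server writes its own access log and would still record the raw URL.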