[keycloak-dev] WebSocket integration

Bill Burke bburke at redhat.com
Fri Jan 16 14:26:38 EST 2015


It doesn't look like you can send any header with the HTTP Upgrade 
request done by the browser.  It could be done by sending the token with 
the WebSocket connect url as a query param.  This would have to be a 
one-off highly constrained token though.

On 1/16/2015 12:26 PM, Pedro Igor Silva wrote:
> Some time ago Shane and I were investigating WebSocket security using PicketLink [1] and JEE. Especially when using CDI [2].
>
> Some references:
>
> [1] https://issues.jboss.org/browse/PLINK-628
> [2] https://issues.jboss.org/browse/CDI-370
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, January 16, 2015 2:42:13 PM
> Subject: Re: [keycloak-dev] WebSocket integration
>
> Single page app would work with cookie and server side adapter.  I don't
> know how it would work with javascript.  You'd have to send the token
> with the HTTP Upgrade request.
>
> On 1/16/2015 11:31 AM, Juraci Paixão Kröhling wrote:
>> All,
>>
>> I'm investigating the possibility of protecting a WebSocket endpoint
>> with Keycloak and I found out that it works out of the box with
>> cookie-based authentication, meaning, the web page that opens the web
>> socket client should itself be protected, so that the cookie is sent
>> on the WebSocket request and authentication is made (confidential).
>>
>> In my target scenario, however, the web page is a single-page app
>> (public) talking with a backend (bearer-only) in another host.
>>
>> So, I'd like to know if there's anything planned on the WebSockets
>> front for such scenario. For instance, a JavaScript utility that
>> handles the setup of the socket (either with a custom protocol, or an
>> initial message with the bearer token, or another alternative) and a
>> server counterpart for this.
>>
>> If there isn't yet, I'll probably have some time to explore this.
>>
>> - Juca.
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

