[keycloak-dev] Cookie support for Jax-RS filter
Lukasz Lech
l.lech at ringler.ch
Mon Jul 30 04:17:56 EDT 2018
Hello,
I'm rewriting my Java app, secured 'classically' using session-stored credentials, to use Keycloak. My app is an AJAX client with a REST channel implemented using JAX-RS, so I've picked up keycloak-jaxrs-oauth-client and JaxrsBearerTokenFilterImpl. However, I have one place which I can't secure that way (or I don't see the way to do it): URLs that produce binary resources, available as direct downloads (window.open) and images (within an img tag). I can't instruct the browser to add the Authorization token in that place; however, the classical cookie approach would work.
I can't find a way to use cookies with the given filter, but I see that BearerTokenRequestAuthenticator is already made extensible (it has a QueryParam implementation); however, JaxrsBearerTokenFilterImpl doesn't give a way to choose the implementation.
Have there been any attempts at an (optional) cookie-based approach?
If the change was made to the bearerAuthentication method to replace

    BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(resolvedDeployment);

with

    BearerTokenRequestAuthenticator authenticator = createBearerTokenRequestAuthenticator(resolvedDeployment);

I would be free to change the implementation of that method in my custom class with the strategy of my choice (either a pure cookie-based strategy, or use the cookie only when no Authorization header is present).
Is such a change request a reasonable approach that could be accepted into the community code base?
Best regards,
Lukasz Lech
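
The "cookie only when no Authorization header is present" strategy from the message above, as an added example that is not part of the original post and not Keycloak code. The class name TokenResolver, the cookie name APP_ACCESS_TOKEN and the restriction of the cookie path to GET/HEAD are assumptions; the restriction is added because browsers attach cookies automatically, including to cross-site requests.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper (not a Keycloak class): picks the token string to validate. */
public final class TokenResolver {
    // Assumed cookie name; the post does not name one.
    static final String COOKIE_NAME = "APP_ACCESS_TOKEN";
    // Cookies are ambient credentials, so the fallback is limited to read-only
    // methods such as the <img> and window.open downloads the post describes.
    private static final Set<String> COOKIE_METHODS = Set.of("GET", "HEAD");

    static Optional<String> resolve(String method, String authorization,
                                    Map<String, String> cookies) {
        if (authorization != null) {
            String[] parts = authorization.trim().split("\\s+");
            if (parts.length == 2 && parts[0].equalsIgnoreCase("Bearer")) {
                return Optional.of(parts[1]);
            }
            // A header is present but is not a usable bearer token:
            // fail here instead of silently switching to the cookie.
            return Optional.empty();
        }
        if (!COOKIE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return Optional.empty();
        }
        String value = cookies.get(COOKIE_NAME);
        return (value == null || value.isEmpty()) ? Optional.empty() : Optional.of(value);
    }

    public static void main(String[] args) {
        // Constructed sample requests; token strings are placeholders.
        Map<String, String> jar = Map.of(COOKIE_NAME, "cookie-token");
        // AJAX call carrying the header: the header wins over the cookie.
        System.out.println(resolve("POST", "Bearer header-token", jar));
        // <img> or window.open download: no header, cookie is used.
        System.out.println(resolve("GET", null, jar));
        // State-changing request with only a cookie: no token is accepted.
        System.out.println(resolve("POST", null, jar));
        // Non-bearer Authorization header: no fallback to the cookie.
        System.out.println(resolve("GET", "Basic dXNlcjpwdw==", jar));
    }
}
```

The returned string still has to go through the same signature, expiry and audience checks as a token taken from the header. In a JAX-RS filter the three inputs correspond to ContainerRequestContext.getMethod(), getHeaderString("Authorization") and getCookies().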