[keycloak-user] HTML5/JS and download URL.
Stian Thorgersen
stian at redhat.com
Mon Dec 15 10:49:12 EST 2014
----- Original Message -----
> From: "Jérôme Blanchard" <jayblanc at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 15 December, 2014 3:13:06 PM
> Subject: [keycloak-user] HTML5/JS and download URL.
>
> Hi all,
> We have a use case where an HTML5/Angular application is calling a REST
> interface using keycloak for authentication SSO. Everything works fine until
> we need to download files or preview images (using <img> tag). In both case,
> this is the browser which perform the request on the REST url and, because
> of a specific XHR authentication putting the bearer token in the headers, a
> 'classic' browser request for downloading a file result in an
> UNauthenticated request because of unexisting bearer token.
>
> We're minding if there is a best practice to handle this case. We plan to
> include a dedicated token as a download request parameter and to check this
> particular query paramter programmatically in the /download JAX-RS
> operation. What kind of token should have to put in the query and is there
> an already existing mechanism to catch such token in jax-rs server-side
> operations nor programmatically ?
We actually had the same issue in our admin console as we provide a download option for the application config. AFAIK there's two solutions:
* Generate a temporary token - basically what you're suggesting. There's two ways you can do this, always generate one and add it to the link, second is to use a redirect that only generates the token on demand
* Use XHR to get the file, which allows setting the Authorization header, then use JavaScript to download
There's currently no direct support for this in Keycloak, but it would be interesting to add.
>
> Thanks a lot for your support and so good work, Best Regards, Jérôme.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list