[keycloak-user] Undertow Bearer Token in Cookie
Bill Burke
bburke at redhat.com
Mon Dec 22 10:24:48 EST 2014
Servlet adapter already does this.
* 1.0.x Keycloak attaches the token to the HttpSession.
* 1.1 Beta+ Keycloak adapter has an option to store the token in a
cookie instead of the HttpSession.
On 12/18/2014 12:07 PM, Jérôme Blanchard wrote:
> Hi all,
>
> Is it possible to configure the servlet adapter to check for the presence of a
> bearer token in a cookie instead of in a header?
> This question is about the file download use case. If the bearer token
> is placed in a cookie by the JavaScript client at the same time as
> setting the header, this will ensure that the cookie is sent by the
> browser in the case of a file download or an <img> tag that would
> happen outside of an XHR.
>
> Thanks, Best Regards, Jérôme.
>
> On Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <jayblanc at gmail.com> wrote:
>
> Hi Stian,
>
> Thanks for your clarifications; we have chosen to implement the solution
> of a time-based password.
> Using a ServletFilter and the Servlet 3.0 HttpRequest.login()
> feature we're able to intercept the token from a query parameter and
> propagate it to the JAAS stack. A dedicated LoginModule validates
> this token to enforce the principal in the EJB SecurityContext and,
> according to this, our custom authorisation system is used as-is
> without the need to create a hook in the download operation.
> This solution has the advantage of not interfering with the classic
> OAuth authentication in the case of an XHR header or a REST client
> that programmatically includes the bearer token in the request header.
>
> Thanks a lot for your support, Best Regards, Jérôme.
>
>
>
> On Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <stian at redhat.com> wrote:
>
>
>
> ----- Original Message -----
> > From: "Jérôme Blanchard" <jayblanc at gmail.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-user at lists.jboss.org
> > Sent: Tuesday, 16 December, 2014 5:51:37 PM
> > Subject: Re: [keycloak-user] HTML5/JS and download URL.
> >
> > Hi,
> >
> > Thank you for your answer. Sorry for my lack of knowledge in OAuth but,
> > speaking about generating a temporary token to include in the link, what
> > kind of token do you mean and what is the best way to do that with Keycloak?
>
> We don't have any support for this at the moment so you would
> have to make it yourself. With regard to the token, all I mean is
> something temporary that allows the server to verify the user
> has permissions to download the file.
>
> For example the token could be the base64 encoded signature
> (hmac, rsa or whatever you'd like) of userid,
> timestamp/expiration and file-url. That way the server can
> simply verify the signature on the server-side when the user is
> trying to download the file and check that it matches.
>
> >
> > Best regards, Jérôme.
> >
> > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian at redhat.com>:
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Jérôme Blanchard" <jayblanc at gmail.com>
> > > > To: keycloak-user at lists.jboss.org
> > > > Sent: Monday, 15 December, 2014 3:13:06 PM
> > > > Subject: [keycloak-user] HTML5/JS and download URL.
> > > >
> > > > Hi all,
> > > > We have a use case where an HTML5/Angular application is calling a REST
> > > > interface using Keycloak for authentication SSO. Everything works fine until
> > > > we need to download files or preview images (using an <img> tag). In both
> > > > cases, it is the browser which performs the request on the REST URL and,
> > > > because of a specific XHR authentication putting the bearer token in the
> > > > headers, a 'classic' browser request for downloading a file results in an
> > > > UNauthenticated request because of the nonexistent bearer token.
> > > >
> > > > We're wondering if there is a best practice to handle this case. We plan to
> > > > include a dedicated token as a download request parameter and to check this
> > > > particular query parameter programmatically in the /download JAX-RS
> > > > operation. What kind of token should we put in the query, and is there
> > > > an already existing mechanism to catch such a token in JAX-RS server-side
> > > > operations, or programmatically?
> > >
> > > We actually had the same issue in our admin console as we provide a
> > > download option for the application config. AFAIK there are two solutions:
> > >
> > > * Generate a temporary token - basically what you're suggesting. There are
> > > two ways you can do this: always generate one and add it to the link, or
> > > use a redirect that only generates the token on demand
> > > * Use XHR to get the file, which allows setting the Authorization header,
> > > then use JavaScript to download
> > >
> > > There's currently no direct support for this in Keycloak, but it would be
> > > interesting to add.
> > >
> > > >
> > > > Thanks a lot for your support and so good work, Best Regards, Jérôme.
> > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
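The "temporary token" Stian sketches above (a signature over userid, expiration and file-url, base64 encoded, verified server-side before the download is served) in working form. This is an added example for this archived thread, not Keycloak code and not what Jérôme or Stian posted; the token layout (base64url payload, a dot, base64url HMAC-SHA256 tag), the '|'-separated payload, the hard-coded key and the sample user/file values are all assumptions made for the example.

```python
"""Signed, expiring download token: an added example, not Keycloak code.

Assumed layout (not from the thread): base64url(userid|expires|file-url)
followed by '.' and base64url(HMAC-SHA256 over that payload).
"""
import base64
import binascii
import hashlib
import hmac
import time

# Constructed key for the example only; a real server loads it from
# configuration and rotates it, and never ships it in source.
SECRET_KEY = b"example-only-secret-do-not-use"


def _b64e(data: bytes) -> str:
    """base64url without '=' padding, so the token is URL-safe as a query value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_download_token(user_id: str, file_url: str, ttl_seconds: int,
                         now=None, key: bytes = SECRET_KEY) -> str:
    """Bind user, file and expiry together under one HMAC tag.

    Binding the file URL into the signed payload is what stops a token
    minted for one file from being replayed against another.
    """
    now = int(time.time()) if now is None else int(now)
    if "|" in user_id or "|" in file_url:
        # '|' is the field separator; a value containing it could shift the
        # field boundaries on parse, so refuse rather than escape.
        raise ValueError("'|' is reserved as the payload field separator")
    payload = f"{user_id}|{now + ttl_seconds}|{file_url}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_download_token(token: str, requested_url: str,
                          now=None, key: bytes = SECRET_KEY):
    """Return the user id the token was issued to, or None if it must be rejected.

    Order matters: check the MAC before trusting any field of the payload,
    then expiry, then that the file in the token is the file being requested.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered payload; constant-time compare
    try:
        user_id, expires_str, file_url = payload.decode("utf-8").split("|")
        expires = int(expires_str)
    except ValueError:
        return None  # signed by us but not a payload we would have produced
    if now >= expires:
        return None  # expired
    if file_url != requested_url:
        return None  # valid token, but for a different file
    return user_id


if __name__ == "__main__":
    # Constructed sample values; the fixed clock keeps the run reproducible.
    t = issue_download_token("alice", "/api/files/42", ttl_seconds=300, now=1_000_000)
    print(t)
    print(verify_download_token(t, "/api/files/42", now=1_000_100))  # alice
    print(verify_download_token(t, "/api/files/43", now=1_000_100))  # None
    print(verify_download_token(t, "/api/files/42", now=1_000_300))  # None
```

The server appends the token to the download link (for example as a query parameter, as Jérôme's filter expects) and calls verify_download_token with the path actually requested, not with a path taken from the token. Because the token travels in the URL it will show up in access logs, browser history and Referer headers, which is the reason to keep the TTL short and to bind it to a single file rather than to "any file this user may read".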