[keycloak-user] Undertow Bearer Token in Cookie

Bill Burke bburke at redhat.com
Mon Dec 22 10:24:48 EST 2014


Servlet adapter already does this.

* 1.0.x Keycloak attaches the token to the Http Session.
* 1.1 Beta+ Keycloak adapter has an option to store the token in a 
cookie instead of the HttpSession.

On 12/18/2014 12:07 PM, Jérôme Blanchard wrote:
> Hi all,
>
> Is it possible to configure the servlet adapter to check presence of a
> bearer token in a cookie instead of in a header ?
> This question is about the download file usecase. If the bearer token
> will be placed in a cookie by the javascript client at the same time
> settnig the header, his will ensure that this cookie will be sent by the
> navigator in the case of a download file or a <img> tag that would
> happen outside of a XHR.
>
> Thanks, Best Regards, Jérôme.
>
> Le Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard <jayblanc at gmail.com
> <mailto:jayblanc at gmail.com>> a écrit :
>
>     Hi Stian,
>
>     Thanks for your precisions, we have choose to implement the solution
>     of a time based password.
>     Using a ServletFilter and the Servlet 3.0 HttpRequest.login()
>     feature we're able to intercept token from query parameter and
>     propagate it to the JAAS stack. A dedicated LoginModule validate
>     this token to enforce principal in the EJB SecurityContext and,
>     according to this, our custom authorisation system is used ASIS
>     without the need to create a hook in the download operation.
>     This solution give the advantage to not interfer with the classic
>     OAuth authentication in case of using a XHR Header nor a RESTClient
>     that programmatically include the bearer token in the request header.
>
>     Thanks a lot for your support, Best Regards, Jérôme.
>
>
>
>     Le Wed Dec 17 2014 at 09:05:22, Stian Thorgersen <stian at redhat.com
>     <mailto:stian at redhat.com>> a écrit :
>
>
>
>         ----- Original Message -----
>          > From: "Jérôme Blanchard" <jayblanc at gmail.com
>         <mailto:jayblanc at gmail.com>>
>          > To: "Stian Thorgersen" <stian at redhat.com
>         <mailto:stian at redhat.com>>
>          > Cc: keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>          > Sent: Tuesday, 16 December, 2014 5:51:37 PM
>          > Subject: Re: [keycloak-user] HTML5/JS and download URL.
>          >
>          > Hi,
>          >
>          > Thank you for your answer. Sorry for my lake of knowledge in
>         OAuth but
>          > speaking about generating a temporary token to include in the
>         link, what
>          > kind of token do you mean and what is the best way to do that
>         with Keycloak.
>
>         We don't have any support for this at the moment so you would
>         have to make it yourself. With regards to token all I mean is a
>         something temporary that allows the server to verify the user
>         has permissions to download the file.
>
>         For example the token could be the base64 encoded signature
>         (hmac, rsa or whatever you'd like) of userid,
>         timestamp/expiration and file-url. That way the server can
>         simply verify the signature on the server-side when the user is
>         trying to download the file and check that it matches.
>
>          >
>          > Best regards, Jérôme.
>          >
>          > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen <stian at redhat.com
>         <mailto:stian at redhat.com>>:
>          > >
>          > >
>          > >
>          > > ----- Original Message -----
>          > > > From: "Jérôme Blanchard" <jayblanc at gmail.com
>         <mailto:jayblanc at gmail.com>>
>          > > > To: keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>          > > > Sent: Monday, 15 December, 2014 3:13:06 PM
>          > > > Subject: [keycloak-user] HTML5/JS and download URL.
>          > > >
>          > > > Hi all,
>          > > > We have a use case where an HTML5/Angular application is
>         calling a REST
>          > > > interface using keycloak for authentication SSO.
>         Everything works fine
>          > > until
>          > > > we need to download files or preview images (using <img>
>         tag). In both
>          > > case,
>          > > > this is the browser which perform the request on the REST
>         url and,
>          > > because
>          > > > of a specific XHR authentication putting the bearer token
>         in the
>          > > headers, a
>          > > > 'classic' browser request for downloading a file result in an
>          > > > UNauthenticated request because of unexisting bearer token.
>          > > >
>          > > > We're minding if there is a best practice to handle this
>         case. We plan to
>          > > > include a dedicated token as a download request parameter
>         and to check
>          > > this
>          > > > particular query paramter programmatically in the
>         /download JAX-RS
>          > > > operation. What kind of token should have to put in the
>         query and is
>          > > there
>          > > > an already existing mechanism to catch such token in
>         jax-rs server-side
>          > > > operations nor programmatically ?
>          > >
>          > > We actually had the same issue in our admin console as we
>         provide a
>          > > download option for the application config. AFAIK there's
>         two solutions:
>          > >
>          > > * Generate a temporary token - basically what you're
>         suggesting. There's
>          > > two ways you can do this, always generate one and add it to
>         the link,
>          > > second is to use a redirect that only generates the token
>         on demand
>          > > * Use XHR to get the file, which allows setting the
>         Authorization header,
>          > > then use JavaScript to download
>          > >
>          > > There's currently no direct support for this in Keycloak,
>         but it would be
>          > > interesting to add.
>          > >
>          > > >
>          > > > Thanks a lot for your support and so good work, Best
>         Regards, Jérôme.
>          > > >
>          > > > ___________________________________________________
>          > > > keycloak-user mailing list
>          > > > keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>          > > >
>         https://lists.jboss.org/__mailma__n/listinfo/keycloak-user
>         <https://lists.jboss.org/mailman/listinfo/keycloak-user>
>          > >
>          >
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-user mailing list