[keycloak-user] Undertow Bearer Token in Cookie

Stian Thorgersen stian at redhat.com
Mon Dec 29 02:38:38 EST 2014


The JS adapter doesn't support this. You could drop using the JS adapter, instead use the WildFly/EAP adapter to secure the html files. As long as you're serving the html files and rest endpoints from the same WAR that'll work with the cookie approach.

----- Original Message -----
> From: "Jérôme Blanchard" <jayblanc at gmail.com>
> To: "Bill Burke" <bburke at redhat.com>, keycloak-user at lists.jboss.org
> Sent: Tuesday, 23 December, 2014 10:03:11 AM
> Subject: Re: [keycloak-user] Undertow Bearer Token in Cookie
> 
> Hi, by mentionning the servlet adapter, you mean the WAR configured using
> web.xml (server side) ? or the client servlet adapter ?
> 
> In our configuration we have a REST API prtoected using the WAR wildfly
> adapter (ensuring EJB auth propagation) and a JS client.
> 
> I tried using the configuration of cookie token store (
> "token-store": "cookie"
> ) in the wildfly adapter (server side) but no cookie is set in my HTML5/JS
> client and it seem no cookie is catched by the wildfly adapter...
> Did I missed something ?
> 
> Best regards, Jérôme.
> 
> Le Mon Dec 22 2014 at 16:24:58, Bill Burke < bburke at redhat.com > a écrit :
> 
> 
> 
> Servlet adapter already does this.
> 
> * 1.0.x Keycloak attaches the token to the Http Session.
> * 1.1 Beta+ Keycloak adapter has an option to store the token in a
> cookie instead of the HttpSession.
> 
> On 12/18/2014 12:07 PM, Jérôme Blanchard wrote:
> > Hi all,
> > 
> > Is it possible to configure the servlet adapter to check presence of a
> > bearer token in a cookie instead of in a header ?
> > This question is about the download file usecase. If the bearer token
> > will be placed in a cookie by the javascript client at the same time
> > settnig the header, his will ensure that this cookie will be sent by the
> > navigator in the case of a download file or a <img> tag that would
> > happen outside of a XHR.
> > 
> > Thanks, Best Regards, Jérôme.
> > 
> > Le Wed Dec 17 2014 at 18:12:35, Jérôme Blanchard < jayblanc at gmail.com
> > <mailto: jayblanc at gmail.com >> a écrit :
> > 
> > Hi Stian,
> > 
> > Thanks for your precisions, we have choose to implement the solution
> > of a time based password.
> > Using a ServletFilter and the Servlet 3.0 HttpRequest.login()
> > feature we're able to intercept token from query parameter and
> > propagate it to the JAAS stack. A dedicated LoginModule validate
> > this token to enforce principal in the EJB SecurityContext and,
> > according to this, our custom authorisation system is used ASIS
> > without the need to create a hook in the download operation.
> > This solution give the advantage to not interfer with the classic
> > OAuth authentication in case of using a XHR Header nor a RESTClient
> > that programmatically include the bearer token in the request header.
> > 
> > Thanks a lot for your support, Best Regards, Jérôme.
> > 
> > 
> > 
> > Le Wed Dec 17 2014 at 09:05:22, Stian Thorgersen < stian at redhat.com
> > <mailto: stian at redhat.com >> a écrit :
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Jérôme Blanchard" < jayblanc at gmail.com
> > <mailto: jayblanc at gmail.com >>
> > > To: "Stian Thorgersen" < stian at redhat.com
> > <mailto: stian at redhat.com >>
> > > Cc: keycloak-user at lists.jboss.org
> > <mailto: keycloak-user at lists. j boss.org >
> > > Sent: Tuesday, 16 December, 2014 5:51:37 PM
> > > Subject: Re: [keycloak-user] HTML5/JS and download URL.
> > > 
> > > Hi,
> > > 
> > > Thank you for your answer. Sorry for my lake of knowledge in
> > OAuth but
> > > speaking about generating a temporary token to include in the
> > link, what
> > > kind of token do you mean and what is the best way to do that
> > with Keycloak.
> > 
> > We don't have any support for this at the moment so you would
> > have to make it yourself. With regards to token all I mean is a
> > something temporary that allows the server to verify the user
> > has permissions to download the file.
> > 
> > For example the token could be the base64 encoded signature
> > (hmac, rsa or whatever you'd like) of userid,
> > timestamp/expiration and file-url. That way the server can
> > simply verify the signature on the server-side when the user is
> > trying to download the file and check that it matches.
> > 
> > > 
> > > Best regards, Jérôme.
> > > 
> > > 2014-12-15 16:49 GMT+01:00 Stian Thorgersen < stian at redhat.com
> > <mailto: stian at redhat.com >>:
> > > > 
> > > > 
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Jérôme Blanchard" < jayblanc at gmail.com
> > <mailto: jayblanc at gmail.com >>
> > > > > To: keycloak-user at lists.jboss.org
> > <mailto: keycloak-user at lists. j boss.org >
> > > > > Sent: Monday, 15 December, 2014 3:13:06 PM
> > > > > Subject: [keycloak-user] HTML5/JS and download URL.
> > > > > 
> > > > > Hi all,
> > > > > We have a use case where an HTML5/Angular application is
> > calling a REST
> > > > > interface using keycloak for authentication SSO.
> > Everything works fine
> > > > until
> > > > > we need to download files or preview images (using <img>
> > tag). In both
> > > > case,
> > > > > this is the browser which perform the request on the REST
> > url and,
> > > > because
> > > > > of a specific XHR authentication putting the bearer token
> > in the
> > > > headers, a
> > > > > 'classic' browser request for downloading a file result in an
> > > > > UNauthenticated request because of unexisting bearer token.
> > > > > 
> > > > > We're minding if there is a best practice to handle this
> > case. We plan to
> > > > > include a dedicated token as a download request parameter
> > and to check
> > > > this
> > > > > particular query paramter programmatically in the
> > /download JAX-RS
> > > > > operation. What kind of token should have to put in the
> > query and is
> > > > there
> > > > > an already existing mechanism to catch such token in
> > jax-rs server-side
> > > > > operations nor programmatically ?
> > > > 
> > > > We actually had the same issue in our admin console as we
> > provide a
> > > > download option for the application config. AFAIK there's
> > two solutions:
> > > > 
> > > > * Generate a temporary token - basically what you're
> > suggesting. There's
> > > > two ways you can do this, always generate one and add it to
> > the link,
> > > > second is to use a redirect that only generates the token
> > on demand
> > > > * Use XHR to get the file, which allows setting the
> > Authorization header,
> > > > then use JavaScript to download
> > > > 
> > > > There's currently no direct support for this in Keycloak,
> > but it would be
> > > > interesting to add.
> > > > 
> > > > > 
> > > > > Thanks a lot for your support and so good work, Best
> > Regards, Jérôme.
> > > > > 
> > > > > ______________________________ _____________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > <mailto: keycloak-user at lists. j boss.org >
> > > > > 
> > https://lists.jboss.org/__ mai lma__n/listinfo/keycloak- user
> > < https://lists.jboss.org/ mail man/listinfo/keycloak-user >
> > > > 
> > > 
> > 
> > 
> > 
> > ______________________________ _________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/ mailma n/listinfo/keycloak-user
> > 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> ______________________________ _________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/ mailma n/listinfo/keycloak-user
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



More information about the keycloak-user mailing list