[keycloak-user] WebSockets
pslegr
pslegr at redhat.com
Wed Aug 5 04:50:52 EDT 2015
On 5.8.2015 10:47, Marek Posolda wrote:
> There is also another example
> https://github.com/secondsun/wildfly-secured-websocket , where the client
> is a JavaScript application. It's based on web.xml security and the
> client and server are both in the same web application. Unfortunately I
> don't know if it can work if the client and server are in different
> applications, as it seems that there is no way to add additional HTTP
> headers on the client in the JavaScript WebSocket API (at least according to
> http://stackoverflow.com/questions/4361173/http-headers-in-websockets-client-api
> ). So adding "Authorization: Bearer" looks like a challenge here.
Exactly, same experience here!
I was not able to handle the JS API and intercept with the Authorization
header there.
On the Java client it worked fine.
>
> Marek
>
> On 5.8.2015 09:54, pslegr wrote:
>> Hello Juraci,
>>
>> maybe other Keycloak core devs might have other recommendations;
>> nevertheless, I've put up an example for our project
>> https://github.com/pslegr/pnc/commit/873e875d657215890b9b9aafe93b2138ae946ec5
>> which uses Keycloak to secure the WS endpoint.
>> The point is to intercept the initial HttpRequest and add an
>> Authorization header to it.
>>
>> ...
>> List<String> authHeader = new ArrayList<String>();
>> authHeader.add("Bearer " + authenticate());
>> headers.put("Authorization", authHeader);
>>
>> ...
>>
>> This is done before protocol upgrade into WS/WSS.
>>
>> I don't see any other way of doing this so far....
>>
>> regards
>> Pavel
>>
>> On 4.8.2015 16:44, Juraci Paixão Kröhling wrote:
>>> I'm currently looking into the best way to perform authentication for
>>> WebSockets, and it seems that the best (only?) option so far is to
>>> handle this on the socket's endpoint itself.
>>>
>>> But before I start with some library for the other Hawkular components
>>> to consume, I'd like to ask if there are best practices/recommendations
>>> for doing WebSocket authentication with Keycloak.
>>>
>>> My plan right now is to require the endpoints to inject a service that
>>> would accept a message and session, closing the session on this service
>>> if the login data is not provided (login data == token, sent in the
>>> first message, at least at first).
>>>
>>> Ideas/thoughts?
>>>
>>> - Juca.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
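The first-message approach from the original question (token sent as the first frame, session closed otherwise), which also sidesteps the browser WebSocket API's lack of custom handshake headers, as an added example that is not code from this thread or from Keycloak. `AuthGate`, `verifyToken`, `signDemoToken` and the `{"type":"auth","token":...}` frame shape are hypothetical, `session` is any object with `close(code, reason)`, and the RS256 check against a pinned key is an assumed stand-in for validating against the realm's public key.

```javascript
// Added example (Node.js, no WebSocket library). All names are hypothetical.
const nodeCrypto = require("node:crypto");
const nowSeconds = () => Math.floor(Date.now() / 1000);
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Verify an RS256 JWT against a pinned public key. Returns the claims or null.
function verifyToken(token, publicKey, now = nowSeconds()) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    if (decode(parts[0]).alg !== "RS256") return null; // pin the algorithm, ignore the token's choice
    const signed = Buffer.from(parts[0] + "." + parts[1]);
    const sig = Buffer.from(parts[2], "base64url");
    if (!nodeCrypto.verify("sha256", signed, publicKey, sig)) return null;
    const claims = decode(parts[1]);
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch { return null; } // malformed base64/JSON counts as an invalid token
}

// One gate per WebSocket session: nothing reaches onMessage before authentication.
class AuthGate {
  constructor(session, publicKey, onMessage) {
    Object.assign(this, { session, publicKey, onMessage, claims: null, closed: false });
  }
  reject(reason) {
    this.closed = true;
    this.session.close(1008, reason); // 1008 = policy violation (RFC 6455)
    return false;
  }
  handle(raw, now = nowSeconds()) {
    if (this.closed) return false; // no second attempt on a rejected session
    if (this.claims) {
      // Already authenticated: re-check expiry, because sockets outlive tokens.
      if (this.claims.exp <= now) return this.reject("token expired");
      this.onMessage(raw, this.claims);
      return true;
    }
    let msg = null;
    try { msg = JSON.parse(raw); } catch { /* rejected below */ }
    const claims = msg && msg.type === "auth" ? verifyToken(msg.token, this.publicKey, now) : null;
    if (!claims) return this.reject("authentication required");
    this.claims = claims;
    return true;
  }
}
// Constructed demo helper: issue a token the way an identity provider would.
function signDemoToken(privateKey, claims, alg = "RS256") {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const body = enc({ alg, typ: "JWT" }) + "." + enc(claims);
  return body + "." + nodeCrypto.sign("sha256", Buffer.from(body), privateKey).toString("base64url");
}
```

In a real endpoint, `handle` would be called from the socket's message callback, with a timer that rejects sessions that never send the auth frame.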