[keycloak-user] WebSockets

Marek Posolda mposolda at redhat.com
Wed Aug 5 09:39:07 EDT 2015


On 5.8.2015 15:04, Juraci Paixão Kröhling wrote:
> On 08/05/2015 01:52 PM, Marek Posolda wrote:
>> Doing it at the beginning of the connection might be easy. We may just need
>> to add support to adapters for authentication via bearer token sent in a
>> URL query parameter or in the POST body. There is also a spec for it:
>> http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param
>
> The main problem with this is that a token might be valid at the time 
> the connection is made, but might not be valid after some time, while 
> the socket is still open. So, a socket that was opened with a 
> session that just expired would still be open.
>
> Perhaps undertow provides something that would allow the adapter to 
> close sockets whose tokens are not valid anymore?
No idea, may require further investigation.

It would be cool if we had something like our iframe in keycloak.js to 
easily detect logout and close the socket based on it. Maybe it's 
possible for the server to poll the client socket and ask for an updated 
token from the client periodically. I am not sure about the possible and 
best option TBH (I don't have deep WebSocket knowledge).

Marek
> - Juca.


