[keycloak-user] WebSockets
Bill Burke
bburke at redhat.com
Wed Aug 5 11:27:39 EDT 2015
On 8/5/2015 9:04 AM, Juraci Paixão Kröhling wrote:
> On 08/05/2015 01:52 PM, Marek Posolda wrote:
>> Doing at the beginning of the connection might be easy. We may just need
>> to add support to adapters for authentication via bearer token sent in
>> URL query parameter or in the POST body. There are also specs for it:
>> http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param
>
> The main problem with this is that a token might be valid at the time
> the connection is made, but might not be valid after some time, while
> the socket is still opened. So, a socket that was opened with a session
> that just expired would still be open.
>
> Perhaps undertow provides something that would allow the adapter to
> close sockets whose tokens are not valid anymore?
>
In most cases, a logout can be covered in a browser app that uses
keycloak.js. When the browser app detects a logout it just closes all
websocket connections.
Keycloak is not going to secure each individual websocket request as
this communication is all proprietary. It's up to you guys to transmit
and validate the token in your own protocol. Keycloak can only transmit
and validate the token on the initial connect, as that is standardized.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com