[keycloak-user] WebSockets
Stian Thorgersen
stian at redhat.com
Tue Aug 11 01:23:46 EDT 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 10 August, 2015 4:10:36 PM
> Subject: Re: [keycloak-user] WebSockets
>
>
>
> On 8/10/2015 9:48 AM, Juraci Paixão Kröhling wrote:
> > On 08/10/2015 03:26 PM, Bill Burke wrote:
> >> Once the WeBSocket is established there is
> >> actually no reason to resend the token as the connection/socket remains
> >> open. HTTP requests are different. They need to retransmit the token
> >> because HTTP is connectionless and assumes every request is a different
> >> connection. For browser apps, logout can be handled in the regular way
> >> with keycloak.js. Non-browser apps can just rely on non-browser means.
> >>
> >> All the server needs is a way to validate and unpack the token. Refresh
> >> should be handled at the client side through keycloak.js or some other
> >> oauth library. For bearer token auth, it is not the responsibility of
> >> the server to manage the token.
> >
> > Not sure I get it. Are you saying that my server endpoint should trust
> > that the client will close the connection once the token expires/is
> > invalidated?
> >
>
> I didn't say that. You just don't have to retransmit the token every
> request because in WebSockets the connection is already established.
>
> You are going to have to rely on the client to get a new token and
> reconnect. Keycloak can't support every single pet protocol implemented
> on top of WebSockets. We can only offer token validation on HTTP
> Upgrade out-of-the-box plus an API to unpack and validate a token.
> Anything more and you'll have to implement it yourself.
>
> IMO, abort with an error code, the client destroys the WebSocket,
> refreshes the token via OAuth, and reestablishes the WebSocket. Its
> the simplest way and we can provide support for it OOTB with Keycloak's
> adapter lib. Otherwise you'll have to implement anything more complex
> yourself.
I know there's no standard protocol, but I still think the token should be sent through the socket itself not as part of the url. I don't like sending it as the url for one, secondly having to drop and re-create the socket every time the token expires negates the purpose of web sockets somewhat.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
More information about the keycloak-user
mailing list