[keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header

Gabriel Lavoie glavoie at gmail.com
Mon Sep 18 08:22:02 EDT 2017


According to the tests added in
https://github.com/keycloak/keycloak/commit/159b37197335cc56fbb2097086e96fc752da9e40,
when the "access_token" parameter was added, I should be able to reach
directly a REST endpoint using that query parameter. That does look like a
bug with the Spring Security adapter.

2017-09-15 14:17 GMT-04:00 Gabriel Lavoie <glavoie at gmail.com>:

> Hi,
>      we have one use case where we want to use a access_token URL
> parameter rather than the Authorization: Bearer header, to allow SSO from a
> mobile app to Safari.
>
> KeycloakAuthenticationProcessingFilter.java (https://github.com/keycloak/
> keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/
> spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/
> KeycloakAuthenticationProcessingFilter.java), the authentication flow is
> different when using the query param vs the Authorization header. Any
> reason for this?
>
> - Header: Upon successful authentication, the filter chain is processed to
> the requested page.
> - Query param: Upon successful authentication, default success handler is
> called and user is redirected to a target page (/ by default) (first
> condition of KeycloakAuthenticationProcessingFilter.
> successfulAuthentication():
>
>
> if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request)))
> {
>     super.successfulAuthentication(request, response, chain, authResult);
>     return;
> }
>
> Thanks,
>
> Gabriel
> --
> Gabriel Lavoie
> glavoie at gmail.com
>



-- 
Gabriel Lavoie
glavoie at gmail.com


More information about the keycloak-user mailing list