[keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header

Sebastien Blanc sblanc at redhat.com
Mon Sep 18 09:50:31 EDT 2017


If you believe it's a bug, please open a detailed JIRA ticket, we will take
a look at it.


On Mon, Sep 18, 2017 at 2:22 PM, Gabriel Lavoie <glavoie at gmail.com> wrote:

> According to the tests added in
> https://github.com/keycloak/keycloak/commit/159b37197335cc56fbb2097086e96f
> c752da9e40,
> when the "access_token" parameter was added, I should be able to reach
> directly a REST endpoint using that query parameter. That does look like a
> bug with the Spring Security adapter.
>
> 2017-09-15 14:17 GMT-04:00 Gabriel Lavoie <glavoie at gmail.com>:
>
> > Hi,
> >      we have one use case where we want to use a access_token URL
> > parameter rather than the Authorization: Bearer header, to allow SSO
> from a
> > mobile app to Safari.
> >
> > KeycloakAuthenticationProcessingFilter.java (
> https://github.com/keycloak/
> > keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/
> > spring-security/src/main/java/org/keycloak/adapters/
> springsecurity/filter/
> > KeycloakAuthenticationProcessingFilter.java), the authentication flow is
> > different when using the query param vs the Authorization header. Any
> > reason for this?
> >
> > - Header: Upon successful authentication, the filter chain is processed
> to
> > the requested page.
> > - Query param: Upon successful authentication, default success handler is
> > called and user is redirected to a target page (/ by default) (first
> > condition of KeycloakAuthenticationProcessingFilter.
> > successfulAuthentication():
> >
> >
> > if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(
> request)))
> > {
> >     super.successfulAuthentication(request, response, chain,
> authResult);
> >     return;
> > }
> >
> > Thanks,
> >
> > Gabriel
> > --
> > Gabriel Lavoie
> > glavoie at gmail.com
> >
>
>
>
> --
> Gabriel Lavoie
> glavoie at gmail.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list