[keycloak-user] OIDC access_token URL parameter rather than Bearer Authentication header

Gabriel Lavoie glavoie at gmail.com
Mon Sep 18 13:19:54 EDT 2017


Hi Sebastien,
     I will, when a PR is ready to submit. I must fix this for a new use
case we have.

Gabriel

2017-09-18 9:50 GMT-04:00 Sebastien Blanc <sblanc at redhat.com>:

> If you believe it's a bug, please open a detailed JIRA ticket, we will
> take a look at it.
>
>
> On Mon, Sep 18, 2017 at 2:22 PM, Gabriel Lavoie <glavoie at gmail.com> wrote:
>
>> According to the tests added in
>> https://github.com/keycloak/keycloak/commit/159b37197335cc56fbb2097086e96fc752da9e40,
>> when the "access_token" parameter was added, I should be able to reach
>> a REST endpoint directly using that query parameter. That does look like a
>> bug with the Spring Security adapter.
>>
>> 2017-09-15 14:17 GMT-04:00 Gabriel Lavoie <glavoie at gmail.com>:
>>
>> > Hi,
>> >      we have one use case where we want to use an access_token URL
>> > parameter rather than the Authorization: Bearer header, to allow SSO from a
>> > mobile app to Safari.
>> >
>> > KeycloakAuthenticationProcessingFilter.java (
>> > https://github.com/keycloak/keycloak/blob/2cadf0a2602065c32140de5c1c7394900ae55a65/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.java),
>> > the authentication flow is different when using the query param vs the
>> > Authorization header. Any reason for this?
>> >
>> > - Header: Upon successful authentication, the filter chain is processed to
>> > the requested page.
>> > - Query param: Upon successful authentication, the default success handler is
>> > called and the user is redirected to a target page (/ by default) (first
>> > condition of KeycloakAuthenticationProcessingFilter.successfulAuthentication()):
>> >
>> >
>> > if (!(this.isBearerTokenRequest(request) || this.isBasicAuthRequest(request))) {
>> >     super.successfulAuthentication(request, response, chain, authResult);
>> >     return;
>> > }
>> >
>> > Thanks,
>> >
>> > Gabriel
>> > --
>> > Gabriel Lavoie
>> > glavoie at gmail.com
>> >
>>
>>
>>
>> --
>> Gabriel Lavoie
>> glavoie at gmail.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>


-- 
Gabriel Lavoie
glavoie at gmail.com
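The behaviour Gabriel describes is decided in the quoted successfulAuthentication() check: a request whose token came in an Authorization: Bearer header continues down the filter chain, while one whose token came in the access_token query parameter falls through to the Spring default success handler and gets redirected. The following is an added example, not code from the thread or from the Keycloak project, showing how an application could make the query-parameter case take the same path as the Bearer case by subclassing the adapter filter. It assumes the single-argument KeycloakAuthenticationProcessingFilter constructor, that isBearerTokenRequest() and isBasicAuthRequest() (both used in the quoted snippet) are callable from a subclass, and that the adapter reads the parameter via the servlet request; the class name, the isQueryTokenRequest() helper and the parameter-name constant are hypothetical.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical subclass (example code, not part of Keycloak) that makes a
 * request carrying an access_token query parameter behave, on success, like a
 * request carrying a Bearer header: the chain continues to the requested
 * resource instead of redirecting to the success handler's target URL.
 */
public class QueryTokenAwareKeycloakFilter extends KeycloakAuthenticationProcessingFilter {

    // Parameter name discussed in the thread; kept in one place for clarity.
    private static final String ACCESS_TOKEN_PARAM = "access_token";

    public QueryTokenAwareKeycloakFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager);
    }

    /**
     * True only when the token arrived in the query parameter and not in an
     * Authorization header, so header-based requests keep the adapter's logic.
     * Note: getParameter() also sees form-encoded POST bodies; tighten to
     * request.getQueryString() if only true URL parameters should qualify.
     */
    protected boolean isQueryTokenRequest(HttpServletRequest request) {
        if (isBearerTokenRequest(request) || isBasicAuthRequest(request)) {
            return false;
        }
        String token = request.getParameter(ACCESS_TOKEN_PARAM);
        return token != null && !token.isEmpty();
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain chain,
                                            Authentication authResult)
            throws IOException, ServletException {
        if (!isQueryTokenRequest(request)) {
            // Bearer, Basic and non-token requests: unchanged adapter behaviour.
            super.successfulAuthentication(request, response, chain, authResult);
            return;
        }
        // Same outcome the adapter gives a Bearer request: expose the
        // authentication for this request and let the chain reach the endpoint
        // that was actually requested, rather than redirecting to "/".
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}
```

Register this class in place of the stock filter in the Spring Security configuration. Two caveats a reviewer would raise for the mobile-app-to-Safari handoff: a token in the query string is written to server and proxy access logs, browser history and outbound Referer headers, so the token should be short-lived and the parameter accepted only on the specific handoff path; and the filter still relies on the adapter to validate the token itself, so this subclass only changes what happens after validation succeeds.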

