[keycloak-user] Authenticate websocket communication
Benke, Tim
Tim.Benke at comlineag.de
Mon May 14 06:19:55 EDT 2018
Hello,
I’m trying out how to secure the websocket communication between a SPA and a Spring Java backend. According to the specification it’s not possible to set the authorization header in the initial HTTP communication. Instead it’s often suggested to perform authentication and authorization in the STOMP communication afterwards.
I looked a bit at keycloak’s spring security adapter, but it seems to be very focused on the HttpFacade and I’m wondering if the right way forward is to fake this interface for STOMP or somehow re-implement something that validates the token similarly.
Here’s a link to Spring’s docs that leaves open the part about using the token from STOMP’s headers:
https://github.com/spring-projects/spring-framework/blob/master/src/docs/asciidoc/web/websocket.adoc#token-authentication
Here’s a stackoverflow question about the problem. I’m not very fond of the alternative to send the token in the request’s URL as a query parameter, but it is indeed working correctly:
https://stackoverflow.com/questions/30887788/json-web-token-jwt-with-spring-based-sockjs-stomp-web-socket/39456274#39456274
Best regards,
Tim Benke
More information about the keycloak-user
mailing list