Description
The bearer token seems to be expected in the Authorization header only. It is worth noting that not all applications conform to the use of Authorization headers. For example, some applications, such as Spring Boot apps, use both Authorization headers and the URL request query parameter access_token, and some even use cookies.
Motivation
The current situation limits the flexibility and interoperability of applications that communicate with each other via REST API. Solving this problem will make it easier for developers to specify the areas to look for the token that suit their specific needs. Otherwise, it can be a lot of work having to rewrite applications that depend on the application based on Node Keycloak to force them to use Authorization headers for bearer tokens.
Details
This can be implemented as configurations which allow a developer to specify the part of the request where the token should be extracted from, and that can be:
The name of the header; some may want to use custom headers, and the default could be Authorization.
Discussion
https://github.com/keycloak/keycloak-nodejs-connect/issues/349
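A sketch of the configurable extraction requested above, as an added example that is not keycloak-connect code or part of the original issue. The option names (`header`, `queryParam`, `cookie`) and the function `extractBearerToken` are hypothetical, and the non-header locations are opt-in. Rejecting a request that carries a token in more than one location follows RFC 6750 section 2, which forbids clients from using more than one method per request; extending that rule to cookies is a choice made for this example.

```javascript
'use strict';

// Hypothetical option names; not part of keycloak-connect's configuration.
const DEFAULTS = { header: 'authorization', queryParam: null, cookie: null };

// Parse a Cookie header into a null-prototype map (first occurrence wins).
function parseCookies(headerValue) {
  const jar = Object.create(null);
  for (const part of (headerValue || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    if (!(name in jar)) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Returns { token, source }, or { error } when the token is missing or ambiguous.
// req only needs Node's usual shape: lower-cased req.headers and req.url.
function extractBearerToken(req, options = {}) {
  const cfg = { ...DEFAULTS, ...options };
  const found = [];

  // Configured header: this example still requires the "Bearer" scheme.
  const raw = cfg.header && req.headers[cfg.header.toLowerCase()];
  if (typeof raw === 'string') {
    const m = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(raw.trim());
    if (m) found.push({ token: m[1], source: 'header' });
  }
  // Query parameter: only read when explicitly enabled.
  if (cfg.queryParam) {
    const values = new URL(req.url, 'http://localhost').searchParams.getAll(cfg.queryParam);
    if (values.length > 1) return { error: 'duplicate_query_param' };
    if (values.length === 1 && values[0]) found.push({ token: values[0], source: 'query' });
  }
  // Cookie: only read when explicitly enabled.
  if (cfg.cookie) {
    const value = parseCookies(req.headers.cookie)[cfg.cookie];
    if (value) found.push({ token: value, source: 'cookie' });
  }

  if (found.length === 0) return { error: 'missing_token' };
  // Refuse ambiguous requests instead of silently picking one location.
  if (found.length > 1) return { error: 'multiple_token_locations' };
  return found[0];
}
```

Tokens accepted from the query string end up in access logs, browser history and Referer headers, and tokens accepted from cookies are sent automatically by browsers, so a service that enables the cookie source needs CSRF protection on state-changing routes.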