
Search for 'input_key' in Request Cookies #118

Open
lauritzh opened this issue Nov 15, 2024 · 3 comments

Comments

@lauritzh

Hey there!

We recently had a use case where we wanted to use HttpOnly Cookies to transfer the Keycloak JWT instead of the Authorization header. The modifications to achieve that were rather minimal:

We basically only had to add ?? $this->request->cookies->get($inputKey) to https://github.com/robsontenorio/laravel-keycloak-guard/blob/master/src/KeycloakGuard.php#L61C56-L61C63.

```php
/**
 * Get the token for the current request.
 *
 * @return string|null
 */
public function getTokenForRequest()
{
    // Name of the request parameter (and now also the cookie) that may carry the token.
    $inputKey = $this->config['input_key'] ?? "";

    // Lookup order: Authorization: Bearer header, then request input,
    // then a cookie of the same name (the added fallback).
    return $this->request->bearerToken()
        ?? $this->request->input($inputKey)
        ?? $this->request->cookies->get($inputKey);
}
```

Maybe this is a use case that is also interesting for others?

Best,
Lauritz

@robsontenorio
Owner

robsontenorio commented Dec 6, 2024

How do you send a request to your API using cookies? As far as I know, APIs are stateless.

@lauritzh
Author

lauritzh commented Dec 6, 2024

Hey @robsontenorio,

Thanks for having a look into this! :)

Not sure if I understood your question correctly. On a high level, this is what we do:
The API is used by a Single Page Application (SPA). We have a BFF component that performs the SSO flow with Keycloak and securely stores the long-living refresh_token on the server side. The access_token is then set as HttpOnly cookie for the end-user.

The APIs are then directly used via JavaScript, the browser sends the Keycloak access_token along automatically as cookie, instead of having to manually add the token within the Authorization header or as query parameter for every API request.

This way, we can even protect the access_token from being directly accessible via JavaScript at all (HttpOnly cookie).


Just wanted to let you know that we had a use case where we tweaked the guard a bit. Not sure if this is something that could be useful to others.

Best,

Lauritz
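The lookup order from the snippet in the first comment, run against the three request shapes described above (cookie-only SPA traffic via the BFF, header-only clients, and both present), as an added example that is not the guard's own code. `FakeRequest` is a hypothetical stand-in for `Illuminate\Http\Request`; the `input_key` value and cookie name are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from laravel-keycloak-guard. FakeRequest is a
// hypothetical stand-in for Illuminate\Http\Request so the lookup order from
// the issue can be run without Laravel or Keycloak.
final class FakeRequest
{
    public function __construct(
        private array $headers = [],   // e.g. ['Authorization' => 'Bearer ...']
        private array $input = [],     // query string / form body parameters
        private array $cookies = [],   // cookies the browser attached automatically
    ) {}

    // Same contract as Laravel's bearerToken(): the value after "Bearer ", or null.
    public function bearerToken(): ?string
    {
        $header = $this->headers['Authorization'] ?? '';
        return str_starts_with($header, 'Bearer ') ? substr($header, 7) : null;
    }

    public function input(string $key): ?string  { return $this->input[$key] ?? null; }
    public function cookie(string $key): ?string { return $this->cookies[$key] ?? null; }
}

// The resolver from the issue with the cookie fallback appended: Authorization
// header first, then the request input named by input_key, then a cookie of the
// same name. The header always wins, so a stale cookie cannot override a fresh
// token. Because the browser sends the cookie on its own, the BFF should set it
// with HttpOnly, Secure and a SameSite value so it is not attached cross-site.
function getTokenForRequest(FakeRequest $request, array $config): ?string
{
    $inputKey = $config['input_key'] ?? '';
    return $request->bearerToken()
        ?? $request->input($inputKey)
        ?? $request->cookie($inputKey);
}

$config = ['input_key' => 'api_token']; // assumed config value

// Constructed sample requests: SPA via the BFF (cookie only), classic API
// client (header only), both present, and a request carrying nothing.
$cookieOnly = new FakeRequest(cookies: ['api_token' => 'jwt-from-cookie']);
$headerOnly = new FakeRequest(headers: ['Authorization' => 'Bearer jwt-from-header']);
$both       = new FakeRequest(headers: ['Authorization' => 'Bearer jwt-from-header'],
                              cookies: ['api_token' => 'jwt-from-cookie']);

foreach (['cookie only' => $cookieOnly, 'header only' => $headerOnly,
          'both' => $both, 'none' => new FakeRequest()] as $label => $request) {
    echo $label, ': ', var_export(getTokenForRequest($request, $config), true), PHP_EOL;
}
```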

@robsontenorio
Owner

Can you send a PR with tests? Please also change the README.
