[keycloak-dev] Cors origins in token
Bill Burke
bburke at redhat.com
Thu Nov 21 10:24:25 EST 2013
We could:
* Have a web-origin token that's stuffed in a custom header. We'd need
to think about any security implications surrounding that.
* Have the adapter query the auth-server at boot time to get a list of
allowed origins.
A web-origin token might be best; then you can restrict a specific client
to only be able to invoke on a subset of origins.
On 11/21/2013 10:09 AM, Stian Thorgersen wrote:
> Is it correct that the adapters only read allowed web origins from the token? If so, does that not mean that unless a user is authenticated CORS won't be enabled? I don't think that'll work.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
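
The problem raised in the quoted question and the boot-time list option from the reply, as an added sketch that is not part of the original message and not Keycloak adapter code: a browser sends the CORS preflight OPTIONS request without credentials or custom header values, so an adapter that reads origins only from a token has nothing to consult at that point. Function names, origins and the rule that the boot-time list bounds the token's list are assumptions.

```javascript
// Added illustration, not Keycloak adapter code. All names and origins are constructed.

// Boot-time option: origins the adapter would fetch from the auth server at startup.
const BOOT_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Decide the Access-Control-Allow-Origin value, or null to emit no CORS headers.
//   origin       - the request's Origin header (undefined for same-origin calls)
//   tokenOrigins - origins from an already signature-verified token, or null
//                  when the request carries no token (a preflight never does)
//   bootOrigins  - Set loaded at boot, or null for a token-only adapter
function allowedOrigin(origin, tokenOrigins, bootOrigins) {
  if (!origin) return null;
  if (tokenOrigins !== null) {
    // Token present: it narrows this client to its own subset of origins.
    if (!tokenOrigins.includes(origin)) return null;
    // Assumption: a boot-time list, when present, is an upper bound.
    if (bootOrigins && !bootOrigins.has(origin)) return null;
    return origin; // echo the exact matched origin, never "*"
  }
  // No token (preflight or anonymous call): only the boot-time list can answer.
  return bootOrigins && bootOrigins.has(origin) ? origin : null;
}

// Walk one bearer-token browser call through its preflight and the actual request.
function crossOriginCall(origin, tokenOrigins, bootOrigins) {
  const preflight = allowedOrigin(origin, null, bootOrigins); // OPTIONS: no token
  if (preflight === null) return { preflight: "blocked", request: "not sent" };
  const actual = allowedOrigin(origin, tokenOrigins, bootOrigins);
  return { preflight: "ok", request: actual === null ? "blocked" : "ok" };
}

const token = ["https://app.example.com"]; // constructed list of token origins
// Token-only adapter: the preflight fails even though the token allows the origin.
console.log(crossOriginCall("https://app.example.com", token, null));
// Boot-time list answers the preflight; the token then confirms the origin.
console.log(crossOriginCall("https://app.example.com", token, BOOT_ORIGINS));
// Realm allows the origin, but this client's token restricts it to a subset.
console.log(crossOriginCall("https://admin.example.com", token, BOOT_ORIGINS));
```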