[keycloak-dev] Cors origins in token

Stian Thorgersen stian at redhat.com
Thu Nov 21 10:54:02 EST 2013



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 21 November, 2013 3:24:25 PM
> Subject: Re: [keycloak-dev] Cors origins in token
> 
> We could:
> 
> * Have a web-origin token that's stuffed in a custom header.  We'd need
> to think about any security implications surrounding that.

I don't quite understand - would that not mean that the adapter would have to make some request to Keycloak in the first place?

> * Have the adapter query the auth-server at boot time to get a list of
> allowed origins.
> 
> A web-origin token might be best then you can restrict a specific client
> to only be able to invoke on a subset of origins.

One thing I was wondering about in the past was whether the adapter could retrieve a lot of the configuration information at boot time (it could also refresh it at certain intervals). Then all you'd need to add to the app to configure it would be the client id and secret.

I'm not 100% sure whether or not it would be safe to retrieve the pub key this way though? But it is retrieved over https, and if you can't trust the https connection and the keycloak server are you not a bit f... anyway?

> 
> 
> On 11/21/2013 10:09 AM, Stian Thorgersen wrote:
> > Is it correct that the adapters only read allowed web origins from the
> > token? If so does that not mean that unless a user is authenticated CORS
> > won't be enabled? I don't think that'll work.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
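Added example, not code from the Keycloak project or from either poster: a small Python model of the two policies this thread weighs against each other. Policy A reads allowed origins only from the bearer token; Policy B takes them from configuration fetched at boot and lets a token's claim narrow (but never widen) that set. The browser sends a CORS preflight (OPTIONS) without credentials, so the preflight never carries a token, which is the case the question in the quoted message is about. The `Request` class, the sample origins in `BOOT_CONFIG_ORIGINS`, and the claim name `allowed-origins` are assumptions of this example; token signature verification is assumed to have happened before `token_claims` is populated.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed sample data, not taken from Keycloak: the web origins an adapter
# would learn from the auth server at boot time for this application.
BOOT_CONFIG_ORIGINS: Set[str] = {"https://app.example.com", "https://admin.example.com"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed shape)."""
    method: str
    headers: Dict[str, str]
    # Claims of an already signature-verified bearer token, or None when the
    # request carries no token. Verification itself is outside this example.
    token_claims: Optional[dict] = None


def is_preflight(req: Request) -> bool:
    return req.method == "OPTIONS" and "Access-Control-Request-Method" in req.headers


def origins_from_token(req: Request) -> Optional[Set[str]]:
    """Policy A, the behaviour the thread questions: allowed origins are read
    only from the token's (assumed) 'allowed-origins' claim."""
    if req.token_claims is None:
        return None
    return set(req.token_claims.get("allowed-origins", []))


def origins_from_config(req: Request) -> Set[str]:
    """Policy B: origins come from boot-time configuration; when a token is
    present, its claim can only narrow that set, never widen it."""
    if req.token_claims is None:
        return set(BOOT_CONFIG_ORIGINS)
    return BOOT_CONFIG_ORIGINS & set(req.token_claims.get("allowed-origins", []))


def cors_headers(req: Request,
                 resolve: Callable[[Request], Optional[Set[str]]]) -> Optional[Dict[str, str]]:
    """Return the CORS response headers to emit, {} for a request without an
    Origin header (no CORS involved), or None when the origin is not allowed
    (no Access-Control-Allow-Origin is sent, so the browser blocks the response)."""
    origin = req.headers.get("Origin")
    if origin is None:
        return {}
    allowed = resolve(req)
    if not allowed or origin not in allowed:
        return None
    # Echo the single matching origin rather than "*", and tell caches the
    # response depends on the Origin header.
    hdrs = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if is_preflight(req):
        hdrs["Access-Control-Allow-Methods"] = req.headers["Access-Control-Request-Method"]
        hdrs["Access-Control-Allow-Headers"] = req.headers.get("Access-Control-Request-Headers", "")
    return hdrs


def demo() -> Dict[str, Optional[Dict[str, str]]]:
    """Run both policies over a constructed preflight and two real requests."""
    # Browsers send the preflight without credentials, so there is no token here.
    preflight = Request("OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "authorization",
    })
    claims = {"allowed-origins": ["https://app.example.com"]}
    # The actual request, carrying a token whose claim names a single origin.
    actual = Request("GET", {"Origin": "https://app.example.com",
                             "Authorization": "Bearer <verified elsewhere>"}, token_claims=claims)
    # Same token presented from an origin that is in the boot config but not in the claim.
    other = Request("GET", {"Origin": "https://admin.example.com",
                            "Authorization": "Bearer <verified elsewhere>"}, token_claims=claims)
    return {
        "preflight/token-only": cors_headers(preflight, origins_from_token),   # rejected
        "preflight/config": cors_headers(preflight, origins_from_config),      # allowed
        "actual/token-only": cors_headers(actual, origins_from_token),         # allowed
        "actual/config": cors_headers(actual, origins_from_config),            # allowed
        "other-origin/config": cors_headers(other, origins_from_config),       # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'rejected' if result is None else result}")
```

The "preflight/token-only" row is the failure mode raised in the quoted message: with Policy A every cross-origin call from an unauthenticated page dies at the preflight, because the only source of allowed origins is a token that cannot be present yet. Policy B answers that while still keeping Bill's point, since intersecting the boot-time list with the token claim is what restricts one client to a subset of origins (the "other-origin/config" row).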