[keycloak-dev] changes to admin ui login/bootstrap

Fri Oct 18 13:20:49 EDT 2013

I've been focused on what's needed to get keycloak.js to work..

* I've added a list of web origins to the client (UserModel)
* Alexandre has added this to the admin console (application page)
* I've added support for CORS to TokenService.accessCodeToToken
* Tested basic JS example to work with CORS

Been considering what to do for authorized requests (bearer token). And came to same conclusion as you. However, I was going to send the value of the Origin header, not '*'. Then verify when the actual header comes in. I was actually thinking about doing returning a 400/403 or something like that if the Origin does match one specified on the client. The first thing I was thinking about adding to use this was a method to allow retrieving the user profile for the currently logged in user. Then I was going to talk to you about what we could do to add it to SaasService.

I've not looked at it from the perspective of adding it to adapters, only to support it for the Keycloak server itself.

I was in the process of cleaning this up, then the plan was to let you have a look at it before merging it upstream. 

I've also had a look at what others are doing at it seems like Google for example just returns an allowed origins that matches whatever the origin was. It seems to completely disregard the values you specify through the console itself (of which I can't quite figure out what their purpose is).

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 18 October, 2013 5:49:51 PM
> Subject: Re: [keycloak-dev] changes to admin ui login/bootstrap
> 
> 
> 
> On 10/18/2013 12:15 PM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 17 October, 2013 11:30:08 PM
> >> Subject: Re: [keycloak-dev] changes to admin ui login/bootstrap
> >>
> >>
> >>
> >> On 10/17/2013 4:42 AM, Stian Thorgersen wrote:
> >>> I strongly feel this is a mistake. We need to find a way to make the
> >>> admin
> >>> console use Keycloak without any hacks. In my opinion the admin console
> >>> should use keycloak.js as it's a client-side application. For client-side
> >>> applications the credentials should be public so can just be
> >>> pre-configured to a well-known string.
> >>>
> >>> Safety of client-side applications are provided by two things: firstly
> >>> the
> >>> application credentials themselves don't give you any privileges,
> >>> secondly
> >>> the redirect uri should be verified by Keycloak preventing unauthorized
> >>> use of the credentials.
> >>>
> >>> If we can't come up with a good and safe approach to using Keycloak with
> >>> HTML5 and mobile applications the project is a huge fail! If we're not
> >>> using it directly ourselves for our HTML5 console that doesn't sound
> >>> right
> >>> to me.
> >>>
> >>
> >> #1  I want Keycloak ready to use out of the box and be as secure and
> >> locked down as possible.  This requirement may or may not effect the
> >> implementation of the admin ui or admin REST interfaces.
> >>
> >> #2 We don't support CORS yet so doing keycloak.js approach is not an
> >> option at the moment.  I'm going to tackle that now as I don't think its
> >> that much work and this would be a really cool core feature.
> >
> > I've already started work on keycloak.js + CORS support. As I mentioned on
> > our Hangout having a good way to support HTML5 applications is a strong
> > requirement for MBaaS so that is something I'm look at now
> >
> 
> Would be good to know what you're doing for this.  This requires support
> at multiple layers to support it as a core keycloak feature.  I've done
> most of the work, just have the admin UI left.
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 