[keycloak-dev] cors setup simplification?
Bill Burke
bburke at redhat.com
Tue May 20 10:07:52 EDT 2014
On 5/20/2014 9:33 AM, Stian Thorgersen wrote:
> I like the idea of not having to specify the web-origins, but I wonder if there are use-cases for having web-origins that can't be calculated from the redirect-uris.
>
I just can't see a case for this. Let's just let users tell us we need
this control. Right now, the web origin is always set to the
protocol://hostname of the application or oauth client.
> Also, the web-origins is used by Keycloak's own endpoints. In this case "Cross-Origin Tokens" doesn't make sense.
>
You're talking about the Account Service correct? Well, I'm changing
that! :) How you implemented CORS support for the Account Service is
not how web-origins were intended to be used.
Tokens are created for a specific client (app or oauth). The
web-origins for that issuedFor client are stuffed into the token created
specifically for that client. Basically, it's saying this token is
allowed to come from this set of origins.
Web-Origins are not origin permissions for that application/client.
When you specify a web origin for the Account Service (or any other
application) in the admin console, this is not origins that are allowed
to call the account service! But instead, the origins allowed for token
requests made from tokens created for the Account Service. Am I making
sense?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
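The mechanism described in the message above (web origins computed as protocol://hostname from the client's redirect URIs, stuffed into the token issued for that client, then checked against the Origin of a request carrying that token), as an added Python example that is not Keycloak's own code; the token layout, the `allowed-origins` claim name and the helper names are assumptions made for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(redirect_uri):
    """Reduce a redirect URI to its web origin (scheme://host[:port]).
    Returns None for non-http(s) URIs (e.g. native-app custom schemes)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def web_origins_for(redirect_uris):
    """Web origins derived from a client's redirect URIs, deduplicated, order kept."""
    origins = []
    for uri in redirect_uris:
        origin = origin_of(uri)
        if origin is not None and origin not in origins:
            origins.append(origin)
    return origins


def issue_token(client_id, redirect_uris):
    """Token issued for one client: its derived origins travel inside the token.
    The claim names used here are assumptions for this example."""
    return {"issuedFor": client_id,
            "allowed-origins": web_origins_for(redirect_uris)}


def cors_headers(token, request_origin):
    """Decide CORS for a request that presents `token`.
    Returns {} when there is no Origin header (not a cross-origin browser
    request), the CORS response header when the Origin is bound to the token,
    and None when the request must be rejected."""
    if request_origin is None:
        return {}
    if request_origin in token.get("allowed-origins", []):
        return {"Access-Control-Allow-Origin": request_origin}
    return None


if __name__ == "__main__":
    # Constructed sample: one client with three registered redirect URIs.
    tok = issue_token("my-app", ["https://app.example.com/callback",
                                 "http://localhost:8080/*", "myapp://cb"])
    print(tok, cors_headers(tok, "https://app.example.com"))
```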