[keycloak-dev] Keycloak.js is inefficient and can be improved

Bill Burke bburke at redhat.com
Mon Feb 23 10:24:04 EST 2015



On 2/23/2015 9:38 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Monday, February 23, 2015 3:34:12 PM
>> Subject: Re: [keycloak-dev] Keycloak.js is inefficient and can be improved
>>
>> Verifying the token would be a must for implicit flow, IMO.  Not so much
>> for access code flow though.
>
> Should we add support for implicit flow?
>

No, as it looks like implicit flow can leak access tokens into the 
browser history which could lead to accidental bookmarks or rogue 
scripts looking at browser history.  Code is protected as the code can 
only be used once, so if it leaks there's not much you can do about it. 
Especially if you enforce CORS origin validation (which I don't think 
we do right now).

>>
>> For access code flow it is not really possible to fool the javascript
>> provider because of the "state" parameter, and obtaining an access token
>> happens out of band.
>
> We support passing tokens to keycloak.js to initialize it, but not sure if that could be exploited
>

Not sure what that feature is or if it should even be supported.  Sounds 
close to what the implicit flow is.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
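As an added illustration of the two redirect shapes discussed in this thread (this is not keycloak.js code, nor anything the authors posted), the function below tells a code-flow callback (`?code=...&state=...`) apart from an implicit-flow callback (`#access_token=...&state=...`), checks the `state` value against the one the client stored before redirecting, and computes a scrubbed URL that a browser client would hand to `history.replaceState` so neither the code nor a token survives in bookmarks or history. Function and field names are hypothetical.

```javascript
// Added example: parse an OAuth2/OIDC redirect URL and validate "state".
// Uses only the WHATWG URL API available in Node and browsers.
function parseAuthCallback(callbackUrl, expectedState) {
  const u = new URL(callbackUrl);
  const query = u.searchParams;                        // code flow lands here
  const fragment = new URLSearchParams(u.hash.slice(1)); // implicit flow lands here
  const result = { flow: null, stateValid: false, tokenInUrl: false, cleanUrl: null };

  if (fragment.has('access_token')) {
    // Implicit flow: the access token itself is in the URL, so it is already
    // exposed to browser history even though the fragment is not sent to servers.
    result.flow = 'implicit';
    result.tokenInUrl = true;
    result.stateValid = fragment.get('state') === expectedState;
  } else if (query.has('code')) {
    // Code flow: only the single-use code is exposed; the token exchange is out of band.
    result.flow = 'code';
    result.stateValid = query.get('state') === expectedState;
  } else {
    return result; // not an authorization response at all
  }

  // Build the URL to write back over the current history entry: keep the
  // application's own query parameters, drop everything the IdP appended.
  const clean = new URL(u.href);
  const kept = new URLSearchParams();
  for (const [k, v] of clean.searchParams) {
    if (!['code', 'state', 'session_state'].includes(k)) kept.append(k, v);
  }
  clean.search = kept.toString(); // empty string removes the "?" entirely
  clean.hash = '';                // always drop the fragment
  result.cleanUrl = clean.href;
  return result;
}
```

A client would only proceed with the token exchange when `stateValid` is true, and would apply `cleanUrl` via `history.replaceState` before doing anything else with the response.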

