[keycloak-dev] Keycloak.js is inefficient and can be improved

Stian Thorgersen stian at redhat.com
Mon Feb 23 10:36:26 EST 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, February 23, 2015 4:24:04 PM
> Subject: Re: [keycloak-dev] Keycloak.js is inefficient and can be improved
> 
> 
> 
> On 2/23/2015 9:38 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Monday, February 23, 2015 3:34:12 PM
> >> Subject: Re: [keycloak-dev] Keycloak.js is inefficient and can be improved
> >>
> >> Verifying the token would be a must for implicit flow, IMO.  Not so much
> >> for access code flow though.
> >
> > Should we add support for implicit flow?
> >
> 
> No, as it looks like implicit flow can leak access tokens into the
> browser history which could lead to accidental bookmarks or rogue
> scripts looking at browser history.  Code is protected as the code can
> only be used once, so if it leaks there's not much you can do about it.
>   Especially if you enforce CORS origin validation (which I don't think
> we do right now).

I agree, but we often get requests for it, so I was wondering if we should make an option on the realm to enable it.

We only allow CORS origins that have been explicitly configured for the application.

> 
> >>
> >> For access code flow it is not really possible to fool the javascript
> >> provider because of the "state" parameter, and obtaining an access token
> >> happens out of band.
> >
> > We support passing tokens to keycloak.js to initialize it, but not sure if
> > that could be exploited
> >
> 
> Not sure what that feature is or if it should even be supported.  Sounds
> close to what the implicit flow is.

Nothing like implicit. Basically the idea was that someone could store the refresh token in HTML5 local or session storage and then use it to re-initialize keycloak.js when the page is refreshed.

One issue with keycloak.js is that every time you refresh the page the app is re-logged-in (creating a new client session); the same happens if you have multiple tabs open. I was thinking we should introduce an option to allow storing the refresh token in HTML5 storage to prevent this. We could also store the token, which would be useful to prevent refreshing the token multiple times if there are multiple tabs open to the same app.

> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

