[keycloak-user] Confidential RESTful client

Stian Thorgersen sthorger at redhat.com
Tue Feb 23 01:11:09 EST 2016


As long as you use HTTPS and make sure you set redirect URIs correctly, it's
secure. The authorization code has a short lifespan, so there's a very low
chance that someone could retrieve it from the browser history. Further, the
redirect URIs prevent other applications from sniffing it.

I don't see how what you are proposing would be any more secure. You still
have to transfer the token to the HTML5 application. So you've just moved
the problem from the interaction with Keycloak to a custom implementation on
your end.

On 19 February 2016 at 23:18, Bruce Shaw <battery4cid at gmail.com> wrote:

> I have an AngularJS single page web-app that makes RESTful API calls to get
> secured data from our server (Play Framework).  I originally set it up to
> be a public client using the keycloak.js adapter, but I'm wondering if
> there's a more secure way.
>
> Instead of having the redirect response (with the authorization code) come
> back to keycloak.js followed by the request to get the access token,
> wouldn't it be more secure to have the JavaScript post the returned
> authorization code to our server, or just set the redirect URL to an
> endpoint on our server to make the backchannel request (with client secret
> and id) for the access token?  Then we can redirect the user to the
> appropriate location with the access token in the response.
>
> I guess I’m trying to make my RESTful api a confidential client, any input
> or direction would help.
>
> thanks.
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>