[keycloak-user] Securing Web Apps with Sessions and KeyCloak?

Alex Berg chexxor at gmail.com
Thu Apr 13 16:39:47 EDT 2017


Hello KeyCloak users,

I spent tons of time trying to find an example of using KeyCloak to secure
an https-cookie-based session id for managing user sessions, but I can't
find it. I found examples which demonstrate using the OID redirect flow
from an AngularJS app to get tokens, but I'm concerned about the security
of storing this token in JS-land in a browser. I suspect a malicious script
could grab it and impersonate the user. Also, I don't know of any websites
I use which use this flow, but I'm new to managing user accounts so it
could be invisible to me.

I was thinking I'd like to have a form which sends the user's id and
secret to my server, then turn it into a session id to keep in an https
cookie. Or perhaps this is "the old way" of doing auth?

Anyway, are my concerns unwarranted? Is it common practice now to simply treat
my browser app as an OID client and pass a user token when requesting data
from the server?

Thanks for KeyCloak! I love how easy it is to deploy it as containers! I
was originally planning to use Gluu, but they have a pretty crappy story
for deploying as containers. Also, the KeyCloak docs and examples are
simply more relatable! Nice work on those!

- Alex
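The server-side design described in the post above, as an added example that is not part of the original thread or of Keycloak itself: the server exchanges the form credentials for tokens, keeps the token set in its own store, and hands the browser only an opaque session id in a Secure, HttpOnly cookie, so page scripts cannot read the access token. The call to Keycloak's token endpoint is replaced by a constructed stand-in so the example runs offline; the session id name `sid` and the TTL are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed stand-in for the server POSTing the form credentials to Keycloak's
# token endpoint (/realms/<realm>/protocol/openid-connect/token, grant_type=password).
# That HTTPS call is made by the server, so the tokens never reach the browser.
def fake_keycloak_password_grant(username, password):
    if (username, password) != ("alice", "correct horse battery staple"):
        return None  # Keycloak would answer 401 invalid_grant
    return {"access_token": "eyJ.constructed.access",
            "refresh_token": "eyJ.constructed.refresh", "expires_in": 300}


class SessionStore:
    """Server-side map: opaque session id -> Keycloak token set (assumed design)."""

    def __init__(self, token_endpoint, ttl_seconds=1800, clock=time.time):
        self._token_endpoint = token_endpoint
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested
        self._sessions = {}

    def login(self, username, password):
        """Exchange credentials for tokens; return a fresh session id, or None on failure."""
        tokens = self._token_endpoint(username, password)
        if tokens is None:
            return None
        sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable, carries no claims
        self._sessions[sid] = {"tokens": tokens, "expires_at": self._clock() + self._ttl}
        return sid

    @staticmethod
    def set_cookie_header(sid):
        """Secure: HTTPS only. HttpOnly: hidden from document.cookie. SameSite: limits CSRF."""
        return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def tokens_for_request(self, cookie_header):
        """Resolve an incoming request's Cookie header to the stored token set."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get("sid")
        session = self._sessions.get(morsel.value) if morsel else None
        if session is None:
            return None
        if self._clock() >= session["expires_at"]:
            self._sessions.pop(morsel.value, None)  # expired: require a new login
            return None
        return session["tokens"]

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

The API handler then uses the returned access token as a bearer token when calling backend services on the user's behalf; the browser only ever sees the cookie.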
