[keycloak-user] Securing Web Apps with Sessions and KeyCloak?

Kevin Berendsen kevin.berendsen at pharmapartners.nl
Fri Apr 14 06:14:09 EDT 2017


Hi Alex,

I understand your concern. Using the standard flow means that the user is directed to your Keycloak instance, logs in and returns an authorization code to your browser, which the user finally turns into an access token. By default these access tokens only live for 5 minutes, which means that if there's a malicious script on the end user's computer, he will have a hard time constantly using his access token. But honestly, these flaws can also happen if you have a cookie stored locally.

And then again, the probability of your Keycloak instance being hacked or under attack is very small. If you happen to be hacked, it's usually because they found a way to access Keycloak's machine by bypassing SSH or whatever.

So use HTTPS and follow the basic guidelines on creating a public client and you're good to go. If you're interested in how these flows work in detail, search for the OAuth2 protocol and you will find plenty of information that could be very helpful.

Kind regards,

Kevin

-----Original message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Alex Berg
Sent: Thursday, 13 April 2017 22:40
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Securing Web Apps with Sessions and KeyCloak?

Hello KeyCloak users,

I spent tons of time trying to find an example of using KeyCloak to secure an https-cookie-based session id for managing user sessions, but I can't find it. I found examples which demonstrate using the OID redirect flow from an AngularJS app to get tokens, but I'm concerned about the security of storing this token in JS-land in a browser. I suspect a malicious script could grab it and impersonate the user. Also, I don't know of any websites I use which use this flow, but I'm new to managing user accounts so it could be invisible to me.

I was thinking I'd like to have a form which sends the user's id and secret to my server, then turn it into a session id to keep in an https cookie. Or perhaps this is "the old way" of doing auth?

Anyway, are my concerns unwarranted? Is it common practice now to simply treat my browser app as an OID client and pass a user token when requesting data from the server?

Thanks for KeyCloak! I love how easy it is to deploy it as containers! I was originally planning to use Gluu, but they have a pretty crappy story for deploying as containers. Also, the KeyCloak docs and examples are simply more relatable! Nice work on those!

- Alex
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user