[keycloak-user] Keycloak javascript client iframe policy

Lukasz Lech l.lech at ringler.ch
Thu Nov 22 04:57:33 EST 2018


Hello,

I hadn't looked into the internals of how the JavaScript Keycloak client talks to the Keycloak server until token refresh stopped working in one of our installations, which was because the firewall was adding the HTTP header X-Frame-Options: sameorigin by default. Then I found out the Keycloak client is creating and manipulating an iframe.

Is this solution really safe against CSRF attacks? I'm not an expert in that domain, but I've read recommendations to use Authorization: Bearer headers and call the API directly, so I don't understand why this iframe is needed.

I have a bit of a problem now explaining WHY we need to use iframes and how (un)safe it is...

Best regards,
Lukasz Lech
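The framing restriction the post describes, as an added example that is not from the original post or from Keycloak: a check that, given the headers a response was served with, decides whether a page on the application's origin may load that response in an iframe, applying a CSP frame-ancestors directive first (browsers ignore X-Frame-Options when one is present) and X-Frame-Options otherwise. The URLs are constructed, the iframe path is only modelled on the adapter's session-status iframe (an assumption), and the CSP source matcher is simplified.

```python
from urllib.parse import urlsplit

def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, the way browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def framing_allowed(headers: dict, frame_url: str, embedder_url: str):
    """Return (allowed, reason): may a page at embedder_url render frame_url in an <iframe>,
    given the headers frame_url was served with? Simplified source matching (assumption)."""
    h = {k.lower(): v for k, v in headers.items()}
    frame_origin = origin_of(frame_url)
    embedder_origin = origin_of(embedder_url)

    # A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if "none" in sources:
            return False, "CSP frame-ancestors 'none'"
        for src in sources:
            if src == "*":
                return True, "CSP frame-ancestors *"
            if src == "self" and embedder_origin == frame_origin:
                return True, "CSP frame-ancestors 'self' (same origin)"
            if src.endswith(":") and embedder_origin.startswith(src):
                return True, f"CSP frame-ancestors scheme source {src}"
            if src == embedder_origin:
                return True, f"CSP frame-ancestors lists {src}"
        return False, f"CSP frame-ancestors does not list {embedder_origin}"

    # No frame-ancestors directive: fall back to X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo == "sameorigin":
        if embedder_origin == frame_origin:
            return True, "X-Frame-Options: SAMEORIGIN (same origin)"
        return False, f"X-Frame-Options: SAMEORIGIN blocks {embedder_origin}"
    return True, "no framing restriction in headers"

# Constructed sample: the session-status iframe is served by the SSO host (path
# modelled on the Keycloak adapter's, an assumption) and embedded by the app host.
IFRAME_URL = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/login-status-iframe.html"
APP_URL = "https://app.example.test/"

if __name__ == "__main__":
    print(framing_allowed({"X-Frame-Options": "sameorigin"}, IFRAME_URL, APP_URL))
```

With the header the post mentions, the app origin differs from the SSO origin, so the check reports the iframe as blocked; it would pass if the SSO host instead sent a frame-ancestors directive listing the application's origin.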
