<div dir="ltr">Hi Stian and Bill,<div><br></div><div>I've posted some questions regarding this topic before but I thought I'd start a new thread to keep things focused:</div><div><br></div><div>I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) backend modules. To add authentication and authorization to this application, I'd like to use keycloak</div>
<div><br></div><div>* as a user and role management front-end</div><div>* to provide a customizable login page (works very well by the way ;)</div><div>* as an OAuth 2.0 token provider</div><div>* to add user and role information to the HTTPRequests in my REST/ backend modules</div>
<div><br></div><div>To do this, I'm currently looking at keycloak.js and the customer-app-js example. However, I'm wondering whether this is really the best way to go. In a reply to an earlier post of mine you mentioned that the keycloak admin console is written in AngularJS and that you are using HTTP-only cookies there.</div>
<div><br></div><div>However, in keycloak.js and the customer-app-js example you are retrieving the token in the JS app and adding an authorization header with a bearer token to the HTTP requests.</div><div><br></div><div>
So here are my questions: </div><div><br></div><div>* Is there a reason you are using two different approaches in the admin console and the official demo app? </div><div>* which one of the two approaches (bearer tokens vs. HTTP-only cookie) will you support/ will be the officially recommended one for HTML5/ client side JavaScript applications in keycloak?</div>
<div>* am I right in assuming that you haven't quite decided yet which approach to use and that you are still discussing this in the keycloak team?</div><div><br></div><div>Looking forwards to your reply!<br></div><div>
Cheers,</div><div>Nils</div></div>