<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/04/16 02:21, Anthony Fryer wrote:<br>
    </div>
    <blockquote
cite="mid:8EE3449CB6463C4FB0544A12CEA72DD7DEC08C8F@iskexcemxprd02.virginblue.internal"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">Hi,</p>
        <p class="MsoNormal"> </p>
        <p class="MsoNormal">Up until recently I automatically selected
          to use implicit grant flow from SPAs, but lately I’ve been
          re-assessing this since the keycloak javascript adapter
          provides standard flow out of the box and makes that a viable
          option.  I also note that the keycloak admin console is an
          HTML5/javascript/angular js app that uses the keycloak js
          adapter and uses the standard flow.  As a side note I find the
          client defaults interesting in that Implicit flow is disabled,
          but direct access grants are enabled (I’m coming from a
          mitreid connect implementation where direct access grants
          were disabled by default and implicit flow was enabled, so I
          just wonder what the thinking is behind this since direct
          access grants are discouraged).</p>
      </div>
    </blockquote>
    Direct grants are enabled mostly for backwards compatibility and for
    making some admin tasks slightly easier. For example, because direct
    grant is enabled, you have the possibility to invoke admin REST
    endpoints once you start Keycloak, which is widely used in tests.
    Without direct grants enabled, you would first need to manually go
    to the admin console and enable it for the admin console client, but
    that's not easy just with admin REST endpoints (outside the admin
    console UI) if it is disabled - in other words it's a classic
    chicken-and-egg problem.<br>
    <br>
    Direct grants are discouraged mainly because they require users to
    enter their password in your app instead of the Keycloak server.
    However: <br>
    - If your app is web-based and doesn't require direct grants, you
    just won't ask users to enter their password into your app<br>
    - If your app is not web-based and requires direct grants, you would
    still need to enable direct grant and ask people to enter their
    password into your application. If they don't trust it, they just
    refuse to enter their password into your app.<br>
    <br>
    So from a security and end-user perspective, there is not much
    difference between the case when direct access grant is enabled or
    disabled by default IMO.<br>
    <blockquote
cite="mid:8EE3449CB6463C4FB0544A12CEA72DD7DEC08C8F@iskexcemxprd02.virginblue.internal"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal">I’m really wondering why are you pushing
          standard flow from the keycloak javascript adapter instead of
          implicit?  What are the benefits that make standard flow
          better in this case?  One thing I have seen mentioned is
          refresh tokens obtained in standard flow make it easy to get a
          new access token, but I thought you could get refresh tokens
          from the implicit flow anyway, and even if not, if a user logs
          in with “remember me”, then getting a new access token doesn’t
          require re-entering credentials by the user.  I want to make
          sure that when implementing keycloak in our SPA we choose the
          best flow and want to know if there’s some reason standard
          flow is best.</p>
      </div>
    </blockquote>
    Yes, refreshing tokens is not allowed in implicit flow per the OIDC
    specification. Also, the accessToken and idToken are sent in the
    URI fragment in implicit flow, which can in theory have some
    security implications. <br>
    <br>
    So with implicit flow, you have to redirect to the login screen (as
    you mentioned above) instead of just simply refreshing tokens.
    Redirecting to the login screen is usually worse performance-wise
    than refreshing tokens and also requires some change in the logic of
    your javascript app, but it's doable (for example you can implement
    the callback keycloak.onTokenExpired or you can always manually check
    the expiration on the accessToken before sending a request to a 3rd
    party service). The logic for refreshing the token in a javascript
    app is quite simple: you just need to wrap the REST call with
    keycloak.update to ensure the accessToken is automatically refreshed
    by the adapter in case it's expired (or going to expire).
    <br>
    <br>
    Marek<br>
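    The refresh-before-call wrapper described above, as an added example
    that is not code from the original post or from the Keycloak project.
    It assumes the promise-returning keycloak-js adapter API
    (keycloak.updateToken, keycloak.token, keycloak.tokenParsed,
    keycloak.login); the 2016-era adapter exposed the same calls with
    .success()/.error() callbacks instead. The adapter instance is a
    constructed stand-in so the wrapper runs offline.<br>

```javascript
// Added example, not code from the keycloak-js adapter or the original post.
// Assumes the promise-returning adapter API (updateToken, token, tokenParsed,
// login); the 2016 adapter used .success()/.error() callbacks, same logic.
const MIN_VALIDITY_SECONDS = 30; // refresh when the token expires within 30 s

// Manual expiry check on the parsed access token (exp is a UNIX timestamp),
// the "check the expiration yourself" option mentioned above.
function needsRefresh(tokenParsed, nowSeconds, minValidity = MIN_VALIDITY_SECONDS) {
  return tokenParsed.exp - nowSeconds < minValidity;
}

// Wrap a REST call: refresh first if needed, then send the bearer token.
// Standard flow: updateToken() uses the refresh token. Implicit flow: there
// is no refresh token, updateToken() fails and the only option left is a
// redirect to the Keycloak login screen, so nothing is sent to the API.
async function callApi(keycloak, fetchImpl, url) {
  try {
    await keycloak.updateToken(MIN_VALIDITY_SECONDS);
  } catch (err) {
    keycloak.login();   // no refresh token (implicit flow) or refresh rejected
    return null;        // redirect in progress, nothing to send
  }
  return fetchImpl(url, { headers: { Authorization: `Bearer ${keycloak.token}` } });
}

// Constructed stand-in for an initialised adapter so the wrapper runs offline;
// `flow` mirrors the adapter's init option ('standard' or 'implicit').
function fakeAdapter(flow, secondsUntilExpiry) {
  const now = () => Math.floor(Date.now() / 1000);
  const kc = {
    token: 'access-1',
    tokenParsed: { exp: now() + secondsUntilExpiry },
    refreshToken: flow === 'standard' ? 'refresh-1' : undefined,
    loginCalls: 0,
    updateToken(minValidity) {
      if (!kc.refreshToken) return Promise.reject(new Error('no refresh token'));
      if (!needsRefresh(kc.tokenParsed, now(), minValidity)) return Promise.resolve(false);
      kc.token = 'access-2';                 // pretend Keycloak issued a new one
      kc.tokenParsed = { exp: now() + 300 };
      return Promise.resolve(true);
    },
    login() { kc.loginCalls += 1; },
  };
  return kc;
}

// Records what the "REST call" would have sent instead of hitting a network.
const fakeFetch = (url, opts) => Promise.resolve({ url, auth: opts.headers.Authorization });
```
<br>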
    <blockquote
cite="mid:8EE3449CB6463C4FB0544A12CEA72DD7DEC08C8F@iskexcemxprd02.virginblue.internal"
      type="cite">
      <pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
    </blockquote>
    <br>
  </body>
</html>