----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 21 November, 2013 3:24:25 PM
Subject: Re: [keycloak-dev] Cors origins in token
> We could:
> * Have a web-origin token that's stuffed in a custom header. We'd need
> to think about any security implications surrounding that.
I don't quite understand - would that not mean that the adapter would have to make
some request to Keycloak in the first place?
> * Have the adapter query the auth-server at boot time to get a list of
> allowed origins.
> A web-origin token might be best, then you can restrict a specific client
> to only be able to invoke on a subset of origins.
One thing I was wondering about in the past was if the adapter could retrieve a lot of the
configuration information at boot time (it could also refresh it at certain intervals).
Then all you'd need to add to the app to configure it would be client id and secret.
I'm not 100% sure whether or not it would be safe to retrieve the pub key this way though?
But it is retrieved over https, and if you can't trust the https connection and the
keycloak server are you not a bit f... anyway?
> On 11/21/2013 10:09 AM, Stian Thorgersen wrote:
>> Is it correct that the adapters only read allowed web origins from the
>> token? If so does that not mean that unless a user is authenticated CORS
>> won't be enabled? I don't think that'll work.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
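The failure mode Stian raises (origins read only from the token, so a CORS preflight with no bearer token can never be allowed) and Bill's second option (adapter fetches the allowed list at boot), side by side as a small constructed model. This is added illustration code, not Keycloak adapter code; the `allowed-origins` claim name, the boot-time list and the token contents are assumptions.

```python
import base64
import json

# Assumed: list the adapter would fetch from the auth-server at boot time (Bill's option 2).
BOOT_TIME_ORIGINS = {"https://app.example.com"}


def decode_claims(token):
    """Decode the payload of a constructed JWT-shaped token. No signature check: illustration only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def origin_from_token_only(request):
    """Token-only policy (Stian's question): origins exist only once a user is authenticated."""
    auth = request.get("authorization")
    if not auth:
        return None  # preflight or anonymous request: no token, so nothing to check against
    claims = decode_claims(auth[len("Bearer "):])
    origins = claims.get("allowed-origins", [])  # assumed claim name
    return request["origin"] if request["origin"] in origins else None


def origin_from_boot_list(request):
    """Boot-time list policy (Bill's option 2): the adapter knows the list before any login."""
    return request["origin"] if request["origin"] in BOOT_TIME_ORIGINS else None


def cors_headers(request, policy):
    """Return the CORS response headers a policy would emit for a request, or {} if refused."""
    origin = policy(request)
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def make_token(origins):
    """Build a constructed, unsigned JWT-shaped token carrying an allowed-origins claim."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'allowed-origins': origins})}."


# Constructed sample requests: a browser preflight (never carries a token) and an authenticated call.
PREFLIGHT = {"method": "OPTIONS", "origin": "https://app.example.com"}
AUTHED = {"method": "GET", "origin": "https://app.example.com",
          "authorization": "Bearer " + make_token(["https://app.example.com"])}
FOREIGN = dict(AUTHED, origin="https://other.example")
```

With the token-only policy the preflight gets no CORS headers at all, so the browser never sends the authenticated request; the boot-time list answers the preflight, while the token can still narrow a particular client to a subset of those origins.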