+1
On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops(a)gmail.com> wrote:
> If you ask me this is undocumented behaviour, and it's not secure so I'd
> just remove it.
>
> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas(a)redhat.com> wrote:
>
>> To me it looks like it is quite a security issue to use confidential
>> clients with javascript adapter. Isn't it kind of ok to break it for those
>> which are using it in that case?
>>
>> Michal
>>
>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops(a)gmail.com> wrote:
>>
>>> Sure, how about I whip up a PR much like this one
>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>> acceptable?
>>>
>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger(a)redhat.com>
>>> wrote:
>>>
>>>> That'd work. As it's not documented we can probably instead just log a
>>>> warning to the console?
>>>>
>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops(a)gmail.com> wrote:
>>>>
>>>>> We recently also deprecated non-native promises with the intent to
>>>>> remove this behavior in the future. Would it not then make sense to
>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>> considering this behavior is not very secure and just adds extra cruft to
>>>>> the adapter code.
>>>>>
>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> It might be there from the early days when we didn't have public
>>>>>> clients.
>>>>>> I'd probably just keep it in case someone is using it with a
>>>>>> confidential client as removing it would break it for them. Although
>>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>>> client-side app.
>>>>>>
>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas(a)redhat.com> wrote:
>>>>>>
>>>>>> > Hello,
>>>>>> >
>>>>>> > in the JavaScript adapter we have a possibility to configure a client
>>>>>> > secret [1] in order to use Basic authorization for requests to the
>>>>>> > token endpoint [2]. I haven't found any information in the docs about
>>>>>> > it and I don't understand why we have it there as public clients
>>>>>> > don't have secrets. Is this useful in some scenarios or should we
>>>>>> > remove it?
>>>>>> >
>>>>>> > Michal
>>>>>> >
>>>>>> > [1]
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>> > &
>>>>>> > <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...>
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>> >
>>>>>> > [2]
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>> > &
>>>>>> > <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...>
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>> > _______________________________________________
>>>>>> > keycloak-dev mailing list
>>>>>> > keycloak-dev(a)lists.jboss.org
>>>>>> >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>> >
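The configuration Michal's original mail asks about, as an added illustration that is not the Keycloak adapter's own code: the token-endpoint request built with and without a client secret, showing that the secret only ever becomes a Basic Authorization header sent from the browser, plus a helper that produces the console warning Stian proposes. The function names, `tokenUrl` field and sample values are assumptions made for this example.

```javascript
// Added example, not the Keycloak JS adapter's code. Illustrates why a
// client secret in browser-delivered configuration adds no security.

function toBase64(text) {
  // Node and browsers differ here; support both so the example runs in either.
  return typeof Buffer !== "undefined"
    ? Buffer.from(text, "utf8").toString("base64")
    : btoa(text);
}

// Build the authorization-code exchange for the token endpoint.
// Public client (no secret): client_id travels in the form body.
// Secret configured: adapter-style Basic authorization, i.e.
// base64(clientId:clientSecret) in the Authorization header.
function buildTokenRequest(config, code, redirectUri) {
  const params = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (config.clientSecret) {
    headers["Authorization"] =
      "Basic " + toBase64(`${config.clientId}:${config.clientSecret}`);
  } else {
    params.set("client_id", config.clientId);
  }
  return { url: config.tokenUrl, method: "POST", headers, body: params.toString() };
}

// Anything shipped to the browser is readable by every user of the page, so a
// secret here does not authenticate the client. Returns the warning text the
// adapter could log to the console, or null when no secret is configured.
function secretExposureWarning(config) {
  if (!config.clientSecret) return null;
  return (
    `Client secret for client '${config.clientId}' is present in browser ` +
    "configuration; it is visible to every user and does not authenticate " +
    "the client. Use a public client (no secret) for client-side apps."
  );
}

// Constructed sample configurations (placeholder values, not a real deployment).
const confidentialConfig = {
  tokenUrl: "https://idp.example/token", clientId: "spa", clientSecret: "s3cret",
};
const publicConfig = { tokenUrl: "https://idp.example/token", clientId: "spa" };

console.log(buildTokenRequest(confidentialConfig, "abc", "https://app.example/cb"));
console.log(secretExposureWarning(confidentialConfig));
```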