Re: [keycloak-dev] cors setup simplification?

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Tuesday, 20 May, 2014 3:07:52 PM > Subject: Re: [keycloak-dev] cors setup simplification? > > > > On 5/20/2014 9:33 AM, Stian Thorgersen wrote: >> I like the idea of not having to specify the web-origins, but I wonder if >> there are use-cases for having web-origins that can't be calculated from >> the redirect-uris. >> > > I just can't see a case for this. Let's just let users tell us we need > this control. Right now, the web origin is always set to the > protocol://hostname of the application or oauth client. > >> Also, the web-origins is used by Keycloak's own endpoints. In this case >> "Cross-Origin Tokens" doesn't make sense. >> > > You're talking about the Account Service correct? Well, I'm changing > that! :) How you implemented CORS support for the Account Service is > not how web-origins were intended to be used. > > Tokens are created for a specific client (app or oauth). The > web-origins for that issuedFor client are stuffed into the token created > specifically for that client. Basically, its saying this token is > allowed to come from this set of origins. > > What Web-Origins are not origin permissions for that application/client. > When you specify a web origin for the Account Service (or any other > application) in the admin console, this is not origins that are allowed > to call the account service! But instead, the origins allowed for token > requests made from tokens created for the Account Service. Am I making > sense? Yep, it makes more sense for the account service that way. I was thinking about token service though, both code->token and refresh-token are called from JS and need web-origins configured on them.