OK, I'll whip up a PR to make the change; I'll keep you posted here.

On Thu, Nov 7, 2019 at 2:19 PM Stian Thorgersen <sthorger(a)redhat.com> wrote:
+1

On Thu, 7 Nov 2019 at 14:13, Michal Hajas <mhajas(a)redhat.com> wrote:
> +1
>
> On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops(a)gmail.com> wrote:
>
>> If you ask me this is undocumented behaviour, and it's not secure so I'd
>> just remove it.
>>
>> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas(a)redhat.com> wrote:
>>
>>> To me it looks like it is quite a security issue to use confidential
>>> clients with the JavaScript adapter. Isn't it kind of OK to break it for
>>> those who are using it in that case?
>>>
>>> Michal
>>>
>>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops(a)gmail.com> wrote:
>>>
>>>> Sure, how about I whip up a PR much like this one
>>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>>> acceptable?
>>>>
>>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> That'd work. As it's not documented we can probably instead just log
>>>>> a warning to the console?
>>>>>
>>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops(a)gmail.com> wrote:
>>>>>
>>>>>> We recently also deprecated non-native promises with the intent to
>>>>>> remove this behavior in the future. Would it not then make sense to
>>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>>> considering this behavior is not very secure and just adds extra
>>>>>> cruft to the adapter code.
>>>>>>
>>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger(a)redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> It might be there from the early days when we didn't have public
>>>>>>> clients.
>>>>>>> I'd probably just keep it in case someone is using it with a
>>>>>>> confidential client as removing it would break it for them. Although
>>>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>>>> client-side app.
>>>>>>>
>>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas(a)redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> > Hello,
>>>>>>> >
>>>>>>> > in the JavaScript adapter we have a possibility to configure a
>>>>>>> > client secret [1] in order to use Basic authorization for requests
>>>>>>> > to the token endpoint [2]. I haven't found any information in the
>>>>>>> > docs about it and I don't understand why we have it there, as
>>>>>>> > public clients don't have secrets. Is this useful in some
>>>>>>> > scenarios, or should we remove it?
>>>>>>> >
>>>>>>> > Michal
>>>>>>> >
>>>>>>> > [1] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>>> >
>>>>>>> > [2] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>>> > _______________________________________________
>>>>>>> > keycloak-dev mailing list
>>>>>>> > keycloak-dev(a)lists.jboss.org
>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>> >
>>>>>>
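
An added example, not part of the thread and not Keycloak's adapter code: a sketch of the token request discussed above, with and without a configured client secret, showing the console warning suggested in the thread and why a secret sent with Basic authorization from the browser is not confidential. The helper names, config fields and all values are assumptions constructed for illustration; it runs under Node.js (a browser would use btoa/atob instead of Buffer).

```javascript
// Added illustration; buildTokenRequest and recoverBasicCredentials are
// hypothetical helpers, and all values below are constructed samples.

// Build the authorization-code exchange for the token endpoint.
function buildTokenRequest(config, code, warn = console.warn) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: config.redirectUri,
  });
  if (config.clientSecret) {
    // Confidential-client path: the secret ships to every browser with the
    // page's configuration, so it cannot authenticate the client.
    warn('clientSecret is set in a client-side app; use a public client instead');
    // Sample values contain no characters that need form-encoding first.
    const pair = `${config.clientId}:${config.clientSecret}`;
    headers.Authorization = 'Basic ' + Buffer.from(pair).toString('base64');
  } else {
    // Public client: identified by client_id only, no secret involved.
    params.set('client_id', config.clientId);
  }
  return { headers, body: params.toString() };
}

// Basic credentials are base64-encoded, not encrypted: whoever can read the
// request headers in the browser reads the secret as well.
function recoverBasicCredentials(authorization) {
  const [scheme, value] = authorization.split(' ');
  if (scheme !== 'Basic' || !value) return null;
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { clientId: decoded.slice(0, sep), clientSecret: decoded.slice(sep + 1) };
}

const base = { clientId: 'demo-app', redirectUri: 'https://app.example/callback' };
const withSecret = buildTokenRequest({ ...base, clientSecret: 'constructed-secret' }, 'sample-code');
console.log(recoverBasicCredentials(withSecret.headers.Authorization));
console.log(buildTokenRequest(base, 'sample-code').body);
```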