Re: [keycloak-dev] changes to admin ui login/bootstrap

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Thursday, 17 October, 2013 11:30:08 PM > Subject: Re: [keycloak-dev] changes to admin ui login/bootstrap > > > > On 10/17/2013 4:42 AM, Stian Thorgersen wrote: >> I strongly feel this is a mistake. We need to find a way to make the admin >> console use Keycloak without any hacks. In my opinion the admin console >> should use keycloak.js as it's a client-side application. For client-side >> applications the credentials should be public so can just be >> pre-configured to a well-known string. >> >> Safety of client-side applications are provided by two things: firstly the >> application credentials themselves don't give you any privileges, secondly >> the redirect uri should be verified by Keycloak preventing unauthorized >> use of the credentials. >> >> If we can't come up with a good and safe approach to using Keycloak with >> HTML5 and mobile applications the project is a huge fail! If we're not >> using it directly ourselves for our HTML5 console that doesn't sound right >> to me. >> > > #1 I want Keycloak ready to use out of the box and be as secure and > locked down as possible. This requirement may or may not effect the > implementation of the admin ui or admin REST interfaces. > > #2 We don't support CORS yet so doing keycloak.js approach is not an > option at the moment. I'm going to tackle that now as I don't think its > that much work and this would be a really cool core feature. I've already started work on keycloak.js + CORS support. As I mentioned on our Hangout having a good way to support HTML5 applications is a strong requirement for MBaaS so that is something I'm look at now