----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, February 23, 2015 4:24:04 PM
Subject: Re: [keycloak-dev] Keycloak.js is inefficient and can be improved
On 2/23/2015 9:38 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, February 23, 2015 3:34:12 PM
>> Subject: Re: [keycloak-dev] Keycloak.js is inefficient and can be improved
>>
>> Verifying the token would be a must for implicit flow, IMO. Not so much
>> for access code flow though.
>
> Should we add support for implicit flow?
>
No, as it looks like implicit flow can leak access tokens into the
browser history which could lead to accidental bookmarks or rogue
scripts looking at browser history. Code is protected as the code can
only be used once, so if it leaks there's not much you can do about it.
Especially if you enforce CORS origin validation (which I don't think
we do right now).
I agree, but we often get requests for it, so I was wondering if we should make an option
on the realm to enable it.
We only allow CORS origins that have been explicitly configured for the application.
>>
>> For access code flow it is not really possible to fool the javascript
>> provider because of the "state" parameter, and obtaining an access token
>> happens out of band.
>
> We support passing tokens to keycloak.js to initialize it, but not sure if
> that could be exploited
>
Not sure what that feature is or if it should even be supported. Sounds
close to what the implicit flow is.
Nothing like implicit. Basically the idea was that someone could store the refresh token
in HTML5 local or session storage and then use it to re-initialize keycloak.js when the
page is refreshed.
One issue with keycloak.js is that every time you refresh the page the app is re-logged-in
(creating a new client session), same if you have multiple tabs open. I was thinking we
should introduce an option to allow storing the refresh token in html5 storage to prevent
this. We could also store the token, which would be useful to prevent refreshing the token
multiple times if there's multiple tabs open to the same app.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com