Verifying the token would be a must for implicit flow, IMO. Not so much
for access code flow though.
For access code flow it is not really possible to fool the javascript
provider because of the "state" parameter, and obtaining an access token
happens out of band.
On 2/23/2015 9:26 AM, Stian Thorgersen wrote:
Looks pretty cool.
I was wondering if we should verify the token in keycloak.js, not sure if it's
necessary, but if someone could pass an invalid token to keycloak.js somehow they could
potentially fool it into using it
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, February 9, 2015 11:51:04 PM
> Subject: [keycloak-dev] Keycloak.js is inefficient and can be improved
>
> I had a good discussion on OAuth list about javascript and implicit flow
> vs. auth-code flow. It was pointed out that auth-code flow has some
> extra hops that can be avoided if you implement "response_mode=fragment".
>
> See this:
>
>
https://issues.jboss.org/browse/KEYCLOAK-1033
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com