Ok, I'll whip up a PR to make the change; I'll keep you
posted here.
On Thu, Nov 7, 2019 at 2:19 PM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> +1
>
> On Thu, 7 Nov 2019 at 14:13, Michal Hajas <mhajas(a)redhat.com> wrote:
>
>> +1
>>
>> On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops(a)gmail.com> wrote:
>>
>>> If you ask me this is undocumented behaviour, and it's not secure so
>>> I'd just remove it.
>>>
>>> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas(a)redhat.com> wrote:
>>>
>>>> To me it looks like it is quite a security issue to use confidential
>>>> clients with javascript adapter. Isn't it kind of ok to break it for
>>>> those which are using it in that case?
>>>>
>>>> Michal
>>>>
>>>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops(a)gmail.com> wrote:
>>>>
>>>>> Sure, how about I whip a PR much like this one
>>>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>>>> acceptable?
>>>>>
>>>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> That'd work. As it's not documented we can probably instead just log
>>>>>> a warning to the console?
>>>>>>
>>>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops(a)gmail.com> wrote:
>>>>>>
>>>>>>> We recently also deprecated non-native promises with the intent to
>>>>>>> remove this behavior in the future. Would it not then make sense to
>>>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>>>> considering this behavior is not very secure and just adds extra
>>>>>>> cruft to the adapter code.
>>>>>>>
>>>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger(a)redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> It might be there from the early days when we didn't have public
>>>>>>>> clients.
>>>>>>>> I'd probably just keep it in case someone is using it with a
>>>>>>>> confidential client as removing it would break it for them. Although
>>>>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>>>>> client-side app.
>>>>>>>>
>>>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas(a)redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> > Hello,
>>>>>>>> >
>>>>>>>> > in Javascript adapter we have a possibility to configure a
>>>>>>>> > client secret [1] in order to use Basic authorization for requests
>>>>>>>> > for token endpoint [2]. I haven't found any information in docs
>>>>>>>> > about it and I don't understand why we have it there as public
>>>>>>>> > clients don't have secrets. Is this useful in some scenarios or
>>>>>>>> > we should remove it?
>>>>>>>> >
>>>>>>>> > Michal
>>>>>>>> >
>>>>>>>> > [1]
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>>>> > &
>>>>>>>> > <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...>
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>>>> >
>>>>>>>> > [2]
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>>>> > &
>>>>>>>> > <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...>
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>>>>>> > _______________________________________________
>>>>>>>> > keycloak-dev mailing list
>>>>>>>> > keycloak-dev(a)lists.jboss.org
>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>> >
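As an added illustration of the option discussed in the thread (this is not the Keycloak adapter's own code): a helper that builds the token-endpoint request for a browser-based client and, when a client secret is configured, emits the console warning Stian suggested instead of silently sending the `Authorization: Basic` header. The config keys `clientSecret` and `tokenUrl` are assumed names, and the sample configs are constructed for the check at the bottom.

```javascript
// Added example: token-endpoint request builder for a browser OIDC client
// that deprecates the client-secret path. `clientSecret` / `tokenUrl` are
// assumed config keys, not the adapter's real ones.

function buildTokenRequest(config, params, logger = console) {
  const body = new URLSearchParams({
    grant_type: params.grantType,
    client_id: config.clientId,
    ...(params.extra || {}),
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const warnings = [];

  if (config.clientSecret) {
    // A secret embedded in a script served to the browser is readable by
    // every user (page source, devtools, network tab), so the Basic header
    // adds no real client authentication. Keep the behaviour for now so
    // existing deployments do not break, but warn so it can be removed later.
    warnings.push(
      'clientSecret is deprecated in the JavaScript adapter: a secret in ' +
      'client-side code is public. Configure the client as public instead.'
    );
    headers.Authorization =
      'Basic ' + btoa(config.clientId + ':' + config.clientSecret);
  }

  for (const w of warnings) logger.warn(w);
  return {
    url: config.tokenUrl,
    method: 'POST',
    headers,
    body: body.toString(),
    warnings,
  };
}

// Constructed sample configs (not real deployments) for a quick check.
const publicCfg = {
  clientId: 'spa',
  tokenUrl: 'https://idp.example/realms/demo/protocol/openid-connect/token',
};
const legacyCfg = { ...publicCfg, clientSecret: 'not-so-secret' };
```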