I'm a bit on the fence. We could just break it and document it in update +
release notes to give folks a heads up.
On Thu, 7 Nov 2019 at 14:08, Michal Hajas <mhajas(a)redhat.com> wrote:
To me it looks like it is quite a security issue to use confidential
clients with javascript adapter. Isn't it kind of ok to break it for those
which are using it in that case?
Michal
On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops(a)gmail.com> wrote:
> Sure, how about I whip up a PR much like this one
> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
> acceptable?
>
> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> That'd work. As it's not documented we can probably instead just log a
>> warning to the console?
>>
>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops(a)gmail.com> wrote:
>>
>>> We recently also deprecated non-native promises with the intent to
>>> remove this behavior in the future. Would it not then make sense to
>>> deprecate this behavior now and remove it eventually? Especially
>>> considering this behavior is not very secure and just adds extra cruft to
>>> the adapter code.
>>>
>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger(a)redhat.com>
>>> wrote:
>>>
>>>> It might be there from the early days when we didn't have public
>>>> clients.
>>>> I'd probably just keep it in case someone is using it with a
>>>> confidential client as removing it would break it for them. Although
>>>> strictly speaking you shouldn't use a confidential client with a
>>>> client-side app.
>>>>
>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas(a)redhat.com> wrote:
>>>>
>>>> > Hello,
>>>> >
>>>> > in the JavaScript adapter we have the possibility to configure a
>>>> > client secret [1] in order to use Basic authorization for requests to
>>>> > the token endpoint [2]. I haven't found any information in the docs
>>>> > about it and I don't understand why we have it there, as public
>>>> > clients don't have secrets. Is this useful in some scenarios or should
>>>> > we remove it?
>>>> >
>>>> > Michal
>>>> >
>>>> > [1]
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>> > &
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>> >
>>>> > [2]
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>> > &
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/mai...
>>>> > _______________________________________________
>>>> > keycloak-dev mailing list
>>>> > keycloak-dev(a)lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> >
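Added illustration for the point Michal and Stian make above (not Keycloak adapter code, and not written by anyone in the thread): what a client secret configured in a browser-side adapter actually buys you, side by side with the public-client request, plus the console-warning deprecation path Stian suggests. The config shape (`clientId`, `credentials.secret`), the request layout and the sample values are assumptions made for this example.

```javascript
// Added example for the keycloak-dev discussion above. Not Keycloak code.
// Assumed config shape: { clientId, credentials: { secret } }.

// Token-endpoint request as a *confidential* client sends it: the secret
// goes into an HTTP Basic Authorization header, base64(client_id:secret).
function buildConfidentialTokenRequest(config, code, redirectUri) {
  const pair = `${config.clientId}:${config.credentials.secret}`;
  const basic = Buffer.from(pair, 'utf8').toString('base64');
  return {
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      code,
      redirect_uri: redirectUri,
    }).toString(),
  };
}

// The same request as a *public* client sends it: client_id in the body,
// no credential at all. This is the only honest shape for a browser app.
function buildPublicTokenRequest(config, code, redirectUri) {
  return {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: config.clientId,
      code,
      redirect_uri: redirectUri,
    }).toString(),
  };
}

// What any user of the page can do from the network tab or the served JS:
// Basic auth is an encoding, not encryption, so the "secret" falls out.
function recoverSecretFromHeader(authorizationHeader) {
  const [scheme, encoded] = authorizationHeader.split(' ');
  if (scheme !== 'Basic' || !encoded) return null;
  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return { clientId: decoded.slice(0, idx), secret: decoded.slice(idx + 1) };
}

// Deprecation path proposed in the thread: keep the option working for
// anyone relying on it, but log a warning so they get a heads-up.
function checkClientConfig(config, warn = console.warn) {
  const secret = config.credentials && config.credentials.secret;
  if (!secret) return { usesSecret: false, warned: false };
  warn(
    `[adapter] client '${config.clientId}' is configured with a client secret. ` +
      'A secret shipped to the browser is readable by every user of the page; ' +
      'use a public client instead. Configuring a secret in the JavaScript ' +
      'adapter is deprecated and will be removed in a future release.'
  );
  return { usesSecret: true, warned: true };
}

// Constructed sample configuration; the secret is a placeholder, not real.
const sampleConfig = {
  clientId: 'spa-demo',
  credentials: { secret: 'not-really-secret' },
};

// Stand-alone demo: show the header, recover the secret from it, and warn.
const demoRequest = buildConfidentialTokenRequest(sampleConfig, 'AUTHCODE', 'https://app.example/cb');
console.log('header sent by the browser:', demoRequest.headers.Authorization);
console.log('recovered by anyone who sees it:', recoverSecretFromHeader(demoRequest.headers.Authorization));
checkClientConfig(sampleConfig);
```

The recovery step is the whole argument: whatever value is placed in `credentials.secret` is shipped to the client and handed back in a header that decodes in one line, so it adds no authentication strength over a public client while giving the impression that it does. The warning keeps existing deployments running, which is the trade-off being weighed in the thread.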