We could:
* Have a web-origin token that's stuffed in a custom header. We'd need
to think about any security implications surrounding that.
* Have the adapter query the auth-server at boot time to get a list of
allowed origins.
A web-origin token might be best; then you can restrict a specific client
to only be able to invoke on a subset of origins.

On 11/21/2013 10:09 AM, Stian Thorgersen wrote:
> Is it correct that the adapters only read allowed web origins from
> the token? If so, does that not mean that unless a user is
> authenticated CORS won't be enabled? I don't think that'll work.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
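
The following is an added example, not part of the thread and not Keycloak adapter code. It models the concern raised above: a browser's CORS preflight carries no Authorization header, so an adapter that learns allowed origins only from the token rejects it, while a list fetched at boot time answers it. The claim name "allowed-origins", the function names, and the rule that a token narrows the boot-time list are assumptions made for illustration.

```python
from typing import Iterable, Optional

ORIGINS_CLAIM = "allowed-origins"   # assumed name of the token claim listing web origins
ALLOWED_METHODS = "GET, POST, PUT, DELETE"


def allowed_origins(token_claims: Optional[dict],
                    boot_origins: Optional[Iterable[str]]) -> set:
    """Origins the adapter accepts for this request."""
    from_token = set(token_claims.get(ORIGINS_CLAIM, [])) if token_claims else None
    if boot_origins is None:          # token-only adapter: no token means no origins
        return from_token or set()
    from_boot = set(boot_origins)
    if from_token is None:            # unauthenticated request, e.g. a preflight
        return from_boot
    return from_boot & from_token     # assumed rule: the token narrows the boot list


def cors_headers(request_headers: dict,
                 token_claims: Optional[dict] = None,
                 boot_origins: Optional[Iterable[str]] = None) -> dict:
    """Return CORS response headers, or {} when the origin is not allowed."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins(token_claims, boot_origins):
        return {}
    # Echo the exact matched origin, never "*", and vary the cache on it.
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if "Access-Control-Request-Method" in request_headers:   # preflight (OPTIONS)
        headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS
        headers["Access-Control-Allow-Headers"] = "Authorization"
    return headers


# Constructed sample requests (header names as a browser would send them).
APP = "https://app.example.com"
PREFLIGHT = {"Origin": APP, "Access-Control-Request-Method": "GET",
             "Access-Control-Request-Headers": "authorization"}
AUTHED_GET = {"Origin": APP, "Authorization": "Bearer <constructed>"}
CLAIMS = {ORIGINS_CLAIM: [APP]}
BOOT_LIST = [APP, "https://admin.example.com"]

if __name__ == "__main__":
    print("token-only, preflight :", cors_headers(PREFLIGHT))
    print("token-only, with token:", cors_headers(AUTHED_GET, CLAIMS))
    print("boot list, preflight  :", cors_headers(PREFLIGHT, boot_origins=BOOT_LIST))
```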