On 5/20/2014 10:34 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 20 May, 2014 3:31:47 PM
> Subject: Re: [keycloak-dev] cors setup simplification?
>
>
>
> On 5/20/2014 10:19 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Tuesday, 20 May, 2014 3:07:52 PM
>>> Subject: Re: [keycloak-dev] cors setup simplification?
>>>
>>>
>>>
>>> On 5/20/2014 9:33 AM, Stian Thorgersen wrote:
>>>> I like the idea of not having to specify the web-origins, but I wonder if
>>>> there are use-cases for having web-origins that can't be calculated from
>>>> the redirect-uris.
>>>>
>>>
>>> I just can't see a case for this. Let's just let users tell us we need
>>> this control. Right now, the web origin is always set to the
>>> protocol://hostname of the application or oauth client.
>>>
>>>> Also, the web-origins are used by Keycloak's own endpoints. In this case
>>>> "Cross-Origin Tokens" doesn't make sense.
>>>>
>>>
>>> You're talking about the Account Service correct? Well, I'm changing
>>> that! :) How you implemented CORS support for the Account Service is
>>> not how web-origins were intended to be used.
>>>
>>> Tokens are created for a specific client (app or oauth). The
>>> web-origins for that issuedFor client are stuffed into the token created
>>> specifically for that client. Basically, it's saying this token is
>>> allowed to come from this set of origins.
>>>
>>> Web-Origins are not origin permissions for that application/client.
>>> When you specify a web origin for the Account Service (or any other
>>> application) in the admin console, these are not the origins that are
>>> allowed to call the account service! But instead, the origins allowed for
>>> token requests made from tokens created for the Account Service. Am I
>>> making sense?
>>
>> Yep, it makes more sense for the account service that way. I was thinking
>> about token service though, both code->token and refresh-token are called
>> from JS and need web-origins configured on them.
>>
>
> All the token service is doing is verifying that a code->token
> refresh-token request for that client is coming from the configured
> origin of that client.
>
> Ah, I think I have a better explanation. The Web-Origin setting for an
> application is just the Origin of the application. Nothing else.
The origin of the application making the request right?

Nothing to do with the request. It is just the origin of the application.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
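The behaviour Bill describes above (the client's web-origin is just its own origin, derivable from its redirect-uris, and the token service only checks that a code->token or refresh-token request arrives from that origin), as an added illustration that is not Keycloak's code. The function names, the claim layout and the client data below are assumptions made up for the example.

```python
from typing import Dict, Iterable, Optional, Set
from urllib.parse import urlsplit


def origin_of(uri: str) -> Optional[str]:
    """Reduce a URL to its origin (scheme://host[:port]); default ports are dropped.
    Returns None for anything that is not an http(s) URL, including the literal 'null'."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port
    default = {"http": 80, "https": 443}[parts.scheme]
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def web_origins_from_redirect_uris(redirect_uris: Iterable[str]) -> Set[str]:
    """The simplification discussed in the thread: the allowed origins are exactly
    the protocol://hostname of the client's registered redirect-uris."""
    return {o for o in (origin_of(u) for u in redirect_uris) if o}


def token_claims_for_client(client_id: str, redirect_uris: Iterable[str]) -> Dict:
    """Token contents for the issuedFor client; the origins travel inside the token
    (constructed claim layout, not Keycloak's actual token format)."""
    return {"issuedFor": client_id,
            "allowed-origins": sorted(web_origins_from_redirect_uris(redirect_uris))}


def cors_headers_for_token_request(token: Dict, request_headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Token-service check for a code->token / refresh-token call made from JS.
    Returns the CORS headers to add, {} when no Origin was sent (not a cross-origin
    browser request), or None when the origin is not one the token allows."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    normalized = origin_of(origin)
    if normalized is None or normalized not in set(token["allowed-origins"]):
        return None
    return {"Access-Control-Allow-Origin": origin,   # echo the single matching origin, never '*'
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    # constructed client registration
    tok = token_claims_for_client("my-app", ["https://App.Example.com:443/cb/*", "http://localhost:8080/*"])
    print(tok["allowed-origins"])
    print(cors_headers_for_token_request(tok, {"Origin": "https://app.example.com"}))
```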