Re: [keycloak-dev] cors setup simplification?

From: "Bill Burke" <bburke(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 20 May, 2014 3:19:56 PM Subject: Re: [keycloak-dev] cors setup simplification? On 5/20/2014 10:07 AM, Bill Burke wrote: > > > On 5/20/2014 9:33 AM, Stian Thorgersen wrote: >> I like the idea of not having to specify the web-origins, but I wonder if >> there are use-cases for having web-origins that can't be calculated from >> the redirect-uris. >> > > I just can't see a case for this. Let's just let users tell us we need > this control. Right now, the web origin is always set to the > protocol://hostname of the application or oauth client. > >> Also, the web-origins is used by Keycloak's own endpoints. In this case >> "Cross-Origin Tokens" doesn't make sense. >> > > You're talking about the Account Service correct? Well, I'm changing > that! :) How you implemented CORS support for the Account Service is > not how web-origins were intended to be used. > > Tokens are created for a specific client (app or oauth). The > web-origins for that issuedFor client are stuffed into the token created > specifically for that client. Basically, its saying this token is > allowed to come from this set of origins. > > What Web-Origins are not origin permissions for that application/client. > When you specify a web origin for the Account Service (or any other > application) in the admin console, this is not origins that are allowed > to call the account service! But instead, the origins allowed for token > requests made from tokens created for the Account Service. Am I making > sense? > Ugh, let me reword last paragraph: Web-origin setting is not a set of origin permissions for an applicatin/client. For example, the account service's web-origin setting is not the origins that are allowed to call the account service! Tokens are always created for a specific client (issuedFor). The client's web origin setting is just information that is stuffed into the token when it is created.

-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev