7:22 p.m.
Hi All,
We're looking to start rolling the Keycloak OIDC flow out to some
client-side Javascript applications, and I came across a question in coming
up to speed on OIDC. You state in your docs
<https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
that the Javascript adapter is intended for client-side use:
Keycloak comes with a client-side JavaScript library that can be used to
secure HTML5/JavaScript applications.
The docs also state that the default flow for this adapter is the
Authorization Code flow:
By default, the JavaScript adapter uses the Authorization Code
However, the OIDC spec
<http://openid.net/specs/openid-connect-core-1_0.html> says (section 3.1):
...The Authorization Code flow is suitable for Clients that can securely
maintain a Client Secret between themselves and the Authorization
Server.
And again echoes the sentiment using the non-requisite MAY language in
section 15.4:
In general, it is up to Relying Parties which features they use when
interacting with OpenID Providers. However, some choices are dictated
by
the nature of their OAuth Client, such as whether it is a Confidential
Client, capable of keeping secrets, in which case the Authorization Code
Flow may be appropriate, or whether it is a Public Client, for instance, a
User Agent Based Application or a statically registered Native Application,
in which case the Implicit Flow may be appropriate.
I'm aware that public clients who do not present a client secret are
allowed under the OAuth spec <https://tools.ietf.org/html/rfc6749>;, and
that these are often the type of javascript client that Keycloak sets up
with the authorization code flow. What's more, I understand that the
client secret is most commonly the reason cited for the client/server
distinction with respect to flows.
However, I was curious as to why the authorization code flow remains the
default setting for Javascript applications. Isn't the refresh token also
considered a form of a 'secret' since it's a long-lived mechanism whereby
additional access/identity tokens can be retrieved? Why would the default
setting *not* be implicit here? Could you help me understand why the
authorization code flow was chosen as the default?
Thanks in advance!
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
8:37 a.m.
With Implicit flow it's usual to have a long expiration on access tokens as
there is no refresh token. Once the access token is expired you're left
with having to do the whole OAuth redirect dance again to obtain a new
token. What's even worse is that if you have long lived access tokens
there's potentially a longer time between the verification of
the access token directly with Keycloak, which means that an access token
could potentially be used long after the session has been removed.
With that in mind having short lived access tokens with a refresh token is
better in our opinion even for public clients.
On 12 July 2016 at 19:22, Josh Cain <josh.cain(a)redhat.com> wrote:
Hi All,
We're looking to start rolling the Keycloak OIDC flow out to some
client-side Javascript applications, and I came across a question in coming
up to speed on OIDC. You state in your docs
<https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
that the Javascript adapter is intended for client-side use:
Keycloak comes with a client-side JavaScript library that can be used to
> secure HTML5/JavaScript applications.
>
The docs also state that the default flow for this adapter is the
Authorization Code flow:
By default, the JavaScript adapter uses the Authorization Code
> <http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth> flow.
>
However, the OIDC spec
<http://openid.net/specs/openid-connect-core-1_0.html> says (section 3.1):
...The Authorization Code flow is suitable for Clients that can securely
> maintain a Client Secret between themselves and the Authorization Server.
>
And again echoes the sentiment using the non-requisite MAY language in
section 15.4:
In general, it is up to Relying Parties which features they use when
> interacting with OpenID Providers. However, some choices are dictated by
> the nature of their OAuth Client, such as whether it is a Confidential
> Client, capable of keeping secrets, in which case the Authorization Code
> Flow may be appropriate, or whether it is a Public Client, for instance, a
> User Agent Based Application or a statically registered Native Application,
> in which case the Implicit Flow may be appropriate.
>
I'm aware that public clients who do not present a client secret are
allowed under the OAuth spec <https://tools.ietf.org/html/rfc6749>;, and
that these are often the type of javascript client that Keycloak sets up
with the authorization code flow. What's more, I understand that the
client secret is most commonly the reason cited for the client/server
distinction with respect to flows.
However, I was curious as to why the authorization code flow remains the
default setting for Javascript applications. Isn't the refresh token also
considered a form of a 'secret' since it's a long-lived mechanism whereby
additional access/identity tokens can be retrieved? Why would the default
setting *not* be implicit here? Could you help me understand why the
authorization code flow was chosen as the default?
Thanks in advance!
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:19 p.m.
Thanks for the quick response Stian! Still getting my feet wet with OIDC,
so please bear with me as I try to reconcile what I'm reading @ the spec
with the Keycloak implementation. A few questions on your response:
You say that it's 'usual' for these access tokens to have a long lifespan
with implicit flow. How does that interact with the general guideline in
section 16.18 of the spec when it says:
Access Tokens might not be revocable by the Authorization Server. Access
Token lifetimes SHOULD therefore be kept to single use or very short
lifetimes.
I would agree that a long-lived refresh token is indeed much preferred to
doing something like extending the lifetime of an access token. However,
is 'the OAuth redirect dance' the only alternative? I know that Keycloak's
identity/session cookies will have been issued at this point - would it be
possible to use something like an iFrame to refresh a short-lived access
token?
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
On Wed, Jul 13, 2016 at 1:37 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
With Implicit flow it's usual to have a long expiration on access
tokens
as there is no refresh token. Once the access token is expired you're left
with having to do the whole OAuth redirect dance again to obtain a new
token. What's even worse is that if you have long lived access tokens
there's potentially a longer time between the verification of
the access token directly with Keycloak, which means that an access token
could potentially be used long after the session has been removed.
With that in mind having short lived access tokens with a refresh token is
better in our opinion even for public clients.
On 12 July 2016 at 19:22, Josh Cain <josh.cain(a)redhat.com> wrote:
> Hi All,
>
> We're looking to start rolling the Keycloak OIDC flow out to some
> client-side Javascript applications, and I came across a question in coming
> up to speed on OIDC. You state in your docs
>
<https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
> that the Javascript adapter is intended for client-side use:
>
> Keycloak comes with a client-side JavaScript library that can be used to
>> secure HTML5/JavaScript applications.
>>
>
> The docs also state that the default flow for this adapter is the
> Authorization Code flow:
>
> By default, the JavaScript adapter uses the Authorization Code
>> <http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth>
>> flow.
>>
>
> However, the OIDC spec
> <http://openid.net/specs/openid-connect-core-1_0.html> says (section
> 3.1):
>
> ...The Authorization Code flow is suitable for Clients that can securely
>> maintain a Client Secret between themselves and the Authorization Server.
>>
>
> And again echoes the sentiment using the non-requisite MAY language in
> section 15.4:
>
> In general, it is up to Relying Parties which features they use when
>> interacting with OpenID Providers. However, some choices are dictated by
>> the nature of their OAuth Client, such as whether it is a Confidential
>> Client, capable of keeping secrets, in which case the Authorization Code
>> Flow may be appropriate, or whether it is a Public Client, for instance, a
>> User Agent Based Application or a statically registered Native Application,
>> in which case the Implicit Flow may be appropriate.
>>
>
> I'm aware that public clients who do not present a client secret are
> allowed under the OAuth spec <https://tools.ietf.org/html/rfc6749>;, and
> that these are often the type of javascript client that Keycloak sets up
> with the authorization code flow. What's more, I understand that the
> client secret is most commonly the reason cited for the client/server
> distinction with respect to flows.
>
> However, I was curious as to why the authorization code flow remains the
> default setting for Javascript applications. Isn't the refresh token also
> considered a form of a 'secret' since it's a long-lived mechanism
whereby
> additional access/identity tokens can be retrieved? Why would the default
> setting *not* be implicit here? Could you help me understand why the
> authorization code flow was chosen as the default?
>
> Thanks in advance!
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
9:16 a.m.
Using authorization code flow with public clients in Keycloak:
* Allows short expiration on access tokens
* Our JavaScript adapter doesn't store the refresh token and it's only kept
in memory for the specific tab
* Refresh tokens are tied to a session which have idle timeout
Access token is set to expire in 5 min by default, but a lot of damage can
still be done in 5 min so it needs to be kept secure. Refresh token is
obviously worse as it, but by default the user session will expire if idle
for 30 min so all refresh tokens will be invalid shortly after the user
leaves the browser.
Google for instance issues an access token with 60 minutes expiration this
is far worse than what we do in Keycloak as the token can't be revoked.
Applications are not required to check with Google if the token is still
valid, so there's a window of 60 minutes where it would be rather hard to
block miss-use. It's actually common for social networks at least to issue
fairly long expiration times (an hour or so) when using the implicit flow.
You could in theory use an embedded iframe to obtain a new access token
once it's expired, but this is relatively tricky to get right as there's
quite a lot of potentially vulnerabilities which is why we by default block
all use of iframes. Any malicious injected code that manages to get the
refresh token from the tab window would also be able to use the embedded
iframe to obtain a new access token.
There is a spec that allows authenticating public clients. I couldn't find
it right now, but probably something worth considering to add.
On 18 July 2016 at 19:19, Josh Cain <josh.cain(a)redhat.com> wrote:
Thanks for the quick response Stian! Still getting my feet wet with
OIDC,
so please bear with me as I try to reconcile what I'm reading @ the spec
with the Keycloak implementation. A few questions on your response:
You say that it's 'usual' for these access tokens to have a long lifespan
with implicit flow. How does that interact with the general guideline in
section 16.18 of the spec when it says:
Access Tokens might not be revocable by the Authorization Server. Access
> Token lifetimes SHOULD therefore be kept to single use or very short
> lifetimes.
I would agree that a long-lived refresh token is indeed much preferred to
doing something like extending the lifetime of an access token. However,
is 'the OAuth redirect dance' the only alternative? I know that Keycloak's
identity/session cookies will have been issued at this point - would it be
possible to use something like an iFrame to refresh a short-lived access
token?
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
On Wed, Jul 13, 2016 at 1:37 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> With Implicit flow it's usual to have a long expiration on access tokens
> as there is no refresh token. Once the access token is expired you're left
> with having to do the whole OAuth redirect dance again to obtain a new
> token. What's even worse is that if you have long lived access tokens
> there's potentially a longer time between the verification of
> the access token directly with Keycloak, which means that an access token
> could potentially be used long after the session has been removed.
>
> With that in mind having short lived access tokens with a refresh token
> is better in our opinion even for public clients.
>
> On 12 July 2016 at 19:22, Josh Cain <josh.cain(a)redhat.com> wrote:
>
>> Hi All,
>>
>> We're looking to start rolling the Keycloak OIDC flow out to some
>> client-side Javascript applications, and I came across a question in coming
>> up to speed on OIDC. You state in your docs
>>
<https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...
>> that the Javascript adapter is intended for client-side use:
>>
>> Keycloak comes with a client-side JavaScript library that can be used to
>>> secure HTML5/JavaScript applications.
>>>
>>
>> The docs also state that the default flow for this adapter is the
>> Authorization Code flow:
>>
>> By default, the JavaScript adapter uses the Authorization Code
>>> <http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth>
>>> flow.
>>>
>>
>> However, the OIDC spec
>> <http://openid.net/specs/openid-connect-core-1_0.html> says (section
>> 3.1):
>>
>> ...The Authorization Code flow is suitable for Clients that can securely
>>> maintain a Client Secret between themselves and the Authorization Server.
>>>
>>
>> And again echoes the sentiment using the non-requisite MAY language in
>> section 15.4:
>>
>> In general, it is up to Relying Parties which features they use when
>>> interacting with OpenID Providers. However, some choices are dictated by
>>> the nature of their OAuth Client, such as whether it is a Confidential
>>> Client, capable of keeping secrets, in which case the Authorization Code
>>> Flow may be appropriate, or whether it is a Public Client, for instance, a
>>> User Agent Based Application or a statically registered Native Application,
>>> in which case the Implicit Flow may be appropriate.
>>>
>>
>> I'm aware that public clients who do not present a client secret are
>> allowed under the OAuth spec <https://tools.ietf.org/html/rfc6749>;, and
>> that these are often the type of javascript client that Keycloak sets up
>> with the authorization code flow. What's more, I understand that the
>> client secret is most commonly the reason cited for the client/server
>> distinction with respect to flows.
>>
>> However, I was curious as to why the authorization code flow remains the
>> default setting for Javascript applications. Isn't the refresh token also
>> considered a form of a 'secret' since it's a long-lived mechanism
whereby
>> additional access/identity tokens can be retrieved? Why would the default
>> setting *not* be implicit here? Could you help me understand why the
>> authorization code flow was chosen as the default?
>>
>> Thanks in advance!
>>
>> Josh Cain | Software Applications Engineer
>> *Identity and Access Management*
>> *Red Hat*
>> +1 843-737-1735
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
2898
days inactive
2906
days old
3 comments
2 participants
participants (2)
-
Josh Cain -
Stian Thorgersen