4:49 p.m.
If your server-side components are all REST-based, I suggest using
bearer token auth for them and obtaining the token via the keycloak.js
adapter. Again, k_query_bearer_token auth is vulnerable to CSRF right now.
On 1/7/2015 5:25 PM, Hubert Przybysz wrote:
Thanks for the heads-up. I'll take a closer look at the
javascript adapter.
FYI, I've found the k_query_bearer_token request quite useful for a web
app that uses a mix of server-side and javascript components.
On Wed, Jan 7, 2015 at 4:00 PM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>> wrote:
You probably should not be using the k_query_bearer_token request.
I'm thinking of removing it because it is vulnerable to CSRF
attacks. Instead use keycloak.js for javascript apps.
On 1/7/2015 9:29 AM, Hubert Przybysz wrote:
The token is indeed updated automatically when it is requested.
I was
rather wondering if there was a way to not have to request it
prior to
each AJAX request. Currently, since the application does not
know when
the token expires, it has to either get it prior to each AJAX
request,
or try to use a possibly stale token and request it again when
it gets a
401 from the REST service. It would be nice to get information about
token expiry together with the token in response to
k_query_bearer_token
request.
On Wed, Jan 7, 2015 at 3:11 PM, Bill Burke <bburke(a)redhat.com
<mailto:bburke@redhat.com>
<mailto:bburke@redhat.com <mailto:bburke@redhat.com>>> wrote:
IIRC, if you're using the correct APIs (in Javascript or on
the server
side), the token will be automatically updated for you when you
request it.
On 1/7/2015 4:06 AM, Hubert Przybysz wrote:
> Hi,
>
> My jee web application uses its bearer token when
issuing AJAX
requests
> to other REST services within the realm (but at different
origins). It
> does it by reading the exposed bearer token prior to
making an AJAX
> request. Is there a mechanism by which the application
may find
out when
> the bearer token is refreshed, to make it possible to
read the bearer
> token only when needed ?
>
> Br / Hubert.
>
>
> _________________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
> https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_________________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.__jboss.org
<mailto:keycloak-user@lists.jboss.org>>
https://lists.jboss.org/__mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com