Hi,


I am experimenting with Keycloak to evaluate its suitability for our application. Here is one of my experiments, which got me worried:


I created a simple page (see attached), deployed it on Tomcat and registered it in Keycloak as a confidential client. As you can see, the page contains a button, clicking on which executes a simple XHR request. Notice that the XHR request doesn't contain an Authorization header. On submission of my page URL I am redirected to Keycloak for authentication. After authentication I can submit XHR requests at will.


Now I copied my page and deployed the copy on the same Tomcat as a different, totally unsecured application. If I open this page in another browser tab and click on the XHR button, it will go through without any problem. It looks to me like a typical CSRF case. Am I missing something here?


Thanks.

Ilia
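The situation in the post, a cookie-authenticated XHR endpoint that any page the browser loads can call, is usually addressed on the server by accepting a state-changing request only when it carries something a foreign page cannot attach (a bearer token, or an Origin/Sec-Fetch-Site header matching the application's own origin). The following is an added example of such a check, not code from the post or from Keycloak; the function and header-handling names are hypothetical and the request objects are constructed.

```javascript
// Added example (not from the original post or from Keycloak): a request
// admission check for an endpoint that is otherwise authenticated only by a
// session cookie. Hypothetical names; the request shape {method, headers} is
// assumed to be what the server framework hands a filter.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Header names are case-insensitive; normalise once so lookups are simple.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns { allow: boolean, reason: string } for one request.
function decideRequest(req, allowedOrigin) {
  const h = normalizeHeaders(req.headers);
  const method = String(req.method || '').toUpperCase();

  // Safe methods must not change state, so they need no CSRF protection.
  if (SAFE_METHODS.has(method)) return { allow: true, reason: 'safe method' };

  // A bearer token is set explicitly by the page's own script; browsers never
  // attach it automatically, so a foreign page cannot supply it without CORS.
  if (/^bearer\s+\S+/i.test(h['authorization'] || '')) {
    return { allow: true, reason: 'bearer token present' };
  }

  if (!h['cookie']) return { allow: false, reason: 'no credentials' };

  // Cookie-only authentication: demand proof that the browser sent the request
  // from our own origin. Sec-Fetch-Site is browser-set and cannot be spoofed
  // by page script; fall back to Origin for browsers that omit it.
  const site = h['sec-fetch-site'];
  if (site === 'same-origin') return { allow: true, reason: 'sec-fetch-site same-origin' };
  if (site) return { allow: false, reason: `sec-fetch-site ${site}` };

  const origin = h['origin'];
  if (origin === allowedOrigin) return { allow: true, reason: 'origin matches' };
  return { allow: false, reason: origin ? 'origin mismatch' : 'origin absent' };
}
```

Note that this check only separates origins: two applications served from the same host and port share one origin and one cookie jar, so isolating them from each other needs distinct session scopes or a per-application bearer token rather than an Origin comparison.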