Hi Stian and Bill,
I've posted some questions regarding this topic before but I thought I'd
start a new thread to keep things focused:
I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) backend
modules. To add authentication and authorization to this application, I'd
like to use Keycloak
* as a user and role management front-end
* to provide a customizable login page (works very well by the way ;)
* as an OAuth 2.0 token provider
* to add user and role information to the HTTP requests in my REST/backend
modules
To do this, I'm currently looking at keycloak.js and the customer-app-js
example. However, I'm wondering whether this is really the best way to go.
In a reply to an earlier post of mine you mentioned that the Keycloak admin
console is written in AngularJS and that you are using HTTP-only cookies
there.
However, in keycloak.js and the customer-app-js example you are retrieving
the token in the JS app and adding an authorization header with a bearer
token to the HTTP requests.
So here are my questions:
* Is there a reason you are using two different approaches in the admin
console and the official demo app?
* Which one of the two approaches (bearer tokens vs. HTTP-only cookie) will
you support / will be the officially recommended one for HTML5 / client-side
JavaScript applications in Keycloak?
* Am I right in assuming that you haven't quite decided yet which approach
to use and that you are still discussing this in the Keycloak team?
Looking forward to your reply!
Cheers,
Nils
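The bearer-token approach described in the message above (the JS app holding the token and attaching an Authorization header to its REST calls), as an added example that is not code from keycloak.js or the customer-app-js demo: it parses the access token's `exp` claim and refuses to attach a token that is expired or about to expire, which is the check a client should make before each backend call. The token is a constructed, unsigned sample; the function names and the `minValiditySeconds` parameter are this example's own.

```javascript
'use strict';

// Decode one base64url segment of a JWT into a JSON object.
function decodeJwtSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Return the claims of an access token, or null if it is malformed.
// The client only reads claims for scheduling; authorization decisions
// belong to the backend, which verifies the signature.
function parseAccessToken(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try { return decodeJwtSegment(parts[1]); } catch (e) { return null; }
}

// Build the headers for a REST call. Refuses a token that is expired or
// expires within minValiditySeconds, so the caller refreshes first
// (the same idea as keycloak.js updateToken(minValidity)).
function bearerHeaders(token, nowSeconds, minValiditySeconds) {
  const claims = parseAccessToken(token);
  if (!claims || typeof claims.exp !== 'number') {
    return { ok: false, reason: 'malformed token' };
  }
  if (claims.exp - nowSeconds < minValiditySeconds) {
    return { ok: false, reason: 'token expired or about to expire' };
  }
  return { ok: true, headers: { Authorization: 'Bearer ' + token } };
}

// Constructed sample token: JWT header and payload with an exp claim,
// plus a dummy signature segment (never verified here).
function makeSampleToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' +
    enc({ sub: 'nils', realm_access: { roles: ['user'] }, exp: exp }) +
    '.signature-placeholder';
}
```

With a browser XHR/$http interceptor, `bearerHeaders(...).headers` would be merged into each request to the JAX-RS backend; the cookie approach needs none of this, since the browser attaches the HTTP-only cookie itself.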