Hi Stian and Bill,

I've posted some questions regarding this topic before but I thought I'd start a new thread to keep things focused:

I'm writing an AngularJS application with Java EE 6/7 REST (JAX-RS) backend modules. To add authentication and authorization to this application, I'd like to use keycloak

* as a user and role management front-end
* to provide a customizable login page (works very well by the way ;)
* as an OAuth 2.0 token provider
* to add user and role information to the HTTPRequests in my REST/backend modules

To do this, I'm currently looking at keycloak.js and the customer-app-js example. However, I'm wondering whether this is really the best way to go. In a reply to an earlier post of mine you mentioned that the keycloak admin console is written in AngularJS and that you are using HTTP-only cookies there.

However, in keycloak.js and the customer-app-js example you are retrieving the token in the JS app and adding an authorization header with a bearer token to the HTTP requests.

So here are my questions:

* Is there a reason you are using two different approaches in the admin console and the official demo app?
* Which one of the two approaches (bearer tokens vs. HTTP-only cookie) will you support/will be the officially recommended one for HTML5/client-side JavaScript applications in keycloak?
* Am I right in assuming that you haven't quite decided yet which approach to use and that you are still discussing this in the keycloak team?

Looking forward to your reply!
Cheers,
Nils