I read here:
http://lists.jboss.org/pipermail/keycloak-user/2014-December/001389.html
that (if I understood correctly) at the time the JavaScript adapter didn't support
returning the token in a cookie rather than in the response body.
Is that still the case?
I'm writing a SPA and I'm faced with the problem of where to store the token. Most
tutorials just put it in local storage, or in a variable in memory, but I read around that
it's very susceptible to XSS attacks, while using a secure, HttpOnly cookie is much
safer.
What would you recommend?
Thanks
M.
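
The cookie option raised in the question above depends on the attributes set on the Set-Cookie header. The following is an added example, not part of the original message and not Keycloak adapter code, that builds such a header and audits one for missing protections. The function names, the cookie name and the backend that would issue the cookie are assumptions.

```javascript
// Added example: hypothetical helpers, not Keycloak adapter code.
// Assumes a backend of your own that receives the token and sets the cookie.

// Build a Set-Cookie value that page scripts cannot read (HttpOnly),
// that is only sent over TLS (Secure), and not on cross-site requests.
function buildTokenCookie(name, token, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(token)}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Strict',
  ].join('; ');
}

// Parse a Set-Cookie value and list the protections it lacks.
function auditTokenCookie(setCookie) {
  const attrs = new Map();
  // Skip the first segment (name=value); attribute names are case-insensitive.
  for (const part of setCookie.split(';').slice(1)) {
    const [key, ...rest] = part.trim().split('=');
    if (key) attrs.set(key.toLowerCase(), rest.join('=').toLowerCase());
  }
  const findings = [];
  if (!attrs.has('httponly')) findings.push('missing HttpOnly: readable via document.cookie');
  if (!attrs.has('secure')) findings.push('missing Secure: sent over plain HTTP');
  const sameSite = attrs.get('samesite');
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    findings.push('SameSite not Strict or Lax: rely on explicit CSRF protection');
  }
  return findings;
}

// Constructed sample values.
const good = buildTokenCookie('session_token', 'constructed.sample.token', 300);
const weak = 'session_token=constructed.sample.token; Path=/';
console.log(auditTokenCookie(good)); // []
console.log(auditTokenCookie(weak).length); // 3
```

A token held in a cookie is sent automatically by the browser, so the SameSite attribute or a separate CSRF defence matters in a way it does not for a token kept in local storage.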