We have a scenario in which the application does not have access to the
Keycloak server, but the user does. In this case, the user is on our
internal corporate network along with the Keycloak server, while the
application lives in the public Internet. We can send the user from the
public application to Keycloak to log in, but the application cannot
communicate back with Keycloak to verify the token coming back when the
user returns. It is my understanding that "Implicit Flow" should allow for
this scenario:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc...
But I cannot figure out how to implement this with the Spring Boot adapter.
It seems to me that the adapter should have a way to decrypt and validate
the JWT token locally (making sure the short-lived access token has not
expired), then trust the token as implicitly granted and proceed to set a
session cookie with a different timeout configured in the Keycloak
administrator. Is this available in Keycloak somewhere that I'm just missing?
Or perhaps you have another suggestion for how to do this?
Note that I recognize implicit flow is inherently flawed because it passes
the access token to the user (vulnerable to man-in-the-middle type leaks).
Still, it's part of the OIDC spec, and it seems that security concerns can
be somewhat mitigated with a short expiration on the Access Token and a
configurable expiration of the resulting client session via Keycloak.
Suggestions?
Thanks,
Jonathan
--
Jonathan D'Andries
http://www.linkedin.com/in/jonathandandries/
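The following is an added example, not code from the post above or from the Keycloak Spring Boot adapter, showing what "validate the JWT locally" amounts to for a token the user brings back from Keycloak when the application has no network path to the server: pin the algorithm, verify the RS256 signature against the realm's public key (which the application must have been given out of band, e.g. copied from the realm's Keys page), then check issuer, audience and expiry. The RSA key is generated inline to stand in for the realm key, and the issuer URL and client id are assumed values; a second key plays an attacker forging a token. Keycloak can emit `aud` as an array; this example checks the single-string form only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Keycloak token claims checked offline here.
// Simplification: aud is treated as a single string (Keycloak may emit an array).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// signRS256 fabricates a compact JWS (alg RS256) for the demo only; in a real
// deployment only Keycloak signs tokens, the application never does.
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyOffline validates a token without contacting Keycloak: alg pinning,
// signature against the realm public key, then issuer, audience and expiry.
func verifyOffline(token string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// Refuse anything but the expected algorithm ("none" or HS256 downgrade attacks).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	bodyBytes, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyBytes, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	}
	if c.Aud != clientID {
		return nil, fmt.Errorf("wrong audience %q", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Demo runs three constructed tokens through verifyOffline: a fresh one signed by
// the realm key (should pass), an expired one, and one forged with another key.
func Demo() (freshErr, expiredErr, forgedErr error) {
	realmKey, _ := rsa.GenerateKey(rand.Reader, 2048)    // stands in for the realm key
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key Keycloak never issued
	const issuer = "https://keycloak.corp.example/auth/realms/corp" // assumed realm URL
	const clientID = "public-app"                                   // assumed client id
	now := time.Now()
	base := Claims{Iss: issuer, Aud: clientID, Sub: "user1"}
	fresh := base
	fresh.Exp = now.Add(5 * time.Minute).Unix()
	expired := base
	expired.Exp = now.Add(-time.Minute).Unix()
	goodTok, _ := signRS256(realmKey, fresh)
	staleTok, _ := signRS256(realmKey, expired)
	forgedTok, _ := signRS256(attackerKey, fresh)
	_, freshErr = verifyOffline(goodTok, &realmKey.PublicKey, issuer, clientID, now)
	_, expiredErr = verifyOffline(staleTok, &realmKey.PublicKey, issuer, clientID, now)
	_, forgedErr = verifyOffline(forgedTok, &realmKey.PublicKey, issuer, clientID, now)
	return
}

func main() {
	f, e, g := Demo()
	fmt.Println("fresh token:", f)
	fmt.Println("expired token:", e)
	fmt.Println("forged token:", g)
}
```

Everything the check needs (the realm public key, the expected issuer and client id) is static configuration, which is what makes it workable when the application cannot call Keycloak. What it cannot do offline is notice revocation or a key rotation, so the application's own session lifetime after a successful check should stay short.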