[keycloak-dev] CORS
Bill Burke
bburke at redhat.com
Fri Jul 19 13:40:15 EDT 2013
On 7/19/2013 9:59 AM, Stian Thorgersen wrote:
>
> The authorized javascript origin is used to specify what domains are allowed to do CORS requests. This is required by the JavaScript SDK so that it can invoke REST endpoints when deployed to a different domain than the IdentityBroker server.
>
Does Keycloak need CORS? OAuth2 is a redirect protocol.
1. User visits app
2. App redirects to Keycloak login screen, sets a session cookie for security purposes
3. User logs in to Keycloak
4. Keycloak sets a cookie and generates an access code
5. Keycloak redirects browser back to app
5.1 App checks to make sure it actually made an access code request by looking at the session cookie in step 1.
6. App extracts access code from redirect URL
7. App makes an under-the-covers invocation to change the short-lived access code to a token
8. App extracts identity and role-mapping information from token.
9. User visits a different site
10. Site redirects to Keycloak login screen
11. Login screen sees that the user is already logged in (via cookie)
12. Keycloak generates an access code and redirects to 2nd app
13. App extracts access code from redirect URL
.....
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
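The redirect flow sketched in the numbered steps above, simulated end to end as an added example. This is not Keycloak code and not code from the thread; all hostnames, client ids, secrets, the `alice` user and the 60-second code lifetime are constructed for the demo. It walks both apps through the flow (credentials the first time, SSO cookie the second time) and also shows the two checks the steps rely on: the app rejecting a redirect whose state does not match its own session cookie (step 5.1), and the server rejecting a code that is replayed or presented by the wrong client (step 7). Everything happens through redirects and a server-to-server code exchange, so no browser cross-origin request is involved.

```python
"""Simulated OAuth2 authorization-code flow: app, identity server, and the browser's redirects."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60  # seconds an access code stays exchangeable (constructed value)


class IdentityServer:
    """Stand-in for the Keycloak login server (steps 3-5, 7, 11-12). Demo only."""

    def __init__(self, users):
        self.users = users        # username -> (password, roles); plain text for the demo only
        self.sso_cookies = {}     # SSO cookie value -> username (steps 4 and 11)
        self.codes = {}           # access code -> who it was issued to and when
        self.clients = {}         # client_id -> (client_secret, registered redirect_uri)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def login(self, client_id, redirect_uri, state, username=None, password=None,
              sso_cookie=None, now=None):
        """Authenticate (or recognise the SSO cookie), issue a one-time code, redirect back."""
        now = time.time() if now is None else now
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if sso_cookie in self.sso_cookies:
            username = self.sso_cookies[sso_cookie]          # step 11: already logged in
        else:
            if username not in self.users or self.users[username][0] != password:
                raise PermissionError("bad credentials")
            sso_cookie = secrets.token_urlsafe(32)            # step 4: set SSO cookie
            self.sso_cookies[sso_cookie] = username
        code = secrets.token_urlsafe(32)                      # step 4: short-lived access code
        self.codes[code] = {"user": username, "client_id": client_id, "issued": now}
        return redirect_uri + "?" + urlencode({"code": code, "state": state}), sso_cookie

    def exchange(self, code, client_id, client_secret, now=None):
        """Step 7: trade the code for a token. Single use, bound to the client, expires."""
        now = time.time() if now is None else now
        record = self.codes.pop(code, None)                   # pop: a code is redeemable once
        if record is None:
            raise PermissionError("unknown or already used code")
        client = self.clients.get(client_id)
        if client is None or record["client_id"] != client_id \
                or not secrets.compare_digest(client[0], client_secret):
            raise PermissionError("code was not issued to this client")
        if now - record["issued"] > CODE_TTL:
            raise PermissionError("code expired")
        return {"sub": record["user"], "roles": self.users[record["user"]][1]}


class App:
    """Stand-in for an application using the login server (steps 1-2, 5.1, 6-8)."""

    def __init__(self, client_id, client_secret, redirect_uri, idp):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.idp = redirect_uri, idp
        self.sessions = {}   # session cookie -> per-session data (step 2)

    def start_login(self):
        """Step 2: remember a random state in the session cookie, redirect to the login screen."""
        session_cookie, state = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[session_cookie] = {"state": state}
        query = {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}
        return session_cookie, "https://idp.example/login?" + urlencode(query)

    def handle_redirect(self, session_cookie, redirect_url):
        """Steps 5.1-8: the state must match the session this app started; then exchange the code."""
        session = self.sessions.get(session_cookie)
        query = parse_qs(urlparse(redirect_url).query)
        if session is None or "state" not in session or "state" not in query \
                or not secrets.compare_digest(session["state"], query["state"][0]):
            raise PermissionError("redirect does not belong to a login this app started")
        del session["state"]                                   # state is single use as well
        session["identity"] = self.idp.exchange(query["code"][0], self.client_id, self.client_secret)
        return session["identity"]


def _rejected(action):
    try:
        action()
    except PermissionError:
        return True
    return False


def run_sso_demo():
    """Two apps, one user: credentials once, then SSO via cookie; plus the two failure checks."""
    idp = IdentityServer({"alice": ("s3cret", ["user", "admin"])})          # constructed data
    idp.register_client("app1", "secret1", "https://app1.example/callback")
    idp.register_client("app2", "secret2", "https://app2.example/callback")
    app1 = App("app1", "secret1", "https://app1.example/callback", idp)
    app2 = App("app2", "secret2", "https://app2.example/callback", idp)
    # Steps 1-8: first app, the user types a password.
    cookie1, login_url = app1.start_login()
    p = {k: v[0] for k, v in parse_qs(urlparse(login_url).query).items()}
    redirect1, sso = idp.login(p["client_id"], p["redirect_uri"], p["state"],
                               username="alice", password="s3cret")
    token1 = app1.handle_redirect(cookie1, redirect1)
    # Steps 9-13: second app, the browser already carries the SSO cookie, no password.
    cookie2, login_url2 = app2.start_login()
    p2 = {k: v[0] for k, v in parse_qs(urlparse(login_url2).query).items()}
    redirect2, _ = idp.login(p2["client_id"], p2["redirect_uri"], p2["state"], sso_cookie=sso)
    token2 = app2.handle_redirect(cookie2, redirect2)
    # Failure checks: replaying the already-exchanged code; a redirect whose state is not ours.
    code1 = parse_qs(urlparse(redirect1).query)["code"][0]
    cookie3, _ = app1.start_login()
    return {
        "token1": token1,
        "token2": token2,
        "replay_rejected": _rejected(lambda: idp.exchange(code1, "app1", "secret1")),
        "forged_state_rejected": _rejected(lambda: app1.handle_redirect(cookie3, redirect2)),
    }


if __name__ == "__main__":
    print(run_sso_demo())
```

The state kept in the app's session cookie is what makes step 5.1 work: a redirect that reaches the callback without the state the app itself generated is dropped before any code is exchanged, and the server's `pop` on the code table is what makes a leaked or replayed code worthless after its single use.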