[keycloak-dev] CORS and Keycloak
Bill Burke
bburke at redhat.com
Tue Oct 8 12:21:38 EDT 2013
Based on our Hangout conversation, I'm trying to figure out what we need
to do for CORS.
First, we absolutely need to allow CORS requests to Keycloak hosted
resources: specifically the token service and the admin REST api.
The question is, do we manage CORS for applications? How does this
information get transmitted? What support do we need to add? Here's my
take:
* Keycloak application adapters (i.e. the Tomcat Valve, or the Undertow
Handler) can be set up to handle CORS requests.
* Allowed origins can be specified within the adapter's config file.
Additionally we could:
* Store allowed origins per application within the Keycloak realm database
* Have a Keycloak REST API to obtain allowed origins for an application
* Optionally store allowed origins in the signed access token.
The Keycloak application adapter then has 3 options to authorize a CORS
invocation:
1) Its config file
2) a REST call to the Keycloak server
3) From the access token.
#3 could get quite problematic as the access token could get quite large.
#3 does fit in nicely with Keycloak's concept of a Scope though.
Do I understand everything correctly as it pertains to CORS? Did I
cover everything? Does what I'm saying make sense?
CORS could be another nice core feature we support. So our main
marketing would say Keycloak is a
a) A social broker
b) SSO/SLO
c) OAuth
d) CORS
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
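As an added illustration (not code from the original post or from the Keycloak adapters), the following sketches the origin check an adapter would perform under options 1 and 3 above: allowed origins from the adapter's config file are merged with a set of origins carried in the access token, the request's Origin header is compared against that allow-list by exact match, and only a matching origin is echoed back in Access-Control-Allow-Origin (never a wildcard, since the token service and admin API are credentialed). The class name, the token-claim shape (a plain set of strings) and the sample origins are all assumptions made for the example; the servlet or Undertow plumbing that would read the headers is left out.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical CORS decision logic for a Keycloak-style application adapter. */
public final class CorsAuthorizer {

    /** Outcome of the check: whether the origin is allowed and which headers to add. */
    public static final class Decision {
        public final boolean allowed;
        public final Map<String, String> responseHeaders;
        Decision(boolean allowed, Map<String, String> responseHeaders) {
            this.allowed = allowed;
            this.responseHeaders = Collections.unmodifiableMap(responseHeaders);
        }
        static Decision deny() { return new Decision(false, new LinkedHashMap<>()); }
    }

    private final Set<String> configuredOrigins = new HashSet<>(); // option 1: adapter config file
    private final Set<String> allowedMethods = new HashSet<>();

    public CorsAuthorizer(Collection<String> configuredOrigins, Collection<String> allowedMethods) {
        for (String o : configuredOrigins) {
            String n = normalizeOrigin(o);
            if (n != null) this.configuredOrigins.add(n);
        }
        for (String m : allowedMethods) this.allowedMethods.add(m.toUpperCase(Locale.ROOT));
    }

    /** Reduce an origin to lower-case scheme://host[:port]; null if it is not a usable origin. */
    static String normalizeOrigin(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) return null; // covers "null" and garbage
            String s = u.getScheme().toLowerCase(Locale.ROOT) + "://" + u.getHost().toLowerCase(Locale.ROOT);
            if (u.getPort() != -1) s += ":" + u.getPort();
            return s;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * @param method          HTTP method of the incoming request
     * @param originHeader    value of the Origin header, or null for a same-origin request
     * @param requestedMethod Access-Control-Request-Method on a preflight, else null
     * @param tokenOrigins    option 3: origins read from the (already verified) access token
     */
    public Decision authorize(String method, String originHeader, String requestedMethod,
                              Collection<String> tokenOrigins) {
        String origin = normalizeOrigin(originHeader);
        if (origin == null) return Decision.deny(); // no Origin: not a CORS request, add nothing

        Set<String> allowList = new HashSet<>(configuredOrigins);
        for (String o : tokenOrigins) {
            String n = normalizeOrigin(o);
            if (n != null) allowList.add(n);
        }
        if (!allowList.contains(origin)) return Decision.deny(); // unknown origin is never reflected

        Map<String, String> h = new LinkedHashMap<>();
        h.put("Access-Control-Allow-Origin", origin);       // exact allow-listed value, never "*"
        h.put("Access-Control-Allow-Credentials", "true");   // bearer tokens / cookies are in play
        h.put("Vary", "Origin");                             // shared caches must key on Origin

        boolean preflight = "OPTIONS".equalsIgnoreCase(method) && requestedMethod != null;
        if (preflight) {
            if (!allowedMethods.contains(requestedMethod.toUpperCase(Locale.ROOT))) return Decision.deny();
            h.put("Access-Control-Allow-Methods", String.join(", ", allowedMethods));
            h.put("Access-Control-Allow-Headers", "Authorization, Content-Type");
            h.put("Access-Control-Max-Age", "3600");
        }
        return new Decision(true, h);
    }

    public static void main(String[] args) {
        // Constructed sample data: one origin from the config file, one from a token claim.
        CorsAuthorizer cors = new CorsAuthorizer(
                Collections.singletonList("https://app.example.com"),
                java.util.Arrays.asList("GET", "POST"));
        Set<String> fromToken = Collections.singleton("https://admin.example.com:8443");

        System.out.println(cors.authorize("OPTIONS", "https://app.example.com", "POST", fromToken).responseHeaders);
        System.out.println(cors.authorize("GET", "https://ADMIN.example.com:8443", null, fromToken).allowed);    // true
        System.out.println(cors.authorize("GET", "https://evil.example.net", null, fromToken).allowed);          // false
        System.out.println(cors.authorize("OPTIONS", "https://app.example.com", "DELETE", fromToken).allowed);   // false
    }
}
```

The deny path returns no CORS headers at all rather than an error body, which is what a browser needs to block the cross-origin read; the REST lookup of option 2 would simply be another source feeding the same allow-list, so the comparison logic does not change whichever of the three options the adapter uses.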