[keycloak-dev] cors setup simplification?

Stian Thorgersen stian at redhat.com
Tue May 20 10:22:04 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 20 May, 2014 3:19:56 PM
> Subject: Re: [keycloak-dev] cors setup simplification?
> 
> 
> 
> On 5/20/2014 10:07 AM, Bill Burke wrote:
> >
> >
> > On 5/20/2014 9:33 AM, Stian Thorgersen wrote:
> >> I like the idea of not having to specify the web-origins, but I wonder if
> >> there are use-cases for having web-origins that can't be calculated from
> >> the redirect-uris.
> >>
> >
> > I just can't see a case for this.  Let's just let users tell us we need
> > this control.  Right now, the web origin is always set to the
> > protocol://hostname of the application or oauth client.
> >
> >> Also, the web-origins is used by Keycloak's own endpoints. In this case
> >> "Cross-Origin Tokens" doesn't make sense.
> >>
> >
> > You're talking about the Account Service correct?  Well, I'm changing
> > that! :)  How you implemented CORS support for the Account Service is
> > not how web-origins were intended to be used.
> >
> > Tokens are created for a specific client (app or oauth).  The
> > web-origins for that issuedFor client are stuffed into the token created
> > specifically for that client.  Basically, it's saying this token is
> > allowed to come from this set of origins.
> >
> > Web-Origins are not origin permissions for that application/client.
> > When you specify a web origin for the Account Service (or any other
> > application) in the admin console, this is not origins that are allowed
> > to call the account service!  But instead, the origins allowed for token
> > requests made from tokens created for the Account Service.  Am I making
> > sense?
> >
> 
> Ugh, let me reword last paragraph:
> 
> Web-origin setting is not a set of origin permissions for an
> application/client.  For example, the account service's web-origin
> setting is not the origins that are allowed to call the account service!
> Tokens are always created for a specific client (issuedFor).  The
> client's web origin setting is just information that is stuffed into the
> token when it is created.

The account service does use the client's web-origins atm, it just pulls it from the ClientModel instead of the token, or at least that was the intent ;)

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
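To make the mechanism discussed above concrete, here is an added example in Python; it is illustrative code, not Keycloak's own implementation or anything posted in this thread. It does two things: derives a client's web origins from its redirect URIs as `protocol://hostname` (the simplification Bill proposes), and shows a resource server answering a cross-origin request using only the origins carried in the bearer token, not the resource server's own web-origins setting. The claim name `allowed-origins` follows Keycloak's access token format but is an assumption here, as the thread never quotes the token itself; the redirect URIs and tokens are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect URIs registered for one client (not a real deployment).
REDIRECT_URIS = [
    "https://app.example.com/callback",
    "https://app.example.com:8443/oauth/*",
    "http://localhost:8080/*",
]


def origin_of(url):
    """Return the web origin (scheme://host[:port]) of a URL, or None if it has none.
    Default ports are dropped and the host is lower-cased so origins compare equal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port and parts.port != default_port:
        origin += f":{parts.port}"
    return origin


def origins_from_redirect_uris(redirect_uris):
    """Derive the client's web-origins from its redirect URIs.
    This is the calculation the thread proposes instead of a separate setting."""
    return {o for o in (origin_of(u) for u in redirect_uris) if o is not None}


def cors_headers_for(token, request_origin):
    """Decide the CORS response headers for a bearer-token request.

    `token` is the decoded access token (a dict); its 'allowed-origins' claim
    (name assumed here) holds the web-origins of the issuedFor client, copied
    in at token creation.  The resource server's own web-origins setting plays
    no part in this decision, which is the point Bill makes above.

    Returns {} for a same-origin request, None when the origin is not one the
    token was issued for, and the CORS headers to emit otherwise.
    """
    if request_origin is None:
        return {}  # no Origin header: not a cross-origin request
    allowed = {origin_of(o) for o in token.get("allowed-origins", [])}
    if origin_of(request_origin) not in allowed:
        return None  # token was not created for a client living at this origin
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed token: issued for the client whose origins were derived above.
    token = {"issuedFor": "my-app",
             "allowed-origins": sorted(origins_from_redirect_uris(REDIRECT_URIS))}
    print(cors_headers_for(token, "https://app.example.com"))  # headers emitted
    print(cors_headers_for(token, "https://other.example"))    # None: rejected
```

The check is deliberately an exact match on the normalised origin; wildcard origins are not modelled because the thread does not discuss them.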