[keycloak-dev] Keycloak.js is inefficient and can be improved
Bill Burke
bburke at redhat.com
Mon Feb 23 10:24:04 EST 2015
On 2/23/2015 9:38 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Monday, February 23, 2015 3:34:12 PM
>> Subject: Re: [keycloak-dev] Keycloak.js is inefficient and can be improved
>>
>> Verifying the token would be a must for implicit flow, IMO. Not so much
>> for access code flow though.
>
> Should we add support for implicit flow?
>
No, as it looks like implicit flow can leak access tokens into the
browser history which could lead to accidental bookmarks or rogue
scripts looking at browser history. Code is protected as the code can
only be used once, so if it leaks there's not much you can do about it.
Especially if you enforce CORS origin validation (which I don't think
we do right now).
>>
>> For access code flow it is not really possible to fool the javascript
>> provider because of the "state" parameter, and obtaining an access token
>> happens out of band.
>
> We support passing tokens to keycloak.js to initialize it, but not sure if that could be exploited
>
Not sure what that feature is or if it should even be supported. Sounds
close to what the implicit flow is.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
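An added illustration of the contrast drawn above, not code from keycloak.js or from the thread: it parses what each flow sends back to the browser (a one-time `code` in the query for code flow, a bearer token in the fragment for implicit flow), rejects a callback whose `state` does not match the value saved before the redirect, and computes the URL the app should write back with `history.replaceState` so neither value lingers in the address bar or history. The host `app.example` and the sample values are constructed.

```javascript
// Added example (not keycloak.js code). Runs in Node or a browser; only the
// URL parsing and state check are shown, the token exchange is out of band.

// Parse the redirect the authorization server sent the browser back to.
// Code flow: ?code=...&state=... in the query (single-use code, no token).
// Implicit flow: #access_token=...&state=... in the fragment (bearer token
// in the URL itself, which is what ends up in browser history).
function parseRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (fragment.has('access_token')) {
    return { flow: 'implicit', state: fragment.get('state'),
             accessToken: fragment.get('access_token'), code: null };
  }
  if (query.has('code')) {
    return { flow: 'code', state: query.get('state'),
             accessToken: null, code: query.get('code') };
  }
  return { flow: 'none', state: null, accessToken: null, code: null };
}

// Accept the callback only if "state" matches the value stored before the
// redirect (a forged or replayed callback fails here), and return the URL
// the app should put back via history.replaceState with code, state and
// fragment removed.
function handleRedirect(redirectUrl, expectedState) {
  const r = parseRedirect(redirectUrl);
  if (r.flow === 'none') return { accepted: false, reason: 'no response' };
  if (!expectedState || r.state !== expectedState) {
    return { accepted: false, reason: 'state mismatch', flow: r.flow };
  }
  const url = new URL(redirectUrl);
  url.hash = '';
  url.searchParams.delete('code');
  url.searchParams.delete('state');
  return {
    accepted: true,
    flow: r.flow,
    // Only the implicit flow ever placed a bearer token in the URL.
    tokenWasInUrl: r.accessToken !== null,
    // The code is single-use; the client exchanges it out of band.
    code: r.code,
    cleanUrl: url.toString(),
  };
}
```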