[keycloak-dev] Credentials in javascript adapter

Michal Hajas mhajas at redhat.com
Thu Nov 7 08:08:32 EST 2019


To me it looks like it is quite a security issue to use confidential
clients with javascript adapter. Isn't it kind of ok to break it for those
which are using it in that case?

Michal

On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:

> Sure, how about I whip a PR much like this one
> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
> acceptable?
>
> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> That'd work. As it's not documented we can probably instead just log a
>> warning to the console?
>>
>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
>>
>>> We recently also deprecated non-native promises with the intent to
>>> remove this behavior in the future. Would it not then make sense to
>>> deprecate this behavior now and remove it eventually? Especially
>>> considering this behavior is not very secure and just adds extra cruft to
>>> the adapter code.
>>>
>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> It might be there from the early days when we didn't have public
>>>> clients.
>>>> I'd probably just keep it in case someone is using it with a
>>>> confidential
>>>> client as removing it would break it for them. Although strictly
>>>> speaking
>>>> you shouldn't use a confidential client with a client-side app.
>>>>
>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com> wrote:
>>>>
>>>> > Hello,
>>>> >
>>>> > in Javascript adapter we have a possibility to configure a client
>>>> secret
>>>> > [1] in order to use Basic authorization for requests for token
>>>> endpoint
>>>> > [2]. I haven't found any information in docs about it and I don't
>>>> > understand why we have it there as public clients don't have secrets.
>>>> Is
>>>> > this useful in some scenarios or we should remove it?
>>>> >
>>>> > Michal
>>>> >
>>>> > [1]
>>>> >
>>>> >
>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
>>>> > &
>>>> > <
>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882&
>>>> >
>>>> >
>>>> >
>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
>>>> >
>>>> > [2]
>>>> >
>>>> >
>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
>>>> > &
>>>> > <
>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617&
>>>> >
>>>> >
>>>> >
>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
>>>> > _______________________________________________
>>>> > keycloak-dev mailing list
>>>> > keycloak-dev at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> >
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>


More information about the keycloak-dev mailing list