[keycloak-dev] Credentials in javascript adapter

Stian Thorgersen sthorger at redhat.com
Thu Nov 7 08:10:00 EST 2019


I'm a bit on the fence. We could just break it and document it in update +
release notes to give folks a heads up.

On Thu, 7 Nov 2019 at 14:08, Michal Hajas <mhajas at redhat.com> wrote:

> To me it looks like it is quite a security issue to use confidential
> clients with javascript adapter. Isn't it kind of ok to break it for those
> which are using it in that case?
>
> Michal
>
> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:
>
>> Sure, how about I whip up a PR much like this one
>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>> acceptable?
>>
>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> That'd work. As it's not documented we can probably instead just log a
>>> warning to the console?
>>>
>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
>>>
>>>> We recently also deprecated non-native promises with the intent to
>>>> remove this behavior in the future. Would it not then make sense to
>>>> deprecate this behavior now and remove it eventually? Especially
>>>> considering this behavior is not very secure and just adds extra cruft to
>>>> the adapter code.
>>>>
>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> It might be there from the early days when we didn't have public
>>>>> clients. I'd probably just keep it in case someone is using it with a
>>>>> confidential client as removing it would break it for them. Although
>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>> client-side app.
>>>>>
>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com> wrote:
>>>>>
>>>>> > Hello,
>>>>> >
>>>>> > in the Javascript adapter we have the possibility to configure a
>>>>> > client secret [1] in order to use Basic authorization for requests
>>>>> > to the token endpoint [2]. I haven't found any information in the
>>>>> > docs about it and I don't understand why we have it there, as public
>>>>> > clients don't have secrets. Is this useful in some scenarios or
>>>>> > should we remove it?
>>>>> >
>>>>> > Michal
>>>>> >
>>>>> > [1]
>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
>>>>> > &
>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
>>>>> >
>>>>> > [2]
>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
>>>>> > &
>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
>>>>> > _______________________________________________
>>>>> > keycloak-dev mailing list
>>>>> > keycloak-dev at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>> >
>>>>>
>>>>
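The thread discusses a browser-side adapter that, when a client secret is configured, authenticates to the token endpoint with HTTP Basic instead of sending only `client_id` in the form body, and proposes logging a console warning when that happens. The following is an added example that is not Keycloak's adapter code; the function names (`buildTokenRequest`, `decodeBasicClientSecret`), the config shape (`clientId`, `credentials.secret`) and the sample values are assumptions made for illustration. It shows the two request shapes side by side, emits the deprecation warning the thread proposes, and shows why the "confidential" variant offers no confidentiality in a browser: the secret is trivially recoverable from the header every user of the page can see.

```javascript
// Added example, not code from the Keycloak project. All names below are
// hypothetical; the config shape mimics the one discussed in the thread.

// Base64 helpers that work in a browser and in Node.
function toBase64(s) {
  return typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'utf8').toString('base64');
}
function fromBase64(s) {
  return typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('utf8');
}

// Build the headers and form body for a token-endpoint request.
// Public client (no secret): client_id goes in the body, no Authorization header.
// Secret configured: HTTP Basic with "clientId:secret", plus a deprecation
// warning, which is the behaviour the thread proposes to warn about.
function buildTokenRequest(config, params) {
  const body = new URLSearchParams(params);
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const warnings = [];

  if (config.credentials && config.credentials.secret) {
    const msg =
      `[adapter] client "${config.clientId}" is configured with a client secret. ` +
      'A secret shipped to the browser is not confidential; use a public client. ' +
      'This option is deprecated and will be removed.';
    warnings.push(msg);
    console.warn(msg);
    headers['Authorization'] =
      'Basic ' + toBase64(`${config.clientId}:${config.credentials.secret}`);
  } else {
    body.set('client_id', config.clientId);
  }
  return { headers, body: body.toString(), warnings };
}

// What a user of the app sees in the browser's network tab: the Basic
// header decodes straight back to the client id and the "secret".
function decodeBasicClientSecret(authorizationHeader) {
  if (!authorizationHeader || !authorizationHeader.startsWith('Basic ')) return null;
  const decoded = fromBase64(authorizationHeader.slice('Basic '.length));
  const idx = decoded.indexOf(':');
  return { clientId: decoded.slice(0, idx), secret: decoded.slice(idx + 1) };
}

// Constructed sample configs, not real client data.
const publicClient = { clientId: 'my-spa' };
const confidentialClient = { clientId: 'my-spa', credentials: { secret: 'constructed-secret' } };
const refreshParams = { grant_type: 'refresh_token', refresh_token: 'constructed-refresh-token' };

console.log(buildTokenRequest(publicClient, refreshParams));
console.log(decodeBasicClientSecret(buildTokenRequest(confidentialClient, refreshParams).headers.Authorization));
```

The public-client branch is the one a single-page app should use: the token endpoint identifies the client by `client_id` alone, and the browser never holds anything worth protecting beyond the user's own tokens. The warning approach keeps existing deployments working while making the misconfiguration visible in the console, which is the compromise the thread lands on.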