[keycloak-dev] Credentials in javascript adapter
Michal Hajas
mhajas at redhat.com
Thu Nov 7 08:12:47 EST 2019
+1
On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops at gmail.com> wrote:
> If you ask me this is undocumented behaviour, and it's not secure so I'd
> just remove it.
>
> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas at redhat.com> wrote:
>
>> To me it looks like it is quite a security issue to use confidential
>> clients with javascript adapter. Isn't it kind of ok to break it for those
>> which are using it in that case?
>>
>> Michal
>>
>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:
>>
>>> Sure, how about I whip a PR much like this one
>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>> acceptable?
>>>
>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> That'd work. As it's not documented we can probably instead just log a
>>>> warning to the console?
>>>>
>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
>>>>
>>>>> We recently also deprecated non-native promises with the intent to
>>>>> remove this behavior in the future. Would it not then make sense to
>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>> considering this behavior is not very secure and just adds extra cruft to
>>>>> the adapter code.
>>>>>
>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> It might be there from the early days when we didn't have public
>>>>>> clients. I'd probably just keep it in case someone is using it with a
>>>>>> confidential client as removing it would break it for them. Although
>>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>>> client-side app.
>>>>>>
>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com> wrote:
>>>>>>
>>>>>> > Hello,
>>>>>> >
>>>>>> > in the Javascript adapter we have the possibility to configure a
>>>>>> > client secret [1] in order to use Basic authorization for requests to
>>>>>> > the token endpoint [2]. I haven't found any information in the docs
>>>>>> > about it and I don't understand why we have it there, as public
>>>>>> > clients don't have secrets. Is this useful in some scenarios or
>>>>>> > should we remove it?
>>>>>> >
>>>>>> > Michal
>>>>>> >
>>>>>> > [1]
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
>>>>>> > &
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
>>>>>> >
>>>>>> > [2]
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
>>>>>> > &
>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
>>>>>> > _______________________________________________
>>>>>> > keycloak-dev mailing list
>>>>>> > keycloak-dev at lists.jboss.org
>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>> >
>>>>>>
>>>>>
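As an added illustration (not the Keycloak adapter's own code), here are the two token-endpoint request shapes the thread contrasts: a public client sending `client_id` in the form body, and a confidential client sending an HTTP Basic header built from the configured secret, with the console warning Stian proposed emitted whenever such a secret is present in a browser configuration. The function name `tokenRequestFor` and the `credentials.secret` option shape are assumptions made for this example.

```javascript
// Added example, not Keycloak code. Builds the headers and form body of an
// authorization_code token request for a browser (client-side) application.
//
// Public client: client_id goes in the form body and there is no
// Authorization header; this is the shape a client-side app should use.
// Confidential client (credentials.secret configured): an HTTP Basic header
// is built from "clientId:secret". Anything in a browser bundle is readable
// by every user, so the secret gives no real protection; the function keeps
// the behaviour but logs a warning instead of using the secret silently.
//
// `log` is injectable so the warning can be captured in tests; the config
// field names are assumptions for this illustration.
function tokenRequestFor(config, code, redirectUri, log = console) {
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code: code,
    redirect_uri: redirectUri,
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  const secret = config.credentials && config.credentials.secret;
  if (secret) {
    log.warn(
      '[keycloak-js] credentials.secret is configured. A client secret ' +
      'shipped to the browser is visible to every user; use a public client.'
    );
    const basic = Buffer.from(`${config.clientId}:${secret}`).toString('base64');
    headers.Authorization = `Basic ${basic}`;
  } else {
    params.set('client_id', config.clientId);
  }
  return { headers: headers, body: params.toString() };
}

// Convenience check an application can run at start-up to find out whether
// its configuration would trigger the confidential-client path above.
function hasEmbeddedSecret(config) {
  return Boolean(config && config.credentials && config.credentials.secret);
}
```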