[keycloak-dev] Credentials in javascript adapter
Stian Thorgersen
sthorger at redhat.com
Thu Nov 7 08:19:06 EST 2019
+1
On Thu, 7 Nov 2019 at 14:13, Michal Hajas <mhajas at redhat.com> wrote:
> +1
>
> On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops at gmail.com> wrote:
>
>> If you ask me this is undocumented behaviour, and it's not secure so I'd
>> just remove it.
>>
>> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas at redhat.com> wrote:
>>
>>> To me it looks like it is quite a security issue to use confidential
>>> clients with javascript adapter. Isn't it kind of ok to break it for those
>>> which are using it in that case?
>>>
>>> Michal
>>>
>>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:
>>>
>>>> Sure, how about I whip a PR much like this one
>>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>>> acceptable?
>>>>
>>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> That'd work. As it's not documented we can probably instead just log a
>>>>> warning to the console?
>>>>>
>>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
>>>>>
>>>>>> We recently also deprecated non-native promises with the intent to
>>>>>> remove this behavior in the future. Would it not then make sense to
>>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>>> considering this behavior is not very secure and just adds extra cruft to
>>>>>> the adapter code.
>>>>>>
>>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> It might be there from the early days when we didn't have public
>>>>>>> clients.
>>>>>>> I'd probably just keep it in case someone is using it with a
>>>>>>> confidential
>>>>>>> client as removing it would break it for them. Although strictly
>>>>>>> speaking
>>>>>>> you shouldn't use a confidential client with a client-side app.
>>>>>>>
>>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com> wrote:
>>>>>>>
>>>>>>> > Hello,
>>>>>>> >
>>>>>>> > in Javascript adapter we have a possibility to configure a client
>>>>>>> secret
>>>>>>> > [1] in order to use Basic authorization for requests for token
>>>>>>> endpoint
>>>>>>> > [2]. I haven't found any information in docs about it and I don't
>>>>>>> > understand why we have it there as public clients don't have
>>>>>>> secrets. Is
>>>>>>> > this useful in some scenarios or we should remove it?
>>>>>>> >
>>>>>>> > Michal
>>>>>>> >
>>>>>>> > [1]
>>>>>>> >
>>>>>>> >
>>>>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
>>>>>>> > &
>>>>>>> > <
>>>>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882&
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
>>>>>>> >
>>>>>>> > [2]
>>>>>>> >
>>>>>>> >
>>>>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
>>>>>>> > &
>>>>>>> > <
>>>>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617&
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
>>>>>>> > _______________________________________________
>>>>>>> > keycloak-dev mailing list
>>>>>>> > keycloak-dev at lists.jboss.org
>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>> >
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>>>>>
More information about the keycloak-dev
mailing list