[keycloak-dev] Credentials in javascript adapter

Jon Koops jonkoops at gmail.com
Thu Nov 7 08:21:29 EST 2019


Ok, I'll whip up a PR to make the change; I'll keep you posted here.

On Thu, Nov 7, 2019 at 2:19 PM Stian Thorgersen <sthorger at redhat.com> wrote:

> +1
>
> On Thu, 7 Nov 2019 at 14:13, Michal Hajas <mhajas at redhat.com> wrote:
>
>> +1
>>
>> On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops at gmail.com> wrote:
>>
>>> If you ask me this is undocumented behaviour, and it's not secure so I'd
>>> just remove it.
>>>
>>> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas at redhat.com> wrote:
>>>
>>>> To me it looks like it is quite a security issue to use confidential
>>>> clients with the JavaScript adapter. Isn't it kind of ok to break it for
>>>> those who are using it in that case?
>>>>
>>>> Michal
>>>>
>>>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:
>>>>
>>>>> Sure, how about I whip up a PR much like this one
>>>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>>>> acceptable?
>>>>>
>>>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> That'd work. As it's not documented we can probably instead just log
>>>>>> a warning to the console?
>>>>>>
>>>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
>>>>>>
>>>>>>> We recently also deprecated non-native promises with the intent to
>>>>>>> remove this behavior in the future. Would it not then make sense to
>>>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>>>> considering this behavior is not very secure and just adds extra cruft to
>>>>>>> the adapter code.
>>>>>>>
>>>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> It might be there from the early days when we didn't have public
>>>>>>>> clients. I'd probably just keep it in case someone is using it with a
>>>>>>>> confidential client as removing it would break it for them. Although
>>>>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>>>>> client-side app.
>>>>>>>>
>>>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> > Hello,
>>>>>>>> >
>>>>>>>> > in the JavaScript adapter we have the possibility to configure a client
>>>>>>>> > secret [1] in order to use Basic authorization for requests to the token
>>>>>>>> > endpoint [2]. I haven't found any information in the docs about it and I
>>>>>>>> > don't understand why we have it there as public clients don't have
>>>>>>>> > secrets. Is this useful in some scenarios or should we remove it?
>>>>>>>> >
>>>>>>>> > Michal
>>>>>>>> >
>>>>>>>> > [1]
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
>>>>>>>> > &
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
>>>>>>>> >
>>>>>>>> > [2]
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
>>>>>>>> > &
>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
>>>>>>>> > _______________________________________________
>>>>>>>> > keycloak-dev mailing list
>>>>>>>> > keycloak-dev at lists.jboss.org
>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>> >
>>>>>>>
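The thread above weighs two options for the adapter's undocumented `credentials.secret` setting: keep it and log a console warning, or remove it because a secret shipped to a browser is readable by anyone who loads the page. The following is an added illustration, not code from the Keycloak JavaScript adapter or from anyone in the thread. It places the legacy behaviour (the configured secret turned into an HTTP Basic header on token-endpoint requests, i.e. `client_secret_basic` from RFC 6749) beside a public-client request that ignores any configured secret and warns about it instead. The function names (`legacyBasicAuthHeader`, `buildTokenRequest`, `hasEmbeddedSecret`), the `config.credentials.secret` option shape and all sample values are assumptions made for this example.

```javascript
// Added example, not the Keycloak adapter's own code. Names and the config
// shape are assumptions; sample values are constructed.

// base64 helper that works in browsers (btoa) and in Node (Buffer).
const toBase64 = (s) =>
  typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64');

// Legacy behaviour under discussion: client_secret_basic (RFC 6749 s.2.3.1).
// The secret is sent on every token request and therefore has to live in the
// page's JavaScript, where it cannot be kept confidential.
function legacyBasicAuthHeader(clientId, secret) {
  return 'Basic ' + toBase64(`${clientId}:${secret}`);
}

// Warnings are collected so the behaviour can be checked without a console.
const warnings = [];
function warn(message) {
  warnings.push(message);
  if (typeof console !== 'undefined') console.warn(message);
}

// Audit helper: true when a deployed adapter config embeds a client secret.
function hasEmbeddedSecret(config) {
  return Boolean(config && config.credentials && config.credentials.secret);
}

// Hardened behaviour: build an authorization-code token request for a public
// client. The client is identified by client_id in the body and protected by
// PKCE (code_verifier); a configured secret is reported and never sent.
function buildTokenRequest(config, { code, redirectUri, codeVerifier }) {
  if (hasEmbeddedSecret(config)) {
    warn(
      `[keycloak] client '${config.clientId}' is configured with a client secret; ` +
      'secrets cannot be protected in a browser. Use a public client instead. ' +
      'The secret is ignored.'
    );
  }

  const params = new URLSearchParams();
  params.set('grant_type', 'authorization_code');
  params.set('code', code);
  params.set('redirect_uri', redirectUri);
  params.set('client_id', config.clientId);
  if (codeVerifier) params.set('code_verifier', codeVerifier);

  // No Authorization header: nothing here identifies the client beyond client_id.
  return {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Usage with constructed sample values (a config that still carries a secret).
const sampleConfig = { clientId: 'spa-client', credentials: { secret: 's3cret' } };
const sampleRequest = buildTokenRequest(sampleConfig, {
  code: 'constructed-code',
  redirectUri: 'https://app.example/callback',
  codeVerifier: 'constructed-verifier',
});
```

Running the block against `sampleConfig` produces one warning and a request body that carries `client_id` and `code_verifier` but no trace of the secret; `hasEmbeddedSecret` can be reused on its own as a deploy-time check that a browser bundle is not shipping a confidential client's credentials.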

