[keycloak-dev] Credentials in javascript adapter

Jon Koops jonkoops at gmail.com
Thu Nov 7 08:38:28 EST 2019


I've created an issue and a PR for the aforementioned:

- https://issues.jboss.org/browse/KEYCLOAK-11971
- https://github.com/keycloak/keycloak/pull/6454

On Thu, Nov 7, 2019 at 2:21 PM Jon Koops <jonkoops at gmail.com> wrote:

> Ok, I'll whip up a PR to make the change, I'll keep you posted here.
>
> On Thu, Nov 7, 2019 at 2:19 PM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> +1
>>
>> On Thu, 7 Nov 2019 at 14:13, Michal Hajas <mhajas at redhat.com> wrote:
>>
>>> +1
>>>
>>> On Thu, Nov 7, 2019 at 2:10 PM Jon Koops <jonkoops at gmail.com> wrote:
>>>
>>>> If you ask me this is undocumented behaviour, and it's not secure so
>>>> I'd just remove it.
>>>>
>>>> On Thu, Nov 7, 2019 at 2:08 PM Michal Hajas <mhajas at redhat.com> wrote:
>>>>
>>>>> To me it looks like it is quite a security issue to use confidential
>>>>> clients with javascript adapter. Isn't it kind of ok to break it for those
>>>>> which are using it in that case?
>>>>>
>>>>> Michal
>>>>>
>>>>> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:
>>>>>
>>>>>> Sure, how about I whip up a PR much like this one
>>>>>> <https://github.com/keycloak/keycloak/pull/6318>. Would that be
>>>>>> acceptable?
>>>>>>
>>>>>> On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
>>>>>> wrote:
>>>>>>
>>>>>>> That'd work. As it's not documented we can probably instead just log
>>>>>>> a warning to the console?
>>>>>>>
>>>>>>> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
>>>>>>>
>>>>>>>> We recently also deprecated non-native promises with the intent to
>>>>>>>> remove this behavior in the future. Would it not then make sense to
>>>>>>>> deprecate this behavior now and remove it eventually? Especially
>>>>>>>> considering this behavior is not very secure and just adds extra cruft to
>>>>>>>> the adapter code.
>>>>>>>>
>>>>>>>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <
>>>>>>>> sthorger at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> It might be there from the early days when we didn't have public
>>>>>>>>> clients. I'd probably just keep it in case someone is using it with a
>>>>>>>>> confidential client as removing it would break it for them. Although
>>>>>>>>> strictly speaking you shouldn't use a confidential client with a
>>>>>>>>> client-side app.
>>>>>>>>>
>>>>>>>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> > Hello,
>>>>>>>>> >
>>>>>>>>> > in the Javascript adapter we have a possibility to configure a
>>>>>>>>> > client secret [1] in order to use Basic authorization for requests
>>>>>>>>> > to the token endpoint [2]. I haven't found any information in the
>>>>>>>>> > docs about it and I don't understand why we have it there, as
>>>>>>>>> > public clients don't have secrets. Is this useful in some
>>>>>>>>> > scenarios, or should we remove it?
>>>>>>>>> >
>>>>>>>>> > Michal
>>>>>>>>> >
>>>>>>>>> > [1]
>>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
>>>>>>>>> > &
>>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
>>>>>>>>> >
>>>>>>>>> > [2]
>>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
>>>>>>>>> > &
>>>>>>>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
>>>>>>>>> > _______________________________________________
>>>>>>>>> > keycloak-dev mailing list
>>>>>>>>> > keycloak-dev at lists.jboss.org
>>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>> >
>>>>>>>>
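The change discussed in this thread, shown as an added example that is not the Keycloak adapter's own code: a minimal browser-side token-endpoint request builder that refuses to send a configured client secret as a Basic authorization header, logging a warning instead. The names `buildTokenRequest`, `config.credentials.secret` and the `warn` parameter are assumptions for this illustration.

```javascript
// Added example, not code from the Keycloak javascript adapter.
// A browser app cannot keep a secret: anyone who loads the page can read it,
// so sending "Authorization: Basic base64(clientId:secret)" from the browser
// gives no real client authentication. A public client must authenticate the
// token request with client_id only (plus PKCE where supported).

function buildTokenRequest(config, code, redirectUri, warn = console.warn) {
  const { clientId, credentials } = config;

  // Standard authorization-code exchange parameters for a public client.
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  });

  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  // Hypothetical shape: config.credentials.secret is what a developer would
  // set to get the old Basic-auth behaviour. Drop it and warn rather than
  // shipping the secret to every user of the app.
  if (credentials && credentials.secret) {
    warn(
      `[oidc] Client "${clientId}" has a secret configured, but a browser ` +
      `application is a public client; the secret is ignored and should be ` +
      `removed from the deployment.`
    );
  }

  return { headers, body: params.toString() };
}

// Usage with a constructed configuration (not a real deployment):
const demo = buildTokenRequest(
  { clientId: 'my-spa', credentials: { secret: 'constructed-secret' } },
  'constructed-code',
  'https://app.example/callback'
);
// demo.headers has no Authorization entry and demo.body carries no secret.
```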