[keycloak-dev] Credentials in javascript adapter

Bruno Oliveira bruno at abstractj.org
Thu Nov 7 08:40:24 EST 2019


+1 about just breaking it and documenting that it was removed


On Thu, Nov 7, 2019 at 10:08 AM Michal Hajas <mhajas at redhat.com> wrote:
>
> To me it looks like it is quite a security issue to use confidential
> clients with javascript adapter. Isn't it kind of ok to break it for those
> which are using it in that case?
>
> Michal
>
> On Thu, Nov 7, 2019 at 2:00 PM Jon Koops <jonkoops at gmail.com> wrote:
>
> > Sure, how about I whip up a PR much like this one
> > <https://github.com/keycloak/keycloak/pull/6318>. Would that be
> > acceptable?
> >
> > On Thu, Nov 7, 2019 at 1:57 PM Stian Thorgersen <sthorger at redhat.com>
> > wrote:
> >
> >> That'd work. As it's not documented we can probably instead just log a
> >> warning to the console?
> >>
> >> On Thu, 7 Nov 2019 at 13:55, Jon Koops <jonkoops at gmail.com> wrote:
> >>
> >>> We recently also deprecated non-native promises with the intent to
> >>> remove this behavior in the future. Would it not then make sense to
> >>> deprecate this behavior now and remove it eventually? Especially
> >>> considering this behavior is not very secure and just adds extra cruft to
> >>> the adapter code.
> >>>
> >>> On Thu, Nov 7, 2019 at 1:51 PM Stian Thorgersen <sthorger at redhat.com>
> >>> wrote:
> >>>
> >>>> It might be there from the early days when we didn't have public
> >>>> clients. I'd probably just keep it in case someone is using it with a
> >>>> confidential client as removing it would break it for them. Although
> >>>> strictly speaking you shouldn't use a confidential client with a
> >>>> client-side app.
> >>>>
> >>>> On Thu, 7 Nov 2019 at 07:42, Michal Hajas <mhajas at redhat.com> wrote:
> >>>>
> >>>> > Hello,
> >>>> >
> >>>> > in the Javascript adapter we have a possibility to configure a client
> >>>> > secret [1] in order to use Basic authorization for requests to the
> >>>> > token endpoint [2]. I haven't found any information in the docs about
> >>>> > it and I don't understand why we have it there, as public clients
> >>>> > don't have secrets. Is this useful in some scenarios or should we
> >>>> > remove it?
> >>>> >
> >>>> > Michal
> >>>> >
> >>>> > [1]
> >>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L882
> >>>> > &
> >>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L866
> >>>> >
> >>>> > [2]
> >>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L617
> >>>> > &
> >>>> > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L732
> >>>> > _______________________________________________
> >>>> > keycloak-dev mailing list
> >>>> > keycloak-dev at lists.jboss.org
> >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>> >
> >>>>
> >>>



-- 
- abstractj
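As an added example (not code from keycloak.js or from anyone in the thread), this models the behaviour under discussion, an adapter that accepts a client secret and then sends HTTP Basic credentials to the token endpoint, together with the deprecation warning Stian and Jon proposed, and an audit helper that flags such a config. The option name `credentials.secret`, the warning text and the audit function are assumptions for this example.

```javascript
// Added example, not keycloak.js itself. Models the code path the thread
// describes: when a client secret is configured, the token request carries
// HTTP Basic credentials. The option name `credentials.secret` is assumed.
function buildTokenRequestHeaders(kcConfig, warn = console.warn) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  const secret = kcConfig.credentials && kcConfig.credentials.secret;
  if (secret) {
    // Everything in this branch ships to every visitor's browser, so the
    // "secret" is effectively public; the warning is the deprecation step
    // suggested in the thread instead of removing the option outright.
    warn('[KEYCLOAK] credentials.secret is deprecated: a secret shipped to ' +
         'the browser is not confidential. Use a public client instead.');
    const basic = Buffer.from(`${kcConfig.clientId}:${secret}`).toString('base64');
    headers.Authorization = `Basic ${basic}`;
  }
  return headers;
}

// Assumed audit helper (not part of the adapter): reviews adapter init
// options for confidential-client material that would end up in client-side
// code, returning one finding per problem found.
function auditAdapterConfig(kcConfig) {
  const findings = [];
  if (!kcConfig.clientId) {
    findings.push('clientId missing: a public client still identifies itself ' +
                  'with client_id in the token request body');
  }
  if (kcConfig.credentials && kcConfig.credentials.secret) {
    findings.push('credentials.secret present: a confidential client secret ' +
                  'would be shipped to browsers; switch to a public client');
  }
  return findings;
}
```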

