[keycloak-user] Load bearer-only app resource to iframe

Bill Burke bburke at redhat.com
Thu Jun 18 17:42:19 EDT 2015



On 6/18/2015 5:06 PM, Tair Sabirgaliev wrote:
>
>
> On 6/19/15 02:52, Bill Burke wrote:
>> Yeah, sorry, that was a stupid response to your question by me...I
>> wasn't thinking....
>>
>> Yeah, you're screwed. :)  There is no way around it. I guess the adapter
>> could set a cookie on bearer-only requests like it does for auth-code
>> requests and then authenticate via the cookie next time around, but then
>> you are vulnerable to CSRF attacks.
>
> Got this one:
> https://developer.mozilla.org/en-US/docs/Using_files_from_web_applications#Example.3A_Using_object_URLs_to_display_PDF
>
> Didn't try yet, but looks promising.
>
> The idea is to load the resource with XHR and render it in iframe using
> Object URLs.
>

I guess I wasn't crazy then ;)

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
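
The approach described in the quoted message (fetch the resource with the bearer token, then show it through an object URL), as an added example that is not part of the thread or of Keycloak's adapter code. It uses `fetch` in place of XHR; `API_ORIGIN`, the resource path, the PDF-only allowlist and the function names are assumptions.

```javascript
// Added example; API_ORIGIN and the resource path are hypothetical.
const API_ORIGIN = "https://api.example.com";
const ALLOWED_TYPES = ["application/pdf"]; // passive content only

// The token goes in the Authorization header only. No cookie is involved,
// so a cross-site page cannot make the browser replay it (the CSRF concern above).
function buildRequest(resourceUrl, token) {
  const url = new URL(resourceUrl, API_ORIGIN);
  if (url.origin !== API_ORIGIN) {
    throw new Error("refusing to send bearer token to " + url.origin);
  }
  return {
    url: url.href,
    init: {
      method: "GET",
      headers: { Authorization: "Bearer " + token },
      credentials: "omit",
    },
  };
}

// Fetch the protected resource and point the iframe at an object URL for it.
async function showInFrame(frame, resourceUrl, token, fetchImpl = fetch) {
  const { url, init } = buildRequest(resourceUrl, token);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error("HTTP " + res.status);
  const blob = await res.blob();
  // A blob: URL carries the origin of the page that created it, so active
  // content (HTML, SVG) would run with the application's privileges.
  if (!ALLOWED_TYPES.includes(blob.type)) {
    throw new Error("unexpected content type: " + blob.type);
  }
  // Release the previous document before replacing it.
  if (frame.dataset.objectUrl) URL.revokeObjectURL(frame.dataset.objectUrl);
  const objectUrl = URL.createObjectURL(blob);
  frame.dataset.objectUrl = objectUrl;
  frame.src = objectUrl;
  return objectUrl;
}
```

In the browser, `frame` is the iframe element and `token` is the access token the page already holds for the bearer-only service.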

