[keycloak-user] Confidential RESTful client

Bruce Shaw battery4cid at gmail.com
Fri Feb 19 17:18:44 EST 2016


I have an AngularJS single page web-app that makes RESTful API calls to get
secured data from our server (Play Framework). I originally set it up to
be a public client using the keycloak.js adapter but I'm wondering if
there's a more secure way.

Instead of having the redirect response (with the authorization code) come
back to keycloak.js followed by the request to get the access token,
wouldn't it be more secure to have the JavaScript post the returned
authorization code to our server, or just set the redirect URL to an
endpoint on our server to make the backchannel request (with client secret
and ID) for the access token? Then we can redirect the user to the
appropriate location with the access token in the response?

I guess I'm trying to make my RESTful API a confidential client; any input
or direction would help.

thanks.
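The flow asked about above, as an added example that is not part of the original post and not Keycloak's or Play's own code: the redirect URI points at a server endpoint, the server checks the `state` it issued, exchanges the one-time authorization code over the backchannel with the client id and secret (which therefore never reach the browser), and then keeps the resulting tokens in its own session instead of putting the access token into a redirect. The realm URL, client id, secret and redirect URI are assumed placeholders, and the `post` callable is injectable only so the exchange can be walked through offline against a constructed Keycloak-style token response.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request

# All endpoint names and credentials below are assumptions for illustration.
KEYCLOAK_BASE = "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect"
CLIENT_ID = "play-backend"                     # assumed confidential client id
CLIENT_SECRET = "REPLACE_WITH_CLIENT_SECRET"   # placeholder; lives only on the server
REDIRECT_URI = "https://app.example.com/oauth/callback"  # assumed server endpoint


def build_login_redirect(session):
    """Step 1: send the browser to Keycloak. The random state value is stored in
    the server session so the later callback can be bound to this login."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    return KEYCLOAK_BASE + "/auth?" + urllib.parse.urlencode(params)


def build_token_request(code):
    """Step 3: the backchannel request. Client id and secret go in an HTTP Basic
    header (RFC 6749 section 2.3.1) and the code is exchanged exactly once."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must match the value used in step 1
    }).encode()
    return KEYCLOAK_BASE + "/token", headers, body


def exchange_code(code, post=None):
    """Perform the exchange; `post` defaults to a real urllib POST."""
    url, headers, body = build_token_request(code)
    if post is None:
        def post(u, h, b):
            req = urllib.request.Request(u, data=b, headers=h, method="POST")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
    status, raw = post(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}")
    tokens = json.loads(raw)
    if tokens.get("token_type", "").lower() != "bearer" or "access_token" not in tokens:
        raise RuntimeError("unexpected token response")
    return tokens


def handle_callback(query_string, session, post=None):
    """Step 2: the redirect_uri handler. Rejects callbacks whose state does not
    match (CSRF or replay), swaps the code for tokens, and keeps the tokens in
    the server session; the browser only receives where to go next."""
    query = urllib.parse.parse_qs(query_string)
    if "error" in query:
        raise PermissionError(query["error"][0])
    expected = session.pop("oauth_state", None)   # single use
    if expected is None or query.get("state", [None])[0] != expected:
        raise PermissionError("state mismatch: unexpected or replayed callback")
    code = query.get("code", [None])[0]
    if not code:
        raise PermissionError("missing authorization code")
    tokens = exchange_code(code, post)
    session["access_token"] = tokens["access_token"]
    session["refresh_token"] = tokens.get("refresh_token")
    return {"redirect": "/app"}


# Constructed Keycloak-style token endpoint used for the offline walkthrough.
def fake_keycloak_post(url, headers, body):
    assert url.endswith("/token") and headers["Authorization"].startswith("Basic ")
    fields = urllib.parse.parse_qs(body.decode())
    if fields["grant_type"][0] != "authorization_code" or fields["code"][0] != "good-code":
        return 400, b'{"error":"invalid_grant"}'
    return 200, json.dumps({"access_token": "at-123", "refresh_token": "rt-456",
                            "token_type": "Bearer", "expires_in": 300}).encode()


if __name__ == "__main__":
    sess = {}
    print(build_login_redirect(sess))
    result = handle_callback(f"code=good-code&state={sess['oauth_state']}",
                             sess, fake_keycloak_post)
    print(result, "token held server-side:", sess["access_token"])
```

Once the tokens sit in the server session, the AngularJS app calls the Play API with its ordinary session cookie and the server attaches the bearer token to downstream calls itself; handing the access token back in a redirect would expose it through browser history, logs and the Referer header, which is the leakage the backchannel exchange is meant to avoid. In Keycloak terms this corresponds to registering the Play backend as a client with confidential access type, while the browser-side adapter is no longer needed for the login itself.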