[keycloak-user] Confidential RESTful client

Stian Thorgersen sthorger at redhat.com
Wed Feb 24 13:53:12 EST 2016


How would you transfer the token to your Angular app? In that case you also
need to transfer the refresh token, which is more important to keep safe.

I'd say that there's a fairly good chance that you'd end up doing something
less safe by doing something custom. Clever people have designed OpenID
Connect flows and the vulnerabilities are well understood and can be
mitigated.

If you are worried, have a read up on OpenID Connect and also read the
vulnerabilities docs they have.

On 24 February 2016 at 15:52, Bruce Shaw <battery4cid at gmail.com> wrote:

> Thanks for the follow up. I understand how having my custom javascript
> post to our server doesn't buy us anything.  I'm more curious what you
> think about pointing the redirect_url to an api on our server that would
> take in the Authorization Code and make the backchannel call for the access
> token with the Client credentials.  Does that seem reasonable or does this
> seem like overkill?
>
> thanks
>
> On Tue, Feb 23, 2016 at 1:11 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
>> As long as you use HTTPS and make sure you set redirect uris correctly,
>> it's secure. The authorization code has a short lifespan so there's a very
>> low chance that someone could retrieve it from the browser history. Further,
>> the redirect uris prevent other applications from sniffing it.
>>
>> I don't see how what you are proposing would be any more secure. You
>> still have to transfer the token to the HTML5 application. So you've just
>> moved the problem from the interaction with Keycloak to a custom
>> implementation on your end.
>>
>> On 19 February 2016 at 23:18, Bruce Shaw <battery4cid at gmail.com> wrote:
>>
>>> I have an AngularJS single page web-app that makes RESTful API calls to
>>> get secured data from our server (Play Framework).  I originally set it up
>>> to be a public client using the keycloak.js adapter but I’m wondering if
>>> there’s a more secure way.
>>>
>>> Instead of having the redirect response (with the authorization code)
>>> come back to the keycloak.js followed by the request to get the access
>>> token, wouldn’t it be more secure to have the javascript post the returned
>>> authorization code to our server or just set the redirect url to an
>>> endpoint on our server to make the backchannel request (with client secret
>>> and id) for the access token?  Then we can redirect the user to the
>>> appropriate location with the access token in the response?
>>>
>>> I guess I’m trying to make my RESTful api a confidential client; any
>>> input or direction would help.
>>>
>>> thanks.
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
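The server-side variant Bruce asks about (redirect_uri pointing at a back-end endpoint that does the back-channel code exchange with the client id and secret), as an added example. This is not code from the thread, from Keycloak or from keycloak.js; the issuer, client id, secret, URLs and the stand-in token endpoint are all made-up assumptions, and the token endpoint path follows Keycloak's /realms/<realm>/protocol/openid-connect/token convention. It also shows the two checks Stian's replies rely on: the code is bound to the registered redirect_uri, and a one-time state value ties the callback to the session that started the login.

```python
"""Added example, not code from the thread or from Keycloak / keycloak.js.

A confidential back end registered as the redirect_uri that performs the
back-channel authorization-code exchange itself, so the client secret and the
refresh token never reach the browser. Issuer, client id, secret, URLs and the
fake Keycloak transport are assumptions made up for this example.
"""
import base64
import hmac
import secrets
from urllib.parse import urlencode

# Assumed configuration (hypothetical values).
ISSUER = "https://sso.example.com/auth/realms/demo"
CLIENT_ID = "play-backend"
CLIENT_SECRET = "s3cr3t"                                   # lives only on the server
REDIRECT_URI = "https://app.example.com/api/oidc/callback"  # must be whitelisted in Keycloak
TOKEN_ENDPOINT = ISSUER + "/protocol/openid-connect/token"


def new_login_state(session):
    """Mint a one-time state value and remember it in the server-side session."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    return session["oidc_state"]


def build_token_request(code):
    """Return (url, headers, body) for the back-channel code exchange.
    The client authenticates with HTTP Basic; redirect_uri must equal the
    one used in the authorization request or Keycloak rejects the code."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    })
    return TOKEN_ENDPOINT, headers, body


def handle_callback(query, session, post):
    """Handle GET <redirect_uri>?code=...&state=... on the server.

    query:   dict of query-string parameters sent back by Keycloak
    session: dict backing the user's server-side session
    post:    callable(url, headers, body) -> (status, dict), injected so the
             example runs offline against the stand-in below
    Returns (http_status, json_body) the way an HTTP handler would.
    """
    if "error" in query:
        return 400, {"error": query["error"]}
    expected = session.pop("oidc_state", None)      # one-time use
    got = query.get("state", "")
    if not expected or not hmac.compare_digest(expected, got):
        return 400, {"error": "state_mismatch"}      # CSRF / code-injection defence
    code = query.get("code")
    if not code:
        return 400, {"error": "missing_code"}
    url, headers, body = build_token_request(code)
    status, tokens = post(url, headers, body)
    if status != 200 or "access_token" not in tokens:
        return 502, {"error": "token_exchange_failed"}
    # Design choice of this example: the refresh token stays on the server;
    # only the short-lived access token is handed to the Angular app.
    session["refresh_token"] = tokens.get("refresh_token")
    return 200, {"access_token": tokens["access_token"],
                 "expires_in": tokens.get("expires_in")}


# Constructed stand-in for Keycloak's token endpoint (not real Keycloak code).
VALID_CODE = "code-123"


def fake_keycloak_post(url, headers, body):
    auth = headers.get("Authorization", "")
    if url != TOKEN_ENDPOINT or not auth.startswith("Basic "):
        return 401, {"error": "unauthorized_client"}
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    if (user, pw) != (CLIENT_ID, CLIENT_SECRET):
        return 401, {"error": "unauthorized_client"}
    params = dict(p.split("=", 1) for p in body.split("&"))
    if params.get("grant_type") != "authorization_code" or params.get("code") != VALID_CODE:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "at-xyz", "refresh_token": "rt-xyz",
                 "expires_in": 300, "token_type": "bearer"}


if __name__ == "__main__":
    sess = {}
    state = new_login_state(sess)
    print(handle_callback({"code": VALID_CODE, "state": state}, sess, fake_keycloak_post))
```

Stian's objection still holds for this design: the Angular app still receives the access token from the callback response, so the hand-off from server to browser is now custom code rather than the standard keycloak.js flow. Keeping the refresh token server-side is this example's choice for limiting what is exposed, not something the thread prescribes.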