[keycloak-user] keycloak js adapter - authorization code vs implicit flow
petr40@wp.pl
Fri Sep 28 04:51:20 EDT 2018
Hello! I don't understand why authorization code is the default mode in the keycloak.js adapter (for SPA JavaScript applications). Should it be implicit flow instead? Is it safe to use this flow for public clients?

I know that "sending the access token in the URL fragment can be a security vulnerability", but:
- the authorization code is also returned in query params
- CORS needs to be enabled on the server side (to exchange the code for a token via POST)
- we have an extra step
- we can use refresh tokens, but we can also make this work in implicit flow (hidden iframe)

If my arguments are wrong: why do we need implicit flow if it is authorization code? How does it relate to the OpenID Connect / OAuth specification?

Thanks!