This would not be a secure approach as Keycloak should be using a confidential client, and it should control the nonce/state/etc parameters, which shouldn't be delegated to client side. Allowing the client side to control this would make it possible for an attacker to authenticate as a user with Keycloak if they were able to obtain the ID token etc for another user.
@stianst The nonce and state could still be controlled by the server side. The server would still be the one to construct the
I have a scenario where I would like to add a new IdP that is not accessible to the internet, but Keycloak is running outside that network and accessible via the internet. In this configuration, my browser can reach both Keycloak and the IdP, but Keycloak itself can not reach the IdP.
The way this would work is that on the callback from the OIDC authorization, the call to the token endpoint would happen via XHR on the website and the result would then be passed to the backend to be validated.
My thought is that this should still be possible to do securely as long as:
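The server-side state/nonce binding that the maintainer's reply insists on, as an added example (not code from this thread or from Keycloak): the broker mints state and nonce into its own session, and on the callback it accepts only an ID token whose nonce matches that session, so a valid token obtained from some other user's login is rejected even though its signature checks out. It assumes a constructed IdP stand-in that signs tokens with HS256 using a constructed shared secret, a plain dict in place of the server session, and a caller-supplied clock.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values: a symmetric key standing in for the IdP's signing key (HS256 for
# brevity; a real IdP would use an asymmetric key published at its JWKS endpoint).
IDP_SECRET = b"constructed-idp-signing-secret"
ISSUER = "https://idp.example.internal"
CLIENT_ID = "keycloak-broker"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict) -> str:
    """Stand-in for the IdP's token endpoint: returns an HS256-signed ID token."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def start_login(session: dict) -> dict:
    """Broker side: state and nonce are minted into the server session, not by the browser."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    return {"state": session["state"], "nonce": session["nonce"]}

def finish_login(session: dict, state: str, id_token: str, now: int) -> dict:
    """Broker side of the callback: accepts only a token issued for the login this session started."""
    if not hmac.compare_digest(session.pop("state", ""), state):
        raise ValueError("state mismatch")
    head, body, sig = id_token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    # The nonce ties the token to the login this server started; a correctly signed token
    # from another user's login, handed in by the browser, fails right here.
    if not hmac.compare_digest(session.pop("nonce", ""), str(claims.get("nonce", ""))):
        raise ValueError("nonce mismatch")
    return claims
```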