Is the keycloak client adapter (javascript adapter) secure enough?

I have had a look at the JavaScript adapter (Securing Applications and Services Guide).

I see that the access token is available in client-side JavaScript (e.g. keycloak.token).

Today, the security team said that the sensitive access token shouldn't be available to client-side JavaScript, as if there is XSS, the token can be stolen and reused by a hacker.

The security team requests that we store the token in a cookie with HttpOnly and Secure (likely we also need to add SameSite=Lax/Strict), so that even if there is XSS, the hacker cannot steal the token (though the hacker can still perform malicious actions inside the hacked browser session).

Can you please comment? Do the Keycloak developers consider client application protection against XSS issues?

Thank you.

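The cookie-based pattern the security team describes, as an added illustration that is not part of the original post or of Keycloak's own adapter code: a small backend-for-frontend (BFF) keeps the access token in an HttpOnly, Secure, SameSite cookie and turns it back into a bearer header for upstream calls, so browser JavaScript (including an injected script) never sees the token. The cookie name, paths and token value are constructed for the demo.

```javascript
// Added example (not from Keycloak or the original poster). Simulates the BFF
// side of "token in HttpOnly cookie" and what page scripts can observe.
const COOKIE_NAME = "bff_session"; // constructed cookie name

// Build the Set-Cookie value the BFF returns after finishing the OIDC login.
function buildTokenCookie(token, { maxAgeSeconds = 300, sameSite = "Lax" } = {}) {
  // Reject anything that is not a compact JWT-like token before it becomes a header.
  if (!/^[A-Za-z0-9._-]+$/.test(token)) throw new Error("unexpected token characters");
  return [
    `${COOKIE_NAME}=${token}`,
    "HttpOnly",             // hidden from document.cookie, so XSS cannot read it out
    "Secure",               // only sent over HTTPS
    `SameSite=${sameSite}`, // limits cross-site sending (CSRF); Strict is tighter than Lax
    "Path=/api",            // only sent to the BFF's API routes (constructed path)
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Parse an incoming Cookie request header into a name -> value map.
function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map(p => p.trim()).filter(Boolean).map(p => {
      const i = p.indexOf("=");
      return [p.slice(0, i), decodeURIComponent(p.slice(i + 1))];
    })
  );
}

// Model of what document.cookie exposes: browsers omit HttpOnly cookies.
// Given the Set-Cookie values a response carried, return the name=value pairs
// an injected script could read.
function visibleToScript(setCookieValues) {
  return setCookieValues
    .filter(v => !/;\s*HttpOnly\b/i.test(v))
    .map(v => v.split(";")[0]);
}

// On each API call the BFF maps the session cookie back to an Authorization
// header for the upstream service; the token stays server-side.
function authorizationFromRequest(req) {
  const token = parseCookies(req.headers.cookie)[COOKIE_NAME];
  return token ? `Bearer ${token}` : null;
}
```

Because the cookie is sent automatically, the SameSite attribute (or a CSRF token) is what stops cross-site requests from riding the session, which is the trade-off the post's parenthetical about SameSite refers to.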