[keycloak-dev] usability vs. security

Bill Burke bburke at redhat.com
Mon Oct 7 10:14:20 EDT 2013


I'd like to have it that when an application is created in the admin 
console, the admin can view the exact configuration files needed to 
install in their application to enable security.

Unfortunately, this would involve populating application credentials in 
the config file, which would require exposing the application credentials 
through a REST interface, albeit a secure REST interface.

Do you think it is such a big security hole to allow for this?  I've 
been trying to keep the mantra to not expose credentials anywhere if 
possible, yet this is a very nice security usability feature.  We could 
even have it that an application password, TOTP, and/or cert is 
auto-generated.

Thoughts?
-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
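An added illustration of the trade-off raised above, not code from this thread or from Keycloak itself: if the server keeps only a hash of an auto-generated application secret, it can verify the secret but can never render it into a config file again, so a "show me the config" REST call only works when the plaintext is retained. The in-memory registry, the config field names and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 100_000  # assumed; tune for the deployment


def register_application(registry, app_name, store_plaintext):
    """Create an app entry with an auto-generated secret.

    registry is a constructed in-memory dict standing in for the admin
    server's store.  The secret is always hashed; it is additionally kept
    in plaintext only when store_plaintext is True, which is what a later
    config-download endpoint would need.
    """
    secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    record = {"salt": salt.hex(), "secret_hash": digest.hex()}
    if store_plaintext:
        record["secret"] = secret  # readable later through REST
    registry[app_name] = record
    return secret  # returned once, at creation time


def verify_secret(registry, app_name, presented):
    """Check a presented secret against the stored hash in constant time."""
    rec = registry[app_name]
    digest = hashlib.pbkdf2_hmac(
        "sha256", presented.encode(), bytes.fromhex(rec["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), rec["secret_hash"])


def render_config(app_name, realm, secret):
    """Render the adapter config an admin would paste into the app (field names assumed)."""
    cfg = {"realm": realm, "resource": app_name, "credentials": {"secret": secret}}
    return json.dumps(cfg, indent=2)


def config_from_rest(registry, app_name, realm):
    """Simulate a later GET of the generated config.

    Returns None when only the hash was stored: the credential cannot be
    recovered, so the usability feature is only possible with plaintext storage.
    """
    rec = registry[app_name]
    if "secret" not in rec:
        return None
    return render_config(app_name, realm, rec["secret"])
```

Returning the rendered config once from the creation call, and storing only the hash afterwards, gives the admin the usability benefit without a readable credential sitting behind a REST endpoint.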

