[keycloak-dev] usability vs. security

Marek Posolda mposolda at redhat.com
Tue Oct 8 03:50:01 EDT 2013


On 7.10.2013 16:14, Bill Burke wrote:
> I'd like to have it that when an application is created in the admin
> console, the admin can view the exact configuration files needed to
> install in their application to enable security.
>
> Unfortunately, this would involve populating application credentials in
> the config file which would require exposing the application credentials
> through a REST interface, albeit a secure REST interface.
Security is one thing, and another important thing is that application 
credentials are actually saved in the Picketlink DB (and I am doing 
similarly for the Mongo impl) in the form of a salted hash, and it's not 
possible to restore the original plain-text password from the DB. Maybe we can 
fill everything into the configuration file except the password/totp, and 
this will be the only thing that would need to be manually added to the 
configuration file by the user himself? So generated config files could 
possibly look like this:

{
   "realm" : "demo",
   "resource" : "customer-portal",
   "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
   "auth-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/login",
   "code-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/access/codes",
   "ssl-not-required" : true,
   "credentials" : {
      "password" : "<REPLACE WITH YOUR PASSWORD>"
   }
}

I think that auto-generation of credentials through the Admin UI would 
also be a nice feature. After triggering auto-generation from the admin UI, 
the password could be saved into the underlying storage and displayed to the user in 
plain text just once so that he can fill it into the configuration file.

Marek
>
> Do you think it is such a big security hole to allow for this?  I've
> been trying to keep the mantra to not expose credentials anywhere if
> possible, yet this is a very nice security usability feature.  We could
> even have it that an application password, totp, and/or cert is auto
> generated.
>
> Thoughts?
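An added illustration of the scheme Marek sketches above (example code written for this page, not Keycloak or Picketlink code): the server renders the client config with everything it knows, keeps only a salted hash of the application password, and hands out the generated plain-text password exactly once. The function names, the PBKDF2 storage format and the store dict are assumptions for the example.

```python
import hashlib
import json
import os
import secrets

PLACEHOLDER = "<REPLACE WITH YOUR PASSWORD>"
PBKDF2_ROUNDS = 100_000  # assumed value for the example

def hash_secret(secret, salt=None):
    """Return a salted PBKDF2-SHA256 hash; the plaintext is never stored (hypothetical format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())

def verify_secret(secret, stored):
    """Constant-time check of a presented secret against the stored salted hash."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), digest_hex)

def render_client_config(realm, resource, realm_public_key, base_url, password=None):
    """Everything but the password is known to the server and can be generated;
    the password is a placeholder unless a freshly generated plaintext is passed in."""
    tokens = "%s/rest/realms/%s/tokens" % (base_url, realm)
    return json.dumps({
        "realm": realm,
        "resource": resource,
        "realm-public-key": realm_public_key,
        "auth-url": tokens + "/login",
        "code-url": tokens + "/access/codes",
        "ssl-not-required": True,
        "credentials": {"password": password or PLACEHOLDER},
    }, indent=3)

def provision_client(store, realm, resource, realm_public_key, base_url):
    """Auto-generate the application password: persist only its salted hash in
    `store` (a dict standing in for the DB) and return the config with the
    plaintext filled in. Later renders from the store can only emit the placeholder."""
    secret = secrets.token_urlsafe(32)
    store[(realm, resource)] = hash_secret(secret)
    return render_client_config(realm, resource, realm_public_key, base_url, secret)

def config_password(config_text):
    """Helper: pull the credentials.password value out of a rendered config."""
    return json.loads(config_text)["credentials"]["password"]
```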
