[keycloak-dev] application configuration idea

Stian Thorgersen stian at redhat.com
Fri Sep 20 10:29:16 EDT 2013


Can you not just remove the password from the config file completely - and pass the password directly using the system property?

Another related thing, this only works for server-side applications/services - for client-side applications the application credentials aren't available (if they are an attacker can access them by simply downloading the application). To my understanding this means we need to support the implicit flow for client-side applications?

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 20 September, 2013 3:19:13 PM
> Subject: [keycloak-dev] application configuration idea
> 
> This is what an application configuration file looks like:
> 
> {
>    "realm" : "demo",
>    "resource" : "product-portal",
>    "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC",
>    "auth-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/login",
>    "code-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/access/codes",
>     "ssl-not-required" : true,
>     "credentials" : {
>        "password" : "password"
>     }
> }
> 
> Notice that the credentials are in clear text.  Admins will dislike this
> tremendously.  What I propose is that you must obtain the application
> configuration file from the admin console. The configuration file would
> be encrypted using a hash of a password specific to the application.
> The config file would then look something like this:
> 
> {
>     "realm" : "demo",
>     "encryptedConfig" : "MIGMA0GCSqGS..."
> }
> 
> Then, your server instance must be booted up via a system property or
> environment variable, i.e.:
> 
> standalone.sh -Dkeycloak.myrealm.password=geheim
> 
> The keycloak plugin would then decrypt the application config file based
> on this password.
> 
> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 