[keycloak-dev] application configuration idea

[Stian Thorgersen]

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 20 September, 2013 3:48:05 PM
> Subject: Re: [keycloak-dev] application configuration idea
> 
> 
> 
> On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
> > Can you not just remove the password from the config file completely - and
> > pass the password directly using the system property?
> >
> 
> Config might also include:
> 
> * TOTP Key
> * Key pair and cert for two-way SSL.

Forgot that - with that in mind then encryption + password is a good approach - would be good if it could be enabled/disabled for a realm though

> 
> 
> > Another related thing, this only works for server-side
> > applications/services - for client-side applications the application
> > credentials aren't available (if they are an attacker can access them by
> > simply downloading the application). To my understanding this means we
> > need to support the implicit flow for client-side applications?
> >
> 
> Depends how the mobile native app wants to do authentication.
> Application credentials help prevent spoofing attacks.  i.e. making the
> user think they are logging into Bank of America or something when
> you're really logging into the attacker's site.  Auth server requires
> client to authenticate before turning a access code into an access
> token.  Mobile is different because the relationship between user and
> application is 1 to 1.  I'm not sure what to do for native mobile apps.

I guess if application doesn't have access to anything that's not public it's there's no security implications of the key/secrets to it being leaked. So with that in mind you could still use the full flow for both html5 and mobile (and any other client-side stuff, consoles, desktop apps, etc..)

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>