[keycloak-dev] Support for installed applications added (including example)

Bill Burke bburke at redhat.com
Fri Mar 7 10:32:49 EST 2014



On 3/7/2014 9:13 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 7 March, 2014 1:26:50 PM
>> Subject: Re: [keycloak-dev] Support for installed applications added (including example)
>>
>> Couldn't a lot of the example be pulled into an adapter library and
>> reused?
>
> Yes, that would be good. I mainly wanted to tick the box that we support installed applications. With these redirect uris we can claim we support CLI, desktop apps, etc.
>
>> Also, is there any security hole you've introduced with being
>> able to cut/paste the access token from the browser?  If there is a
>> public client, can a hacker now get an access token?
>
> Don't think so. It's just the code that's available not the token, and that's available from the query param in either case. It just displays it in the title and page instead.
>

Still sounds like a security hole for public clients.  For public 
clients we can "validate" that the access *code* is going to a valid 
client because of HTTPS.  If this "Cordova" support is on by default, 
then the hacker can just send a redirect_uri of 
"urn:ietf:wg:oauth:2.0:oob" or "http://localhost" and obtain the access 
code.  Is "CORDOVA" support on by default currently?


> BTW this is exactly what Google provides (https://developers.google.com/accounts/docs/OAuth2InstalledApp).
>

Google clients require a secret.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
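The concern raised above is that a public client (no client secret) is protected only by the authorization server sending the code to a registered redirect_uri, so honouring "urn:ietf:wg:oauth:2.0:oob" or "http://localhost" for every client by default would let anyone who knows a public client_id obtain a code. The following is an added, standalone illustration of the redirect_uri check that closes that gap; it is not Keycloak code and the Client model, the installed_app flag and the validate_redirect_uri function are assumptions made for the example. The installed-application redirect URIs are accepted only for clients explicitly registered as installed applications; everything else requires an exact match against the client's registered URIs. A default_on switch is included only to show what the "on by default" behaviour would accept.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Out-of-band redirect URI used by installed applications (as in the thread).
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}


@dataclass
class Client:
    """Hypothetical client registration (not Keycloak's model)."""
    client_id: str
    public: bool                       # no client secret
    installed_app: bool = False        # explicitly opted into oob / loopback URIs
    redirect_uris: set = field(default_factory=set)


def is_installed_app_uri(uri: str) -> bool:
    """True for the oob URI or an http loopback URI (any port, any path)."""
    if uri == OOB_URI:
        return True
    parsed = urlparse(uri)
    # hostname must be exactly localhost/127.0.0.1; "localhost.attacker.example"
    # or "localhost@other.example" do not qualify.
    return parsed.scheme == "http" and parsed.hostname in LOOPBACK_HOSTS


def validate_redirect_uri(client: Client, redirect_uri: str,
                          default_on: bool = False):
    """Return (accepted, reason) for the redirect_uri of an authorization request.

    default_on=True reproduces the risky behaviour discussed in the thread:
    installed-app URIs honoured for every client, registered or not.
    """
    # Exact match against the registration: no prefix or wildcard matching,
    # so "https://app.example/cb/../x" or a different port does not pass.
    if redirect_uri in client.redirect_uris:
        return True, "registered redirect_uri"
    if is_installed_app_uri(redirect_uri):
        if client.installed_app or default_on:
            return True, "installed-application redirect_uri"
        return False, "installed-application redirect_uri not enabled for client"
    return False, "redirect_uri not registered for client"


# Constructed sample registrations.
WEB_CLIENT = Client("web-portal", public=True,
                    redirect_uris={"https://app.example/cb"})
CLI_CLIENT = Client("cli-tool", public=True, installed_app=True)


def audit(default_on: bool = False) -> dict:
    """Run a set of constructed requests and report which are accepted."""
    cases = {
        "web registered": (WEB_CLIENT, "https://app.example/cb"),
        "web oob": (WEB_CLIENT, OOB_URI),
        "web localhost": (WEB_CLIENT, "http://localhost:8080/cb"),
        "web lookalike": (WEB_CLIENT, "http://localhost.attacker.example/cb"),
        "cli localhost": (CLI_CLIENT, "http://localhost:53214/cb"),
        "cli lookalike": (CLI_CLIENT, "http://localhost.attacker.example/cb"),
        "cli https": (CLI_CLIENT, "https://app.example/cb"),
    }
    return {name: validate_redirect_uri(c, uri, default_on)[0]
            for name, (c, uri) in cases.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"installed-app URIs on by default: {mode}")
        for name, ok in audit(default_on=mode).items():
            print(f"  {name:15s} -> {'accept' if ok else 'reject'}")
```

With default_on=False the web client's oob and loopback requests are rejected while the CLI client's loopback request is accepted; with default_on=True the web client's oob and loopback requests are accepted as well, which is the hole the thread describes.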

