[keycloak-dev] Support for installed applications added (including example)
Bill Burke
bburke at redhat.com
Fri Mar 7 12:18:23 EST 2014
On 3/7/2014 10:51 AM, Stian Thorgersen wrote:
>
> I don't understand how a hacker would use those redirect uris to obtain a code. localhost should always point to the local machine, so the code will never leave the machine. Same with urn:ietf:wg:oauth:2.0:oob; in that case the only difference is that the code is displayed in the title of the page instead of the code query param. If a hacker is able to intercept the URL of a page in the browser he will be able to obtain the code no matter what the redirect-uri is.
>
Easy, the hacker doesn't use a browser just a simple script. The
client_id of a public client could be known and it just does GET
/auth-server/realms/foo/tokens/auth-request?client_id=...&...
The server sends a Location response with a localhost uri which contains
the query params which contain the code.
Google is protected from this because they don't have public clients.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
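As an added illustration (not Keycloak's code, and not part of the thread) of the server-side checks that limit what an intercepted code is worth to an installed-application public client: exact matching of the requested redirect_uri against the client's registered list, and binding each issued code to its client, redirect_uri and a PKCE code challenge so the bare code cannot be redeemed by whoever obtains it. PKCE (RFC 7636) post-dates this discussion and is an assumption here; the client registry and code store are constructed in-memory stand-ins.

```python
import base64
import hashlib
import hmac
import secrets

OOB = "urn:ietf:wg:oauth:2.0:oob"

# Constructed client registry; a public client has no secret to prove identity.
CLIENTS = {
    "installed-app": {
        "public": True,
        "redirect_uris": ["http://localhost:8080/callback", OOB],
    },
}

# Constructed in-memory store: code -> (client_id, redirect_uri, code_challenge)
ISSUED = {}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Only a byte-for-byte registered redirect_uri is accepted; no prefixes, no wildcards."""
    client = CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id: str, redirect_uri: str, code_challenge):
    """Authorization endpoint (after the user has authenticated): refuse unregistered
    redirect_uris, and require a code_challenge from public clients."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return None
    if CLIENTS[client_id]["public"] and not code_challenge:
        return None
    code = secrets.token_urlsafe(32)
    ISSUED[code] = (client_id, redirect_uri, code_challenge)
    return code


def redeem_code(code: str, client_id: str, redirect_uri: str, code_verifier) -> bool:
    """Token endpoint: the code is single-use and must match the client, the
    redirect_uri it was issued for, and the PKCE verifier. True means a token may be issued."""
    entry = ISSUED.pop(code, None)  # consumed whether or not the checks below pass
    if entry is None:
        return False
    issued_client, issued_redirect, challenge = entry
    if issued_client != client_id or issued_redirect != redirect_uri:
        return False
    if challenge is not None:
        return hmac.compare_digest(s256(code_verifier or ""), challenge)
    return True
```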