[keycloak-dev] Support for installed applications added (including example)

Bill Burke bburke at redhat.com
Fri Mar 7 12:51:23 EST 2014



On 3/7/2014 12:18 PM, Bill Burke wrote:
>
>
> On 3/7/2014 10:51 AM, Stian Thorgersen wrote:
>>
>> I don't understand how a hacker would use those redirect URIs to obtain a code. localhost should always point to the local machine, so the code will never leave the machine. Same with urn:ietf:wg:oauth:2.0:oob; in that case the only difference is that the code is displayed in the title of the page instead of in the code query param. If a hacker is able to intercept the URL of a page in the browser, he will be able to obtain the code no matter what the redirect-uri is.
>>
>
> Easy, the hacker doesn't use a browser, just a simple script.  The
> client_id of a public client could be known and it just does GET
> /auth-server/realms/foo/tokens/auth-request?client_id=...&...
>
> The server sends a Location response with a localhost URI which contains
> the query params, which contain the code.
>

Ugh, I'm stupid, that could happen regardless.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
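The client side of the installed-application flow the thread argues about, as an added example that is not Keycloak's code nor anything posted in this message. It shows the two ways the code gets back to a public client named above: a loopback redirect, where the code arrives as a query parameter on a listener the app binds locally, and urn:ietf:wg:oauth:2.0:oob, where the code is displayed in the page title and the user pastes it. The server base URL, realm "foo" and client_id "my-installed-app" are placeholders; the auth-request path is the one quoted in the message; the exact oob title format is not stated on the page, so the parser assumes the title is either the bare code or contains "code=<value>".

```python
"""Installed-app (public client) side of the authorization code flow.
Added example; placeholders and the oob title format are assumptions."""
import html
import re
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

OOB_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"


def build_auth_request(base, realm, client_id, redirect_uri, state):
    """URL the app opens in the user's browser (path as quoted in the thread)."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{base}/realms/{realm}/tokens/auth-request?{urlencode(params)}"


def code_from_redirect(location, expected_state):
    """Pull the code out of the redirect (a Location header, or the path the
    loopback listener received). The state check rejects a code that was not
    minted for this run, e.g. one injected into the listener by a stranger."""
    q = parse_qs(urlparse(location).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch or missing")
    if "code" not in q:
        raise ValueError("no code in redirect")
    return q["code"][0]


def code_from_oob_title(page_html):
    """oob style: the code is shown in the page <title>. Assumed format: the
    title is the bare code or contains 'code=<value>'."""
    m = re.search(r"<title>(.*?)</title>", page_html, re.I | re.S)
    if not m:
        raise ValueError("no title in oob page")
    title = html.unescape(m.group(1)).strip()
    m2 = re.search(r"code=(\S+)", title)
    return m2.group(1) if m2 else title


def listen_for_code(expected_state, timeout=5.0):
    """Bind an ephemeral loopback port, serve exactly one request, and return
    (redirect_uri, get_code). get_code() blocks until the browser has been
    redirected to us and returns the state-checked code.
    127.0.0.1 is used rather than the name localhost so the listener and the
    browser cannot disagree about ::1 versus 127.0.0.1."""
    result = {}
    done = threading.Event()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = code_from_redirect(self.path, expected_state)
                status, body = 200, b"Login complete; you may close this window."
            except ValueError as e:
                result["error"] = str(e)
                status, body = 400, b"Redirect rejected."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            done.set()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    port = server.server_address[1]
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()

    def get_code():
        if not done.wait(timeout):
            server.server_close()
            raise TimeoutError("no redirect received")
        worker.join()
        server.server_close()
        if "error" in result:
            raise ValueError(result["error"])
        return result["code"]

    return f"http://127.0.0.1:{port}/callback", get_code


def simulate_browser_redirect(redirect_uri, code, state):
    """Stand-in for the browser following the server's Location header.
    Returns the HTTP status the loopback listener answered with."""
    url = redirect_uri + "?" + urlencode({"code": code, "state": state})
    try:
        with urllib.request.urlopen(url) as r:
            return r.getcode()
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    redirect_uri, get_code = listen_for_code(state)
    print("open in browser:", build_auth_request(
        "http://auth-server", "foo", "my-installed-app", redirect_uri, state))
    # Offline demo: play the browser ourselves with a constructed code.
    simulate_browser_redirect(redirect_uri, "constructed-code", state)
    print("code received:", get_code())
```

The listener serves a single request and then closes, so a stray GET that arrives later hits nothing; the state check is what stops a script that knows the client_id from handing the listener a code of its own choosing, which is the injection side of the scenario discussed above. The code itself is only as secret as the browser session that produced it, which is the point conceded in the reply.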

