[keycloak-dev] <kc:bearer-only> and BASIC auth

Bill Burke bburke at redhat.com
Fri Aug 21 13:26:27 EDT 2015


Oh, FYI, BASIC auth problem should be fixed next release (early September).

On 8/21/2015 1:23 PM, Bill Burke wrote:
> I won't give somebody what they want if it is the wrong decision.  It's
> better to enforce best practices.  BASIC Auth is a fine protocol, the
> issue is that the remote app gets access to credentials.
>
> On 8/21/2015 1:02 PM, Eric Wittmann wrote:
>> I'm not a fan of basic auth either, but ... give the people what they want?
>>
>> We had to implement a BASIC Authentication Policy in apiman for the same
>> reason - lots of people use it and want it still.
>>
>> On 8/21/2015 11:09 AM, Bill Burke wrote:
>>> BTW, I despise our Basic Auth option.  One of the points of SAML/OIDC is
>>> that the application never has access to user credentials.  Using Basic
>>> Auth violates that principle....But to each his own...
>>>
>>> On 8/21/2015 10:03 AM, Bill Burke wrote:
>>>> https://issues.jboss.org/browse/KEYCLOAK-1778
>>>>
>>>> committing a fix for this in next hour or so.  Please elaborate on your
>>>> CORS problem though.
>>>>
>>>> On 8/21/2015 9:56 AM, Bill Burke wrote:
>>>>> I'm more interested in the CORS problems.  What you want is an easy
>>>>> fix.
>>>>>
>>>>> On 8/21/2015 9:47 AM, Eric Wittmann wrote:
>>>>>> Can we get an option that disables the login redirect but still allows
>>>>>> BASIC auth to work?
>>>>>>
>>>>>> -Eric

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

