[keycloak-dev] Direct grant API enable/disable on per-app instead of realm

Marek Posolda mposolda at redhat.com
Mon Jan 19 03:08:32 EST 2015


Sure, but if you set "bearer-only" you can't currently use basic 
authentication for your rest endpoint: 
https://github.com/keycloak/keycloak/blob/master/integration/adapter-core/src/main/java/org/keycloak/adapters/RequestAuthenticator.java#L55 
and basic is checked on line 61.

So if you have a REST application and you want it to support basic+bearer 
authentication for the REST endpoint, you actually can't use bearer-only 
for such an application and hence you need to enter a redirect URI for it, 
even if you don't need it.

To address this, I would suggest a minor change in RequestAuthenticator, 
so if my application is bearer-only and I have this in my keycloak.json:
"bearer-only": true,
"enable-basic-auth" : true

then it will allow both bearer+basic authentication.

A second change to suggest would be to support a "Direct grants only" switch 
for applications too, not just for oauth clients.

Marek

On 16.1.2015 20:27, Bill Burke wrote:
> If you set "bearer-only" you don't have to enter in a redirect URI.
>
> On 1/16/2015 12:49 PM, Marek Posolda wrote:
>> On 15.1.2015 16:38, Stian Thorgersen wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 15 January, 2015 4:18:55 PM
>>>> Subject: Re: [keycloak-dev] Direct grant API enable/disable on
>>>> per-app instead of realm
>>>>
>>>> I don't know...Once you have one public client that supports direct
>>>> grants with a large enough scope, there's your attack vector.
>>> Well, sure, if you enable it for a public client with the full scope it
>>> doesn't make much difference. But, currently you can't limit it at all
>>> other than turning it off completely.
>>>
>>> Also, another thing is that currently we require a redirect-uri to be
>>> registered for an app, but that shouldn't be required if an app only
>>> uses the direct grant.
>> +1. We allow specifying it for an oauth client though, but an oauth client
>> doesn't have its own roles. So usually if you have an oauth client with
>> "direct grants only" enabled, you need to give him some scopes to other
>> existing application or realm roles, which makes it even less safe.
>>
>> A similar case is the recently added Basic authentication support.
>> When I have a REST application, which should allow authenticating my REST
>> endpoints either with "bearer" or "basic" authentication, it shouldn't
>> be needed to have a redirect-uri configured for this application.
>> Currently it's needed.
>>
>> IMO we can easily fix it if we allow basic authentication for
>> "bearer-only" applications too (as long as they have "enable-basic-auth"
>> in adapter config). My understanding of "Bearer only application" is
>> a kind of application which can't request its own access token, but just
>> allows REST authentication. So I am not seeing an issue with allowing basic
>> auth for it.
>>
>> Marek
>>>
>>>>
>>>> On 1/15/2015 7:00 AM, Stian Thorgersen wrote:
>>>>> I propose we move the "Direct Grant API" enable/disable from the
>>>>> realm and
>>>>> add it to applications/clients instead. This allows greater control
>>>>> over
>>>>> what is exposed using the direct grant api.
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>> -- 
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>>
>>
>
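
The ordering issue discussed in this thread, as an added example that is not part of the original message and is not Keycloak's RequestAuthenticator code. It is a simplified model: the class, the `Outcome` values and the "redirect to login" fallback are assumptions; only the two keycloak.json flags come from the thread.

```java
import java.util.Locale;

public class AuthOrderDemo {
    // Hypothetical outcomes: which mechanism the adapter would attempt next.
    enum Outcome { TRY_BEARER, TRY_BASIC, CHALLENGE_401, REDIRECT_TO_LOGIN }

    // Mirrors "bearer-only" and "enable-basic-auth" from keycloak.json.
    record AdapterConfig(boolean bearerOnly, boolean enableBasicAuth) {}

    /** Lower-cased scheme of an Authorization header, or "" if absent or malformed. */
    static String scheme(String authorization) {
        if (authorization == null) return "";
        String trimmed = authorization.trim();
        int sp = trimmed.indexOf(' ');
        return sp <= 0 ? "" : trimmed.substring(0, sp).toLowerCase(Locale.ROOT);
    }

    /** Order described in the thread: the bearer-only exit precedes the basic check. */
    static Outcome current(AdapterConfig cfg, String authorization) {
        String s = scheme(authorization);
        if (s.equals("bearer")) return Outcome.TRY_BEARER;
        if (cfg.bearerOnly()) return Outcome.CHALLENGE_401;   // basic is never reached
        if (cfg.enableBasicAuth() && s.equals("basic")) return Outcome.TRY_BASIC;
        return Outcome.REDIRECT_TO_LOGIN;                     // needs a redirect URI
    }

    /** Proposed order: basic is checked before the bearer-only exit, but only if enabled. */
    static Outcome proposed(AdapterConfig cfg, String authorization) {
        String s = scheme(authorization);
        if (s.equals("bearer")) return Outcome.TRY_BEARER;
        if (cfg.enableBasicAuth() && s.equals("basic")) return Outcome.TRY_BASIC;
        if (cfg.bearerOnly()) return Outcome.CHALLENGE_401;   // never falls back to redirect
        return Outcome.REDIRECT_TO_LOGIN;
    }

    public static void main(String[] args) {
        // Constructed sample headers ("dXNlcjpwdw==" is base64 of "user:pw").
        String[] headers = { "Bearer constructed.sample.token", "Basic dXNlcjpwdw==", null };
        AdapterConfig[] configs = {
            new AdapterConfig(true, true),    // the combination proposed in the thread
            new AdapterConfig(true, false),   // plain bearer-only: must behave as before
            new AdapterConfig(false, true),   // today's workaround: needs a redirect URI
        };
        for (AdapterConfig cfg : configs)
            for (String h : headers)
                System.out.printf("%-52s %-8s current=%-18s proposed=%s%n",
                        cfg, scheme(h), current(cfg, h), proposed(cfg, h));
    }
}
```

In this model the only row that changes is `bearerOnly=true, enableBasicAuth=true` with a Basic header (`CHALLENGE_401` becomes `TRY_BASIC`); a bearer-only application that does not opt in still rejects Basic credentials and never reaches the redirect path.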