[keycloak-dev] OAuth2 Incremental Authorization

Bill Burke bburke at redhat.com
Wed Apr 25 12:37:10 EDT 2018


On Wed, Apr 25, 2018 at 12:05 PM, Schuster Sebastian (INST/ESY1)
<Sebastian.Schuster at bosch-si.com> wrote:
> I think security levels should not be tied to client scopes directly because they represent the client's view (what he needs to ask for). Security levels should be bound to the resource servers view because he in the end decides what level of authentication is necessary to get access, e.g. by means of having certain roles in the token... However, I would like that feature.
>

So you think that security levels are decided by the app and not the
administrator?  That an app would request a certain security level
rather than the administrator mandating it?  IMO, I would think that it
would be better practice to have this metadata centralized and driven
by Keycloak rather than have the logic in the application.  That way
all the complexity is centralized too and there's a lot less coding
the app/service needs to do.  Think about it...if the app or service
decided on security levels, then any change in security policy would
require a refactor of the app/service and a respin/redeployment of it.
If everything is centralized then the app or service never needs to be
touched and can remain running.  Security policy changes become
immediate.



-- 
Bill Burke
Red Hat