[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

Nils Preusker n.preusker at gmail.com
Wed Jan 29 09:56:17 EST 2014


Hi Bill,

maybe you can elaborate a bit on why you think 4.3 (Resource Owner Password
Grant) is a potential security hole.

Your assumption - that we want to control our own login screen - is
correct.

About your security concern, it is possible to just add fields (like a
client id) to 4.3. As far as I'm aware, Salesforce does this with the
"client_id" and "client_secret" parameters for API access to salesforce.com.

Cheers,
Nils




On Wed, Jan 29, 2014 at 3:22 PM, Bill Burke <bburke at redhat.com> wrote:

> We do support 4.3, but I'm thinking of removing it as IMO it is a
> potential security hole.  I'm thinking of augmenting 4.3 so that the
> client additionally has to pass its own credentials as well as the
> user's.
>
> I guess you want to do this because you want to control your own login
> screen? IMO, you lose a lot of the benefits of Keycloak by doing this
> (credential reset, acct mgmt, etc.).  Keycloak also allows you to add
> additional credential types over time without changing your application
> at all.  (i.e. if you wanted to add OTP).
>
> On 1/29/2014 6:49 AM, Nils Preusker wrote:
> > Hi all,
> >
> > first of all, congrats on the first alpha release of Keycloak!
> >
> > We're looking for a simple and lean way to add the OAuth 2.0 Resource
> > Owner Password Credentials Grant to a web application written in
> > JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to
> > WildFly, JAX-RS etc.).
> >
> > Since I didn't find any references in the code or the docs, I'm
> > wondering: does Keycloak provide an implementation of the Resource Owner
> > Password Credentials Grant as described in the OAuth Spec
> > (http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is
> > there a way to simply send a username and password to the auth server in
> > exchange for an access token (and optionally a refresh token - from
> > previous posts I gather this will be added soon...)?
> >
> > Cheers,
> > Nils
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
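As an added illustration (not Keycloak code, and not written by either poster), the following toy token endpoint shows the "augmented 4.3" flow discussed above: a Resource Owner Password Credentials request (RFC 6749 section 4.3) that is only honoured when the calling client also authenticates itself, either with HTTP Basic (RFC 6749 section 2.3.1) or with client_id/client_secret form parameters as in the Salesforce example. The user and client registries, their salts and secrets, and the token values are constructed placeholders; the point is the order of checks and the uniform error responses, not the storage scheme.

```python
"""Toy OAuth 2.0 token endpoint: password grant plus mandatory client
authentication. Added example, not Keycloak's implementation."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs


def _hash(secret: str, salt: bytes) -> bytes:
    # Secrets are kept as salted PBKDF2 hashes, never in clear (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


# Constructed sample registries; the salts and secrets are placeholders.
_USER_SALT = b"user-salt-example"
_CLIENT_SALT = b"client-salt-example"
USERS = {"alice": _hash("correct horse battery staple", _USER_SALT)}
CLIENTS = {"js-frontend": _hash("client-secret-example", _CLIENT_SALT)}


def _verify(stored: bytes, presented: str, salt: bytes) -> bool:
    # Constant-time comparison so timing does not reveal where hashes differ.
    return hmac.compare_digest(stored, _hash(presented, salt))


def _error(code: str, status: int = 400) -> dict:
    return {"status": status, "body": {"error": code}}


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """Build the Authorization header a confidential client would send."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _client_credentials(headers: dict, form: dict):
    """Client id/secret from HTTP Basic (preferred) or from the form body."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
            return client_id, client_secret
        except (ValueError, UnicodeDecodeError):
            return None, None
    return form.get("client_id"), form.get("client_secret")


def token_endpoint(headers: dict, body: str) -> dict:
    """Handle POST /token for grant_type=password with client authentication."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return _error("unsupported_grant_type")

    # The augmentation from the thread: a plain 4.3 request carrying only the
    # user's password is refused; the client must prove its own identity too.
    client_id, client_secret = _client_credentials(headers, form)
    if (client_id not in CLIENTS or client_secret is None
            or not _verify(CLIENTS[client_id], client_secret, _CLIENT_SALT)):
        return _error("invalid_client", status=401)

    username, password = form.get("username"), form.get("password")
    if (username not in USERS or password is None
            or not _verify(USERS[username], password, _USER_SALT)):
        # Same error for unknown user and wrong password: no account enumeration.
        return _error("invalid_grant")

    # Success response shaped per RFC 6749 section 5.1, with a refresh token.
    return {"status": 200, "body": {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 300,
        "refresh_token": secrets.token_urlsafe(32),
    }}


if __name__ == "__main__":
    hdr = basic_auth_header("js-frontend", "client-secret-example")
    print(token_endpoint(hdr, "grant_type=password&username=alice"
                              "&password=correct+horse+battery+staple"))
```

Note that the client check runs before the user check, so a request without client credentials is rejected with invalid_client before the user's password is even looked at, and both user-side failures collapse into one invalid_grant response.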