[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

Stian Thorgersen stian at redhat.com
Wed Jan 29 10:03:24 EST 2014



----- Original Message -----
> From: "Nils Preusker" <n.preusker at gmail.com>
> To: keycloak-user at lists.jboss.org
> Sent: Wednesday, 29 January, 2014 2:56:17 PM
> Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant
> 
> Hi Bill,
> 
> maybe you can elaborate a bit on why you think 4.3 (Resource Owner Password
> Grant) is a potential security hole.
> 
> Your assumption - that we want to control our own login screen - is correct.

In the next alpha we'll provide support for customizing the login screens. Through CSS and/or by custom templates. Would that cover your needs?

> 
> About your security concern, it is possible to just add fields (like a client
> id) to 4.3. As far as I'm aware, Salesforce does this with the "client_id"
> and "client_secret" parameters for API access to salesforce.com.
> 
> Cheers,
> Nils
> 
> 
> 
> 
> On Wed, Jan 29, 2014 at 3:22 PM, Bill Burke <bburke at redhat.com> wrote:
> 
> 
> We do support 4.3, but I'm thinking of removing it as IMO it is a
> potential security hole. I'm thinking of augmenting 4.3 so that the
> client additionally has to pass its own credentials as well as the
> user's.
> 
> I guess you want to do this because you want to control your own login
> screen? IMO, you lose a lot of the benefits of Keycloak by doing this
> (credential reset, acct mgmt, etc.). Keycloak also allows you to add
> additional credential types over time without changing your application
> at all. (i.e. if you wanted to add OTP).
> 
> On 1/29/2014 6:49 AM, Nils Preusker wrote:
> > Hi all,
> > 
> > first of all, congrats on the first alpha release of Keycloak!
> > 
> > We're looking for a simple and lean way to add the OAuth 2.0 Resource
> > Owner Password Credentials Grant to a web application written in
> > JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to
> > WildFly, JAX-RS etc.).
> > 
> > Since I didn't find any references in the code or the docs, I'm
> > wondering: does Keycloak provide an implementation of the Resource Owner
> > Password Credentials Grant as described in the OAuth Spec
> > (http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is
> > there a way to simply send a username and password to the auth server in
> > exchange for an access token (and optionally a refresh token - from
> > previous posts I gather this will be added soon...)?
> > 
> > Cheers,
> > Nils
> > 
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com


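The change Bill proposes above, a Resource Owner Password Credentials token endpoint (RFC 6749 section 4.3) that refuses to exchange a username and password unless the client also authenticates itself, either with HTTP Basic (section 2.3.1) or with the client_id/client_secret form parameters Nils mentions, written here as an added illustration rather than Keycloak's code or anything posted in the thread. The client registry, the user store and the error responses follow the RFC's section 5.2 vocabulary; the client ids, secrets and user are constructed for the example.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed registry of confidential clients and a constructed user store
# (hypothetical values for the example; a real server stores hashes).
CLIENTS = {"web-app": "s3cret-client-key"}
USERS = {"nils": "correct horse battery staple"}


def basic_auth_header(client_id, secret):
    """Build the Authorization header a confidential client would send (RFC 6749 2.3.1)."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate_client(headers, form):
    """Return the client_id if the client proved its identity, otherwise None.

    Accepts HTTP Basic, or client_id/client_secret in the form body
    (the style the thread attributes to Salesforce).
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
            client_id, _, secret = raw.partition(":")
        except ValueError:  # bad base64 or non-UTF-8 payload
            return None
    else:
        client_id = form.get("client_id", [""])[0]
        secret = form.get("client_secret", [""])[0]
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def token_endpoint(headers, body):
    """Handle a password-grant token request; returns (http_status, json-able dict)."""
    form = parse_qs(body, keep_blank_values=True)
    # Client authentication is checked before the user's password, so the
    # endpoint cannot be used as an anonymous password-guessing oracle.
    client_id = authenticate_client(headers, form)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type", [""])[0] != "password":
        return 400, {"error": "unsupported_grant_type"}
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    expected = USERS.get(username, "")
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```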