[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

Bill Burke bburke at redhat.com
Wed Jan 29 10:07:50 EST 2014



On 1/29/2014 9:56 AM, Nils Preusker wrote:
> Hi Bill,
>
> maybe you can elaborate a bit on why you think 4.3 (Resource Owner
> Password Grant) is a potential security hole.
>

Keycloak has the concept of "scope".  Scope is the roles that a client 
is allowed to request.  For instance, a user may have "admin" 
privileges, but you may not want to grant a token with admin privileges 
to a specific client.

> Your assumption - that we want to control our own login screen - is
> correct.
>

We're adding style sheets and pluggable themes, maybe that could push 
you to move to a Keycloak hosted login screen?  I don't know.

> About your security concern, it is possible to just add fields (like a
> client id) to 4.3. As far as I'm aware, Salesforce does this with the
> "client_id" and "client_secret" parameters for API access to
> salesforce.com <http://salesforce.com>.
>

Yes, that's what I'm planning to do.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com