[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant
Bill Burke
bburke at redhat.com
Wed Jan 29 10:07:50 EST 2014
On 1/29/2014 9:56 AM, Nils Preusker wrote:
> Hi Bill,
>
> maybe you can elaborate a bit on why you think 4.3 (Resource Owner
> Password Grant) is a potential security hole.
>
Keycloak has the concept of "scope". Scope is the roles that a client
is allowed to request. For instance, a user may have "admin"
privileges, but you may not want to grant a token with admin privileges
to a specific client.
> Your assumption - that we want to control our own login screen - is
> correct.
>
We're adding style sheets and pluggable themes, maybe that could push
you to move to a Keycloak hosted login screen? I don't know.
> About your security concern, it is possible to just add fields (like a
> client id) to 4.3. As far as I'm aware, Salesforce does this with the
> "client_id" and "client_secret" parameters for API access to
> salesforce.com.
>
Yes, that's what I'm planning to do.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
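As an added illustration (not code from this thread or from Keycloak itself), here is a simulated password-grant token endpoint that first authenticates the client with client_id/client_secret and then limits the issued roles to that client's scope; the client and user records, secrets and role names are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: registered clients with the roles they may request
# (what Keycloak calls the client's "scope"), and users with their real roles.
# Secret hashes are illustrative; a real server would use a slow password hash.
CLIENTS = {
    "mobile-app": {"secret_hash": hashlib.sha256(b"mobile-secret").hexdigest(),
                   "scope": {"user"}},
    "admin-console": {"secret_hash": hashlib.sha256(b"console-secret").hexdigest(),
                      "scope": {"user", "admin"}},
}
USERS = {"alice": {"password": "alice-pw", "roles": {"user", "admin"}}}


def authenticate_client(client_id, client_secret):
    """Return the client record only if both id and secret check out."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time comparison so timing does not leak secret prefixes.
    if not hmac.compare_digest(presented, client["secret_hash"]):
        return None
    return client


def password_grant(params):
    """Handle grant_type=password; reject unauthenticated clients outright."""
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = authenticate_client(params.get("client_id", ""),
                                 params.get("client_secret", ""))
    if client is None:
        return {"error": "invalid_client"}
    user = USERS.get(params.get("username", ""))
    if user is None or not hmac.compare_digest(
            user["password"].encode(), params.get("password", "").encode()):
        return {"error": "invalid_grant"}
    # The token carries only roles inside this client's scope: alice has
    # "admin", but a low-privilege client can never obtain an admin token.
    granted = user["roles"] & client["scope"]
    return {"access_token": secrets.token_urlsafe(16), "roles": sorted(granted)}
```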