[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

Nils Preusker n.preusker at gmail.com
Wed Jan 29 10:32:53 EST 2014


Hey, that all sounds pretty good! So far I was a bit reluctant to use a
third party login screen... But on second thought, the argument of being
able to add credential types over time without having to change your
application sounds pretty compelling.

Would you be interested in working together on a small AngularJS example to
showcase the integration of keycloak and client side web-applications?

Cheers,
Nils




On Wed, Jan 29, 2014 at 4:07 PM, Bill Burke <bburke at redhat.com> wrote:

>
>
> On 1/29/2014 9:56 AM, Nils Preusker wrote:
> > Hi Bill,
> >
> > maybe you can elaborate a bit on why you think 4.3 (Resource Owner
> > Password Grant) is a potential security hole.
> >
>
> Keycloak has the concept of "scope".  Scope is the roles that a client
> is allowed to request for.  For instance, a user may have "admin"
> privileges, but you may not want to grant a token with admin privileges
> to a specific client.
>
> > Your assumption - that we want to control our own login screen - is
> > correct.
> >
>
> We're adding style sheets and pluggable themes, maybe that could push
> you to move to a Keycloak hosted login screen?  I don't know.
>
> > About your security concern, it is possible to just add fields (like a
> > client id) to 4.3. As far as I'm aware, Salesforce does this with the
> > "client_id" and "client_secret" parameters for API access to
> > salesforce.com.
> >
>
> Yes, that's what I'm planning to do.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
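
The scope point Bill makes above (a user may hold "admin", but a given client should not be able to obtain a token carrying it) and the client_id/client_secret addition to the password grant can be shown in a small simulated token endpoint. This is an added example written for this page, not Keycloak's own code: the users, clients, passwords and the HMAC-signed token format are all constructed stand-ins for the purpose of illustration (Keycloak issues JWTs, and its role model is richer than the flat sets used here).

```python
"""Simulated OAuth 2.0 password-grant token endpoint (RFC 6749 section 4.3)
with client authentication and per-client scope. Constructed example, not
Keycloak code."""
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the stored value is not the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


# Constructed users: alice holds the realm-wide "admin" role, bob does not.
USERS = {
    "alice": _make_user("correct horse", {"user", "admin"}),
    "bob": _make_user("battery staple", {"user"}),
}

# Constructed clients. "scope" is the set of roles the client is allowed to
# request, mirroring the Keycloak notion described in the thread.
CLIENTS = {
    "mobile-app": {"secret": "mobile-secret", "scope": {"user"}},
    "admin-console": {"secret": "console-secret", "scope": {"user", "admin"}},
}

SIGNING_KEY = secrets.token_bytes(32)  # hypothetical server-side HMAC key


def _authenticate_client(client_id: str, client_secret: str) -> Optional[dict]:
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    # Constant-time comparison so a wrong secret leaks no timing information.
    if not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return None
    return client


def _authenticate_user(username: str, password: str) -> Optional[dict]:
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return None
    return user


def _sign(payload: dict) -> str:
    # Toy token: hex(JSON body) "." HMAC-SHA256 tag. Stands in for a JWT.
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def token_endpoint(form: dict) -> dict:
    """Handle one password-grant request. Returns a dict shaped like the
    token endpoint's JSON response: {"access_token", "roles"} on success,
    {"error": ...} on failure."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = _authenticate_client(form.get("client_id", ""), form.get("client_secret", ""))
    if client is None:
        # Unknown or unauthenticated client: refuse before touching user credentials.
        return {"error": "invalid_client"}
    user = _authenticate_user(form.get("username", ""), form.get("password", ""))
    if user is None:
        return {"error": "invalid_grant"}
    # The security-relevant step: the token carries only roles that BOTH the
    # user holds AND the client is permitted to request.
    granted = sorted(user["roles"] & client["scope"])
    payload = {"sub": form["username"], "azp": form["client_id"],
               "roles": granted, "iat": int(time.time())}
    return {"access_token": _sign(payload), "roles": granted}


def verify_token(token: str) -> Optional[dict]:
    """Resource-server side: check the tag and return the claims, or None."""
    body_hex, _, tag = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


if __name__ == "__main__":
    req = {"grant_type": "password", "client_id": "mobile-app",
           "client_secret": "mobile-secret", "username": "alice", "password": "correct horse"}
    print(token_endpoint(req)["roles"])  # alice is admin, but mobile-app only gets ["user"]
```

The same user authenticating through "admin-console" receives both roles, while a request with a wrong client_secret is rejected before the user's password is even checked; that ordering is what the added client_id/client_secret fields buy over a bare username/password grant.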