[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

Bill Burke bburke at redhat.com
Wed Jan 29 10:50:57 EST 2014



On 1/29/2014 10:32 AM, Nils Preusker wrote:
> Hey, that all sounds pretty good! So far I was a bit reluctant to use a
> third party login screen... But on second thought, the argument of being
> able to add credential types over time without having to change your
> application sounds pretty compelling.
>

It's not just that.  Also each secured app gets "Forgot Password" and "Lost 
Authenticator" for free.  Admin console can also force users to change 
their password or update their authenticator.

> Would you be interested in working together on a small AngularJS example
> to showcase the integration of keycloak and client side web-applications?
>

We support this already.  Keycloak Admin console is actually written in 
Angular JS.  We have two flavors for client side web apps.

* App's Server manages Keycloak interaction.  Token is stored in the 
HTTP session.  Client can obtain token after authentication by a REST 
call to the App's Server.  Keycloak Admin console uses this form.

* Pure client side app.  Stian has written a JS lib for this.  Basically 
performs all the same OAuth redirect protocol.  Client (in addition to 
the user) is authenticated by checking/matching redirect URIs.  This 
requires CORS set up though (which we also support).

For CORS we only support "validated CORS" currently.  The auth token 
contains the authorized origins which are validated on CORS requests. 
Next release we want the App's Server to query the Keycloak admin server 
for valid origins.  This way you can make unauthenticated CORS requests 
which can still protect against XSS.

We need to put an example and docs for all of this for the next release.

Bill

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
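As an added illustration of the "validated CORS" idea described above (example code, not Keycloak's own): the resource server verifies the token's signature before reading the authorized origins it carries, then echoes the request's Origin header only on an exact match. The `allowed-origins` claim name, the HS256 demo key and the sample origins are assumptions made for this example; a real realm signs its tokens with its own key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment verifies the realm's own signature instead.
DEMO_KEY = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build an HS256-signed token carrying the constructed claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature checks out; never read unverified claims."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def cors_headers_for(token: str, origin: Optional[str]) -> dict:
    """CORS headers the resource server may emit for this request, or {} to refuse.
    The Origin must match one of the token's authorized origins exactly
    (scheme, host and port); no wildcard and no reflecting an arbitrary Origin."""
    claims = verify_token(token)
    if claims is None or origin is None:
        return {}
    allowed = claims.get("allowed-origins", [])  # claim name is an assumption
    if origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin",
            "Access-Control-Allow-Credentials": "true"}
```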

