[keycloak-user] Secured application configuration question

Juraci Paixão Kröhling juraci at kroehling.de
Wed Dec 9 07:40:20 EST 2015


I don't know about the specifics of apiman, but this secret is not used 
only for direct access grants, in general. All in all, I'm not a big fan 
of shipping with a default secret/password (or any security "token").

If that also makes you uncomfortable, you might want to try to 
change the "credential" for the "apiman" client on the "apiman" realm 
via the Keycloak admin console:

- log in to the auth console (admin:admin are the default credentials)
- select the apiman realm on the top-left
- select "Clients" and then "apiman"
- select the second tab, "Credentials"
- "Regenerate secret"

This new secret should go into the standalone.xml, as value for all 
"kc:credential[name=secret]" whose realm/resource are "apiman".

- Juca.

On 09.12.2015 03:20, Paul Blair wrote:
> I'm setting up apiman with Keycloak and have a question that the folks
> on the apiman user list suggested I ask here.
>
> In the Wildfly configuration for apiman, I see several entries like this
> (one for each war file):
>
>        <kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="apiman.war">
>          <kc:realm>apiman</kc:realm>
>          <kc:resource>apiman</kc:resource>
>          <kc:credential name="secret">password</kc:credential>
>
> I'm noticing that they fill in the word "password" here, but in their
> instructions they don't specify to replace it with a particular
> password. My guess is that this credential is used only for applications
> that request REST Direct Access Grants, and that since apiman doesn't do
> that, they can use a dummy password in this configuration.
>
> Is it correct that this credential is used only for Direct Access Grants?
>
>
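The last step of the reply above (putting the regenerated secret into every `kc:credential[name=secret]` whose realm/resource are "apiman") can be checked and applied with a short script. This is an added example, not code from the thread, apiman or Keycloak; the function names, the sample document and the extra deployment names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak:1.0"  # namespace from the snippet quoted in this thread
KC = "{" + KC_NS + "}"
ET.register_namespace("kc", KC_NS)  # keep the kc: prefix when serialising

# Constructed sample, not a real standalone.xml. The .war names other than
# apiman.war and the "other" realm are made up for illustration.
SAMPLE = """<server xmlns:kc="urn:jboss:domain:keycloak:1.0">
  <kc:secure-deployment name="apiman.war">
    <kc:realm>apiman</kc:realm><kc:resource>apiman</kc:resource>
    <kc:credential name="secret">password</kc:credential></kc:secure-deployment>
  <kc:secure-deployment name="second-app.war">
    <kc:realm>apiman</kc:realm><kc:resource>apiman</kc:resource>
    <kc:credential name="secret">password</kc:credential></kc:secure-deployment>
  <kc:secure-deployment name="other.war">
    <kc:realm>other</kc:realm><kc:resource>other-client</kc:resource>
    <kc:credential name="secret">keep-me</kc:credential></kc:secure-deployment>
</server>"""

def _secret_nodes(root, realm, resource):
    """Yield (deployment name, credential element); None matches any realm/resource."""
    for dep in root.iter(KC + "secure-deployment"):
        if realm is not None and (dep.findtext(KC + "realm") or "").strip() != realm:
            continue
        if resource is not None and (dep.findtext(KC + "resource") or "").strip() != resource:
            continue
        for cred in dep.findall(KC + "credential"):
            if cred.get("name") == "secret":
                yield dep.get("name"), cred

def default_secret_left(xml_text, default="password"):
    """Deployments (any realm) still carrying the shipped default secret."""
    root = ET.fromstring(xml_text)
    return [n for n, c in _secret_nodes(root, None, None) if (c.text or "").strip() == default]

def rotate_secret(xml_text, new_secret, realm="apiman", resource="apiman"):
    """Write new_secret into every matching credential; return (xml, changed names)."""
    if not new_secret or new_secret == "password":
        raise ValueError("refusing to write an empty or default secret")
    root = ET.fromstring(xml_text)
    changed = []
    for name, cred in _secret_nodes(root, realm, resource):
        cred.text = new_secret
        changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed
```

ElementTree discards XML comments when parsing, so run `rotate_secret` against a backup copy of the file, or use `default_secret_left` alone as a check after editing by hand.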

