<div dir="ltr">Hi Bill,<div><br></div><div>maybe you can elaborate a bit on why you think 4.3 (Resource Owner Password Grant) is a potential security hole. </div><div><br></div><div>Your assumption - that we want to control our own login screen - is correct. </div>
<div><br></div><div>About your security concern, it is possible to just add fields (like a client id) to 4.3. As far as I'm aware, Salesforce does this with the "client_id" and "client_secret" parameters for API access to <a href="http://salesforce.com">salesforce.com</a>.</div>
<div><br></div><div>Cheers,</div><div>Nils</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 29, 2014 at 3:22 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We do support 4.3, but I'm thinking of removing it as IMO it is a<br>
potential security hole. I'm thinking of augmenting 4.3 so that the<br>
client additionally has to pass its own credentials as well as the<br>
user's.<br>
<br>
I guess you want to do this because you want to control your own login<br>
screen? IMO, you lose a lot of the benefits of Keycloak by doing this<br>
(credential reset, acct mgmt, etc.). Keycloak also allows you to add<br>
additional credential types over time without changing your application<br>
at all. (i.e. if you wanted to add OTP).<br>
<div><div class="h5"><br>
On 1/29/2014 6:49 AM, Nils Preusker wrote:<br>
> Hi all,<br>
><br>
> first of all, congrats on the first alpha release of Keycloak!<br>
><br>
> We're looking for a simple and lean way to add the OAuth 2.0 Resource<br>
> Owner Password Credentials Grant to a web application written in<br>
> JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to<br>
> WildFly, JAX-RS etc.).<br>
><br>
> Since I didn't find any references in the code or the docs, I'm<br>
> wondering: does Keycloak provide an implementation of the Resource Owner<br>
> Password Credentials Grant as described in the OAuth Spec<br>
> (<a href="http://tools.ietf.org/html/rfc6749#section-4.3" target="_blank">http://tools.ietf.org/html/rfc6749#section-4.3</a>)? In other words, is<br>
> there a way to simply send a username and password to the auth server in<br>
> exchange for an access token (and optionally a refresh token - from<br>
> previous posts I gather this will be added soon...)?<br>
><br>
> Cheers,<br>
> Nils<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> keycloak-user mailing list<br>
> <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
</font></span></blockquote></div><br></div>