<div dir="ltr">Hey, that all sounds pretty good! So far I was a bit reluctant to use a third party login screen... But on second thought, the argument of being able to add credential types over time without having to change your application sounds pretty compelling.<div>
<br></div><div>Would you be interested in working together on a small AngularJS example to showcase the integration of keycloak and client side web-applications?</div><div><br></div><div>Cheers,</div><div>Nils<br><div><br>
</div><div><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 29, 2014 at 4:07 PM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
<br>
On 1/29/2014 9:56 AM, Nils Preusker wrote:<br>
> Hi Bill,<br>
><br>
> maybe you can elaborate a bit on why you think 4.3 (Resource Owner<br>
> Password Grant) is a potential security hole.<br>
><br>
<br>
</div>Keycloak has the concept of "scope". Scope is the roles that a client<br>
is allowed to request for. For instance, a user may have "admin"<br>
privileges, but you may not want to grant a token with admin privileges<br>
to specific client.<br>
<div class="im"><br>
> Your assumption - that we want to control our own login screen - is<br>
> correct.<br>
><br>
<br>
</div>We're adding style sheets and pluggable themes, maybe that could push<br>
you to move to a Keycloak hosted login screen? I don't know.<br>
<div class="im"><br>
> About your security concern, it is possible to just add fields (like a<br>
> client id) to 4.3. As far as I'm aware, Saleforce does this with the<br>
> "client_id" and "client_secret" parameters for API access to<br>
</div>> <a href="http://salesforce.com" target="_blank">salesforce.com</a> <<a href="http://salesforce.com" target="_blank">http://salesforce.com</a>>.<br>
><br>
<br>
Yes, that's what I'm planning to do.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div>