<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>I should add that both the OAuth 2.0 spec and the OpenID Connect 1.0 spec indicate that the in the authorization code flow the access token is not revealed to the user agent (see RFC-6749 section 1.3.1 and Open ID Connect Core 1.0 at the top of section 3). Passing the access token to the user agent removes the security benefit of using this flow.<br></div>
<div> </div>
<div>Does Keycloak support a flow where the access token is not passed to the user agent?<br></div>
<div> </div>
<div> </div>
<div>On Fri, Apr 29, 2016, at 01:58 PM, Aikeaguinea wrote:<br></div>
<blockquote type="cite"><div>I understand that RFC-6749 only says that the user agent is typically a browser, but that's not a requirement of the spec. In this case, it isn't going to be. <br></div>
<div> <br></div>
<div>The security advantage of the authorization code flow is that the access token is transmitted directly to the client application without passing it through the resource owner's user agent. The request for the access token is made on the server side, and there is no requirement that the access token then be passed back to the user agent. Once the server validates the access token, it can consider the user's session as logged in and can associate that session with the permissions returned to it in the access token. If session state is held on the server, the user's session identifier then need contain no information about the user's ID and permissions; if the session information is maintained on the client side, the user's session token can be encrypted, which is not currently the case with Keycloak's signed JWT tokens.<br></div>
<div> <br></div>
<div> <br></div>
<div>On Fri, Apr 29, 2016, at 12:13 AM, Stian Thorgersen wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div> <br></div>
<div><div> <br></div>
<div><div>On 28 April 2016 at 17:53, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>></span> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><u></u><br></div>
<div><div>We have something of a special case. We have privileged devices for which we will use service accounts and certificates/JWT based authentication.<br></div>
<div> <br></div>
<div>Then we will have a user (employee of ours) perform a second log in to the application running on the device. The particulars don't allow us to use a browser in this instance. (For one thing, the user's credentials are not a username/password -- I've had to create a special authenticator for this purpose. But this isn't the only reason.) So, to Brian's question, we are not embedding these credentials in our code.<br></div>
</div>
</blockquote><div> <br></div>
<div>That would normally be an argument for using a browser. Using an embedded browser allows you to enable different authentication modes in Keycloak without modifying your applications. Keycloak has built-in support for authentication Kerberos tickets for example, all without the applications knowledge. <br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><div> <br></div>
<div> <br></div>
<div>Since the device is trusted, we could use the password credentials grant. However, since this is a fairly high-security situation we'd prefer not to be sending access tokens over the wire, particularly if we're only relying on TLS for encrypting the token.<br></div>
</div>
</blockquote><div> <br></div>
<div>If you're not sending access tokens over the wire, what are you sending over the wire? That's how Keycloak works and an access token is always going to be sent over the wire. Doesn't matter what flow you use. You can choose exactly what goes into the token though.<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><div> <br></div>
<div> <br></div>
<div>We could, on the other hand, use the authorization code flow--I'd just have to follow the redirects and dig the form action out of the form that's returned in the challenge page. I was just wondering if there was some way to access that URL other than by chomping on the HTML, e.g., by using a different "Accept:" header.<br></div>
</div>
</blockquote><div> <br></div>
<div>The authorization code flows is by design a purely browser flow. Using this outside of the browser isn't the correct approach. The direct access grant (resource owner credentials) is the flow you want to use if you're not going to use a browser.<br></div>
<div> <br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div><div> <br></div>
<div><div><div> <br></div>
<div> <br></div>
<div>On Thu, Apr 28, 2016, at 12:58 AM, Stian Thorgersen wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div>The answer depends on what your code is doing:<br></div>
<div> <br></div>
<div>a) Is it a server not invoking services on behalf of users, but rather on behalf of itself? Then use service accounts and you can also use public/private key based auth here (client credential flow from oauth2).<br></div>
<div>b) Is it a user logging in through a non-browser based application? Then the ideal option if possible is to embed a web browser and use the authorization code flow. The alternative is to use direct grant (resource owner credential grant flow from oauth2).<br></div>
<div>c) Is it a background process invoking a service on behalf of users when the users are not online? Then use offline tokens.<br></div>
</div>
<div><div> <br></div>
<div><div>On 27 April 2016 at 17:17, Aikeaguinea <span dir="ltr"><<a href="mailto:aikeaguinea@xsmail.com">aikeaguinea@xsmail.com</a>></span> wrote:<br></div>
<blockquote style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-width:1px;border-left-color:rgb(204, 204, 204);border-left-style:solid;padding-left:1ex;"><div>As I understand it, using the authorization code flow rather than the<br></div>
<div>implicit flow is recommended where possible.<br></div>
<div> <br></div>
<div>We have a server-side client application, but the user agents making<br></div>
<div>requests are not browsers, but instead our own code.<br></div>
<div> <br></div>
<div>I'm not entirely sure how to make the authorization code flow work<br></div>
<div>without a browser. For instance, if on the command line I request<br></div>
<div> <br></div>
<div>curl<br></div>
<div>'http://host:port/auth/realms/foo/protocol/openid-connect/auth?response_type=code&client_id=test-client&state=state&redirect_uri=<a href="http://www.example.com/hello-world">http://www.example.com/hello-world</a>'<br></div>
<div> <br></div>
<div>Then (assuming the parameters are correct) I get back an HTML login page<br></div>
<div>with a form. In order to submit the credentials, I would need to dig the<br></div>
<div>URL out of the action of the form and then submit a request like<br></div>
<div> <br></div>
<div>curl -X POST -d 'username=test-user' -d 'password=test1234'<br></div>
<div>'http://host:port/auth/realms/foo/login-actions/authenticate?code=Ctr79aRsbwPPkC4nEeT2vR9-TuC31uuXngQXoHQH6FE.ef26cfcd-a35b-4d1e-a4f7-49790f6e2f00&execution=a86f56da-9900-4f1d-a461-f18617a2333b'<br></div>
<div> <br></div>
<div>Three questions:<br></div>
<div>1. Is there some reason I shouldn't be trying to implement the<br></div>
<div>authorization code flow like this?<br></div>
<div> <br></div>
<div>2. Is there a way to get the proper login action back without having to<br></div>
<div>dig it out of an HTML form? I've tried adding --header "Accept:<br></div>
<div>application/json" to the command but this has no effect.<br></div>
<div> <br></div>
<div>3. Is there a way of submitting credentials other than by using form<br></div>
<div>parameters? I've tried HTTP basic auth but it doesn't work for me.<br></div>
</blockquote></div>
</div>
</blockquote></div>
</div>
</div>
</blockquote></div>
</div>
</div>
</blockquote><div> <br></div>
<pre>--
http://www.fastmail.com - Send your email first class
<br></pre></blockquote><div> </div>
<div id="sig3995191"><div class="signature">--<br></div>
<div class="signature"> Aikeaguinea<br></div>
<div class="signature"> aikeaguinea@xsmail.com<br></div>
<div class="signature"> </div>
</div>
<div> </div>
<pre>
--
http://www.fastmail.com - A fast, anti-spam email service.
</pre>
</body>
</html>