On 3/7/2014 9:13 AM, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 7 March, 2014 1:26:50 PM
>> Subject: Re: [keycloak-dev] Support for installed applications added (including example)
>>
>> Couldn't a lot of the example be pulled into an adapter library and
>> reused?
>
> Yes, that would be good. I mainly wanted to tick the box that we support installed
> applications. With these redirect uris we can claim we support CLI, desktop apps, etc.
>
>> Also, is there any security hole you've introduced with being
>> able to cut/paste the access token from the browser? If there is a
>> public client, can a hacker now get an access token?
>
> Don't think so. It's just the code that's available not the token, and
> that's available from the query param in either case. It just displays it in the title
> and page instead.

Still sounds like a security hole for public clients. For public
clients we can "validate" that the access *code* is going to a valid
client because of HTTPS. If this "Cordova" support is on by default,
then the hacker can just send a redirect_uri of
"urn:ietf:wg:oauth:2.0:oob" or "http://localhost" and obtain the
access code. Is "CORDOVA" support on by default currently?
Google clients require a secret.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
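To make the point of the thread concrete, here is a constructed model of the redirect_uri check that protects the authorization code for a public client. It is an added example, not Keycloak code; the `Client` fields, the `installed_app` opt-in flag and the `oob_enabled_globally` switch are assumptions used to contrast a per-client opt-in with the "on by default" behaviour Bill objects to.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Redirect targets used by installed applications (CLI, desktop) instead of a web callback.
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Client:
    client_id: str
    public: bool                        # public client: no secret presented at the token endpoint
    redirect_uris: set = field(default_factory=set)
    installed_app: bool = False         # hypothetical per-client opt-in for oob/loopback redirects

def is_loopback(uri: str) -> bool:
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS

def redirect_uri_allowed(client: Client, requested: str, oob_enabled_globally: bool = False) -> bool:
    """Decide whether the authorization code may be delivered to `requested`.

    For a public client this check is the only thing binding the code to the
    legitimate application, so anything accepted here beyond the registered
    URIs is a place the code can be diverted to.
    """
    if requested in client.redirect_uris:   # exact match against the registration
        return True
    if requested == OOB_URI or is_loopback(requested):
        # Installed-app targets: safe only as an explicit per-client opt-in.
        # Switching them on for every client is the default the thread warns about.
        return client.installed_app or oob_enabled_globally
    return False

# Constructed sample registrations.
WEB_CLIENT = Client("webapp", public=True, redirect_uris={"https://app.example.com/cb"})
CLI_CLIENT = Client("cli-tool", public=True, installed_app=True)

def diverted_targets(client: Client, oob_enabled_globally: bool) -> list:
    """Targets outside the client's own registration that the check would still accept."""
    candidates = [OOB_URI, "http://localhost/cb", "http://127.0.0.1:8080/cb",
                  "https://attacker.example/cb"]
    return [u for u in candidates
            if u not in client.redirect_uris
            and redirect_uri_allowed(client, u, oob_enabled_globally)]

if __name__ == "__main__":
    print("per-client opt-in:", diverted_targets(WEB_CLIENT, False))   # []
    print("global default on:", diverted_targets(WEB_CLIENT, True))    # oob and loopback accepted
```

With the per-client opt-in the web client's code can only go to its registered callback; with the global switch on, every public client silently accepts the out-of-band and loopback targets as well.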