noon
We have this option already. Its called Scopes. You assign a scope to
an OAuth Client. The scope is a set of roles the oauth client is
allowed to ask for when logging in a user. So, a mobile native app
could just have a limited scope and public credentials.
Maybe what could be done is after the OAuth Grant Page, the mobile
client would be given a token that allows it to register itself and
create unique credentials with the admin server.
On 9/20/2013 11:05 AM, Stian Thorgersen wrote:
Maybe there could be an option on the application to mark it as
client-side, then any applications that are marked as client-side would never be granted
any oauth permissions?
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 20 September, 2013 4:04:36 PM
> Subject: Re: [keycloak-dev] application configuration idea
>
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 20 September, 2013 3:48:05 PM
>> Subject: Re: [keycloak-dev] application configuration idea
>>
>>
>>
>> On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
>>> Can you not just remove the password from the config file completely -
>>> and
>>> pass the password directly using the system property?
>>>
>>
>> Config might also include:
>>
>> * TOTP Key
>> * Key pair and cert for two-way SSL.
>
> Forgot that - with that in mind then encryption + password is a good approach
> - would be good if it could be enabled/disabled for a realm though
>
>>
>>
>>> Another related thing, this only works for server-side
>>> applications/services - for client-side applications the application
>>> credentials aren't available (if they are an attacker can access them by
>>> simply downloading the application). To my understanding this means we
>>> need to support the implicit flow for client-side applications?
>>>
>>
>> Depends how the mobile native app wants to do authentication.
>> Application credentials help prevent spoofing attacks. i.e. making the
>> user think they are logging into Bank of America or something when
>> you're really logging into the attacker's site. Auth server requires
>> client to authenticate before turning a access code into an access
>> token. Mobile is different because the relationship between user and
>> application is 1 to 1. I'm not sure what to do for native mobile apps.
>
> I guess if application doesn't have access to anything that's not public
it's
> there's no security implications of the key/secrets to it being leaked. So
> with that in mind you could still use the full flow for both html5 and
> mobile (and any other client-side stuff, consoles, desktop apps, etc..)
>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com